The FBI/IC3 warns that Kali365, sold via Telegram, can hijack Microsoft 365 OAuth access tokens. It captures tokens when victims enter device codes on legitimate Microsoft authorization screens, allowing MFA bypass without stealing passwords.

The FBI’s Internet Crime Complaint Center (IC3) alert describes Kali365 as a “phishing-as-a-service” kit that lowers the barrier for criminals to launch credential theft and token theft campaigns. Instead of relying on password capture, the tool targets Microsoft 365 authorization flows. Victims are prompted to enter device codes during an otherwise legitimate device-code authorization, and Kali365 captures the OAuth tokens after the user approves the request. Those stolen tokens can be used to access Microsoft 365 resources and impersonate the victim’s session.

The alert notes that the kit is distributed through Telegram and monetized as a subscription service. It also highlights that operators can generate phishing lures using AI, and that the platform may include tracking features to monitor victims’ activity.

Because the tokens are captured after the victim accepts the device-code prompt, the FBI warns that the attack can defeat MFA in practice. IC3 advises victims who believe they were impacted to file a complaint through the FBI’s IC3 system, supporting investigation and potential disruption of the phishing infrastructure.
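A defender-side check for the flow described above, as an added example that is not from the IC3 alert or the original page: it scans sign-in records for successful device-code authentications by accounts that are not expected to use that flow. The sample records, the allowlist, and the field names (`authenticationProtocol`, `status.errorCode`, `userPrincipalName`, `appDisplayName`, `ipAddress`, `createdDateTime`) are assumptions to adapt to your own sign-in log export.

```python
import json

# Constructed sample records (not real telemetry). Field names are assumed to
# match your sign-in log export; the non-zero errorCode is a placeholder.
SAMPLE_SIGNINS = json.loads("""[
 {"createdDateTime":"2025-01-10T09:02:11Z","userPrincipalName":"alice@example.com",
  "authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Office","ipAddress":"203.0.113.7","status":{"errorCode":0}},
 {"createdDateTime":"2025-01-10T09:05:40Z","userPrincipalName":"Alice@example.com",
  "authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Office","ipAddress":"203.0.113.7","status":{"errorCode":0}},
 {"createdDateTime":"2025-01-10T10:15:00Z","userPrincipalName":"bob@example.com",
  "authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Office","ipAddress":"198.51.100.9","status":{"errorCode":99999}},
 {"createdDateTime":"2025-01-10T11:30:00Z","userPrincipalName":"kiosk-svc@example.com",
  "authenticationProtocol":"deviceCode","appDisplayName":"Room Display","ipAddress":"192.0.2.44","status":{"errorCode":0}},
 {"createdDateTime":"2025-01-10T12:00:00Z","userPrincipalName":"carol@example.com",
  "authenticationProtocol":"none","appDisplayName":"Office 365 Exchange Online","ipAddress":"192.0.2.10","status":{"errorCode":0}}
]""")

# Hypothetical allowlist: accounts with a documented need for device code flow.
EXPECTED_DEVICE_CODE_USERS = {"kiosk-svc@example.com"}

def unexpected_device_code_signins(records, allowlist):
    """Group successful device-code sign-ins by user, skipping allowlisted accounts."""
    allowed = {u.lower() for u in allowlist}
    findings = {}
    for rec in records:
        if str(rec.get("authenticationProtocol", "")).lower() != "devicecode":
            continue
        # Only errorCode 0 means tokens were issued; failed or abandoned
        # prompts are worth trending but are not treated as a finding here.
        if (rec.get("status") or {}).get("errorCode") != 0:
            continue
        user = str(rec.get("userPrincipalName", "")).lower()
        if not user or user in allowed:
            continue
        seen = rec.get("createdDateTime", "")
        f = findings.setdefault(
            user, {"count": 0, "first_seen": seen, "apps": set(), "ips": set()})
        f["count"] += 1
        f["first_seen"] = min(f["first_seen"], seen)  # ISO-8601 UTC sorts as text
        f["apps"].add(rec.get("appDisplayName", "unknown"))
        f["ips"].add(rec.get("ipAddress", "unknown"))
    return findings

if __name__ == "__main__":
    hits = unexpected_device_code_signins(SAMPLE_SIGNINS, EXPECTED_DEVICE_CODE_USERS)
    for user, f in sorted(hits.items()):
        print(user, f["count"], f["first_seen"], sorted(f["apps"]), sorted(f["ips"]))
```

Each account it reports warrants a review of the user's recent activity and revocation of that user's sessions and refresh tokens, since a password reset alone does not invalidate tokens that were already issued.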