The FBI/IC3 says the Telegram-distributed Kali365 kit can harvest Microsoft 365 OAuth access/refresh tokens, enabling persistent account takeovers. It can also help criminals bypass MFA and use automation and AI-generated phishing lures.

The FBI Internet Crime Complaint Center (IC3) warns about an emerging phishing-as-a-service (PhaaS) offering called Kali365, marketed through Telegram. According to the alert, the toolkit focuses on stealing Microsoft 365 OAuth tokens, specifically access and refresh tokens, rather than relying on victims to directly disclose passwords. Once the tokens are obtained, attackers can maintain access to compromised Microsoft 365 environments, often with long-lived access that supports ongoing account takeover activity. The FBI notes the service can facilitate MFA bypass without capturing user passwords, making it more dangerous than typical phishing campaigns that only target credential entry.

The alert also highlights the operational role of automation: criminals can use the service alongside AI-assisted or AI-generated phishing lures and other streamlined techniques to scale targeting. For organizations and individuals, the core risk is that normal sign-in protections can be weakened when attackers obtain authorization artifacts that are valid for the user’s session. The FBI’s message emphasizes vigilance around unexpected messages, careful handling of authentication prompts, and incident response readiness to detect token misuse and suspicious access patterns.
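One way to look for the token misuse the alert describes, as an added example that is not taken from the FBI alert or from any vendor tooling: it walks constructed sign-in events and flags token refreshes that come from a network origin which never completed an interactive sign-in for that session. The event field names, the `find_token_replay` helper and the severity labels are assumptions for illustration, not a real Microsoft 365 log schema.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events. Field names are hypothetical, not a real log schema.
def _ev(time, user, session, kind, ip, country):
    return {"time": time, "user": user, "session": session,
            "kind": kind, "ip": ip, "country": country}

EVENTS = [
    _ev("2025-01-10T08:00:00", "alice@example.com", "s-100", "interactive", "198.51.100.10", "US"),
    _ev("2025-01-10T09:00:00", "alice@example.com", "s-100", "token_refresh", "198.51.100.10", "US"),
    _ev("2025-01-10T09:30:00", "alice@example.com", "s-100", "token_refresh", "198.51.100.77", "US"),
    _ev("2025-01-10T09:40:00", "alice@example.com", "s-100", "token_refresh", "203.0.113.5", "NL"),
    _ev("2025-01-10T10:00:00", "bob@example.com", "s-200", "token_refresh", "192.0.2.9", "DE"),
]

def find_token_replay(events):
    """Flag token refreshes from a network origin that never completed an
    interactive sign-in for the same user and session."""
    origins = defaultdict(set)  # (user, session) -> {(ip, country)} at interactive sign-in
    findings = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        key = (ev["user"], ev["session"])
        here = (ev["ip"], ev["country"])
        if ev["kind"] == "interactive":
            origins[key].add(here)
            continue
        seen = origins.get(key)
        if seen and here in seen:
            continue  # token used from where the user actually signed in
        if not seen:
            severity, reason = "medium", "no interactive sign-in on record for this session"
        elif ev["country"] not in {country for _, country in seen}:
            severity, reason = "high", "token used from a country that never signed in"
        else:
            severity, reason = "low", "new IP in a country the user signed in from"
        findings.append({"user": ev["user"], "ip": ev["ip"], "time": ev["time"],
                         "severity": severity, "reason": reason})
    return findings

if __name__ == "__main__":
    for f in find_token_replay(EVENTS):
        print(f'{f["severity"]:<6} {f["time"]} {f["user"]} {f["ip"]}: {f["reason"]}')
```

IP address alone is noisy for roaming users, so a production rule would normally weigh device or network-provider context as well before raising the "low" case.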