IC3 Alerts: Kali365 Phishing-as-a-Service Steals Microsoft 365 Access Tokens
The FBI’s IC3 warns of the Kali365 phishing-as-a-service kit, which hijacks Microsoft 365 access tokens. The activity is designed for account takeover and downstream fraud using token theft rather than traditional credential capture alone.
The FBI’s Internet Crime Complaint Center (IC3) issued a public notice about Kali365, a phishing-as-a-service (PhaaS) kit that targets Microsoft 365 environments by stealing access tokens. In the IC3 alert, the mechanism is presented as a way to bypass common defenses: attackers aim to obtain session access through token hijacking, which can enable continued authenticated activity without needing to repeatedly re-enter passwords.
Token theft is particularly dangerous because it can turn a compromise into immediate account control, allowing criminals to access email, files, and other resources associated with the victim tenant. From there, fraud can escalate quickly: threat actors may impersonate the account owner to conduct wire-transfer scams, send additional phishing messages to the victim's contacts, or distribute malicious links from trusted channels.
The IC3 notice frames Kali365 as part of an ecosystem where the phishing infrastructure and operational capabilities are packaged and sold or otherwise made available to other criminals. That business model lowers the barrier for attackers and can increase the number of victims.
For organizations, the practical takeaway is to treat token protection, session monitoring, and phishing resistance as core controls. While end-user training still matters, token-based compromise underscores the need for identity security measures that detect unusual logins and revoke sessions when compromise indicators appear. The alert also reinforces the importance of reporting incidents to allow trend tracking.