According to the FBI/IC3, Kali365 enables attackers to bypass MFA by harvesting Microsoft 365 token material. The phishing workflow centers on Microsoft device-code entry and subsequent OAuth token capture.

The FBI/IC3 public service announcement frames Kali365 as a token-focused phishing-as-a-service platform designed for relatively non-technical threat actors. The kit is reportedly distributed via Telegram and offered on a subscription basis. Its core method targets Microsoft 365 OAuth authorization artifacts rather than user passwords.

In the described scheme, victims receive a prompt that leads them into a legitimate-looking Microsoft authorization process. During the device-code flow, the victim enters a device code on a Microsoft authorization page. Kali365 then captures the resulting OAuth tokens once the victim approves the authorization. With those tokens, criminals can potentially reuse the authenticated session context to access accounts and services. The FBI emphasizes that this approach can effectively bypass MFA because the victim's own approval in the device-code flow satisfies the account security step.

The PSA also states that the service may generate AI-assisted phishing lures and provide mechanisms to track campaign performance. If users suspect exposure, IC3 encourages filing an official complaint so the incident can be investigated and the broader phishing campaign can be linked to related activity.
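An added detection example (not from the FBI/IC3 PSA) for the device-code workflow described above: it flags successful device-code sign-ins by accounts not expected to use that flow, and raises severity when the same account then appears from an IP address not seen before the approval. Field names are modelled on Microsoft Entra sign-in logs; they, the allowlist, the time window, the severity labels and the sample records are assumptions to adapt to your own export.

```python
from datetime import datetime, timedelta

# Hypothetical allowlist: accounts that legitimately use device-code sign-in.
EXPECTED_DEVICE_CODE_USERS = {"signage@example.com"}
WINDOW = timedelta(hours=24)  # assumed correlation window

# Field names modelled on Entra sign-in logs (assumption; check your export).
KEYS = ("userPrincipalName", "createdDateTime", "authenticationProtocol",
        "ipAddress", "errorCode")
# Constructed sample records, not real log data. errorCode 0 = success;
# the nonzero value is a constructed stand-in for any failure.
SAMPLE = [
    ("alice@example.com", "2025-01-10T08:00:00", "oAuth2", "198.51.100.10", 0),
    ("alice@example.com", "2025-01-10T09:15:00", "deviceCode", "198.51.100.10", 0),
    ("alice@example.com", "2025-01-10T09:40:00", "oAuth2", "203.0.113.77", 0),
    ("bob@example.com", "2025-01-10T10:00:00", "deviceCode", "198.51.100.20", 1),
    ("signage@example.com", "2025-01-10T11:00:00", "deviceCode", "198.51.100.30", 0),
]

def load(rows):
    """Turn raw tuples into dicts with parsed timestamps, oldest first."""
    events = [dict(zip(KEYS, r)) for r in rows]
    for e in events:
        e["createdDateTime"] = datetime.fromisoformat(e["createdDateTime"])
    return sorted(events, key=lambda e: e["createdDateTime"])

def find_device_code_alerts(events):
    """Alert on unexpected successful device-code sign-ins (events sorted)."""
    alerts, seen_ips = [], {}  # seen_ips: user -> IPs observed so far
    for i, e in enumerate(events):
        user, when = e["userPrincipalName"], e["createdDateTime"]
        known = seen_ips.setdefault(user, set())
        if (e["authenticationProtocol"] == "deviceCode" and e["errorCode"] == 0
                and user not in EXPECTED_DEVICE_CODE_USERS):
            baseline = known | {e["ipAddress"]}
            # IPs first seen for this user within WINDOW after the approval.
            new_ips = sorted({
                n["ipAddress"] for n in events[i + 1:]
                if n["userPrincipalName"] == user
                and n["createdDateTime"] - when <= WINDOW
                and n["ipAddress"] not in baseline})
            alerts.append({"user": user, "time": when, "new_ips_after": new_ips,
                           "severity": "high" if new_ips else "medium"})
        known.add(e["ipAddress"])
    return alerts

if __name__ == "__main__":
    for alert in find_device_code_alerts(load(SAMPLE)):
        print(alert)
```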