FBI Warns Kali365 Phishing Service Steals Microsoft 365 Access Tokens

The kit lures victims into entering a device code on a genuine Microsoft sign‑in page, which gives attackers reusable OAuth tokens that grant ongoing access to email and files.

Overview

  • The FBI issued a public service announcement on 21 May warning that Kali365, a phishing‑as‑a‑service platform, can capture OAuth access and refresh tokens to compromise Microsoft 365 accounts.
  • The attack uses Microsoft’s legitimate device‑code sign‑in flow by sending a short code and a link to a real Microsoft verification page so victims unknowingly authorize an attacker’s device.
  • Kali365 is sold as a subscription toolkit on Telegram that supplies AI‑generated lures, automated templates, tracking dashboards and token‑capture tooling, with reported prices starting around $250 per month.
  • Stolen access and refresh tokens let attackers read Outlook messages, access OneDrive and Teams data, send credible phishing from the victim’s account, and maintain access until tokens are revoked or expire.
  • The FBI urges defenders to block or restrict device‑code flow using Microsoft Entra ID conditional access, audit device‑code use, deploy phishing‑resistant MFA and report incidents to the Internet Crime Complaint Center at ic3.gov.
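
One way to start the device‑code audit the FBI recommends, as an added example that is not part of the announcement or any Microsoft tooling: a triage pass over exported Entra ID sign‑in records. It assumes the export keeps the Microsoft Graph `signIn` field names (`authenticationProtocol`, `status.errorCode`, and so on); the `approved_users` allowlist and all sample records are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records; field names follow the Microsoft Graph signIn
# resource (the export shape is an assumption, adjust to your log source).
SAMPLE_SIGNINS = [
    {"createdDateTime": "2025-01-10T08:01:00Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "none", "ipAddress": "198.51.100.10",
     "appDisplayName": "Office 365 Exchange Online", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-01-10T09:30:00Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.77",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-01-10T09:00:00Z", "userPrincipalName": "bob@example.com",
     "authenticationProtocol": "none", "ipAddress": "198.51.100.20",
     "appDisplayName": "Microsoft Teams", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-01-10T09:05:00Z", "userPrincipalName": "bob@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.20",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 70016}},
    {"createdDateTime": "2025-01-10T10:00:00Z", "userPrincipalName": "kiosk@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.30",
     "appDisplayName": "Microsoft Teams", "status": {"errorCode": 0}},
]

def audit_device_code(signins, approved_users=frozenset()):
    """List device-code sign-ins by accounts not approved for that flow."""
    # IPs each user has used with any other protocol, for comparison.
    known_ips = defaultdict(set)
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            known_ips[s["userPrincipalName"].lower()].add(s.get("ipAddress"))
    findings = []
    for s in signins:
        user = s["userPrincipalName"].lower()
        if s.get("authenticationProtocol") != "deviceCode" or user in approved_users:
            continue
        findings.append({
            "time": s["createdDateTime"], "user": user,
            "app": s.get("appDisplayName"), "ip": s.get("ipAddress"),
            # errorCode 0 means the sign-in completed and tokens were issued.
            "succeeded": s.get("status", {}).get("errorCode") == 0,
            # IP not seen in this user's other sign-ins in the same export.
            "new_ip": s.get("ipAddress") not in known_ips[user],
        })
    # Successful sign-ins first: those are the ones needing token revocation.
    return sorted(findings, key=lambda f: (not f["succeeded"], f["time"]))

if __name__ == "__main__":
    for f in audit_device_code(SAMPLE_SIGNINS, approved_users={"kiosk@example.com"}):
        print(f)
```

A successful device‑code sign‑in from an account with no business reason to use the flow is the case to investigate first; accounts that remain in the allowlist are the ones a conditional access restriction would need to exempt.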