Kali365: The Phishing-as-a-Service Platform Weaponizing Microsoft's Own Authentication Against You
If you think MFA is your safety net, Kali365 just cut it. In May 2026, the FBI issued Public Service Announcement I-052126-PSA warning organizations about a rapidly emerging Phishing-as-a-Service (PhaaS) platform called Kali365. First observed in April 2026 and distributed openly through Telegram, Kali365 doesn’t steal your password. It doesn’t even need to. It steals something more valuable: your OAuth token, and with it, persistent, credential-free access to your entire Microsoft 365 environment. ...