Microsoft 365 users targeted by new phishing threat that bypasses MFA

Microsoft 365 access tokens are being targeted by an emerging Phishing-as-a-Service (PhaaS) platform called Kali365, the FBI is warning.


First observed in April 2026, Kali365 has been distributed through Telegram, allowing cybercriminals to obtain Microsoft 365 access tokens and bypass MFA without stealing user credentials.

“Kali365 lowers the barrier of entry, providing less-technical attackers access to AI-generated phishing lures, automated campaign templates, real-time targeted individual/entity tracking dashboards, and OAuth token capture capabilities,” the FBI said.

This type of attack is known as device code phishing, where attackers trick users into logging into their accounts through a legitimate authentication flow and then steal their access and refresh tokens.

How the attack works

The attack starts with a phishing email that impersonates trusted cloud or document-sharing services and includes a device code with instructions to visit a legitimate Microsoft verification page.

After the victim enters the code, they unknowingly authorize the attacker’s device.

The attacker then captures OAuth access and refresh tokens, allowing continued access to Microsoft 365 services such as Outlook, Teams, and OneDrive without requiring a password or additional MFA prompts.

In its announcement, the FBI outlined several tips users and organizations can follow to protect themselves from device code phishing attacks.
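One way to hunt for this flow in sign-in logs, as an added example that comes from neither the article nor the FBI announcement: flag successful device-code sign-ins by users not expected to use that flow, and list later non-interactive sign-ins by the same user from a different IP. The field names are modeled on the Microsoft Entra sign-in log export and should be checked against your own tenant; the records, the `expected_users` allowlist, the 24-hour window and the different-IP heuristic are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

def _ts(s):
    # Parse an ISO 8601 UTC timestamp such as 2026-05-04T09:12:00Z.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def find_device_code_abuse(signins, expected_users=frozenset(), window=timedelta(hours=24)):
    """Flag successful device-code sign-ins by users not expected to use that
    flow, and attach later non-interactive sign-ins by the same user from a
    different IP inside `window` (possible token use on another device)."""
    events = sorted(signins, key=lambda e: _ts(e["createdDateTime"]))
    findings = []
    for i, e in enumerate(events):
        if e.get("authenticationProtocol") != "deviceCode":
            continue
        if e.get("status", {}).get("errorCode") != 0:  # 0 means the sign-in succeeded
            continue
        user = e["userPrincipalName"].lower()
        if user in expected_users:  # e.g. shared devices that legitimately use the flow
            continue
        start = _ts(e["createdDateTime"])
        follow_ips = sorted({
            n["ipAddress"] for n in events[i + 1:]
            if n["userPrincipalName"].lower() == user
            and not n.get("isInteractive", True)
            and n["ipAddress"] != e["ipAddress"]
            and _ts(n["createdDateTime"]) - start <= window
        })
        findings.append({"user": user, "time": e["createdDateTime"],
                         "ip": e["ipAddress"], "follow_on_ips": follow_ips})
    return findings

def _rec(t, user, ip, proto, interactive, err=0):
    return {"createdDateTime": t, "userPrincipalName": user, "ipAddress": ip,
            "authenticationProtocol": proto, "isInteractive": interactive,
            "status": {"errorCode": err}}

# Constructed sample records (documentation IP ranges, not real log data).
SAMPLE = [
    _rec("2026-05-04T09:12:00Z", "alice@example.com", "198.51.100.10", "deviceCode", True),
    _rec("2026-05-04T09:15:00Z", "alice@example.com", "203.0.113.77", "none", False),
    _rec("2026-05-04T10:00:00Z", "kiosk@example.com", "198.51.100.20", "deviceCode", True),
    _rec("2026-05-04T11:00:00Z", "bob@example.com", "198.51.100.30", "deviceCode", True, err=1),
]

if __name__ == "__main__":
    for finding in find_device_code_abuse(SAMPLE, expected_users={"kiosk@example.com"}):
        print(finding)
```

A finding with a non-empty `follow_on_ips` list is the higher-priority case to review, since it pairs the device-code approval with token activity from a second address.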

Telegram-based phishing services

Researchers also recently identified EvilTokens, another PhaaS platform sold through Telegram.

The service gives less-experienced attackers ready-made tools for phishing campaigns, including fake login pages, Microsoft API automation, and AI-generated emails.

It also comes with templates built around common business notifications, such as SharePoint access requests, password expiration messages, and shared document alerts.

According to Barracuda Networks, the most common phishing themes in 2025 pushed users toward clicking links, scanning QR codes, opening attachments, or handing over personal information.
