FBI Warns of Kali365: The Phishing-as-a-Service Platform Targeting Microsoft 365 Accounts
The **FBI** has issued an advisory about **Kali365**, a **Telegram**-based Phishing-as-a-Service (PhaaS) platform that enables cybercriminals to compromise **Microsoft 365** accounts. This tool lowers the barrier to entry for less technical attackers, providing access to AI-generated phishing lures and automated campaign templates.
Cybercriminals are increasingly leveraging user-friendly services to gain unauthorized access to **Microsoft 365** accounts, according to a recent warning from the **FBI**. The agency highlighted **Kali365**, a **Telegram**-based service, as a significant threat.
# Kali365: Phishing-as-a-Service
**Kali365** is a Phishing-as-a-Service (PhaaS) platform that allows cybercriminals to capture legitimate OAuth tokens, granting them widespread access to **Microsoft 365** environments. The **FBI** notes that **Kali365** has been active since April 2026, primarily distributed via **Telegram**. It enables threat actors to obtain **Microsoft 365** access tokens and bypass multi-factor authentication (MFA) without directly intercepting user credentials.
# How Kali365 Works
Attackers utilizing **Kali365** send phishing emails that impersonate trusted cloud productivity and document-sharing services. These emails contain codes and instructions that direct victims to legitimate **Microsoft** verification pages. Unsuspecting users who enter the code on these pages inadvertently authorize the attacker's device to access their account.
With the acquired OAuth access and refresh tokens, hackers can then access **Microsoft 365** services such as **Outlook**, **Teams**, and **OneDrive** without needing a password or additional verification.
# Industry Warnings
Cybersecurity firms like **Proofpoint**, **IBM**, and **Huntress** have issued warnings about the increasing number of attacks leveraging **Kali365** and similar PhaaS platforms. **Arctic Wolf** reported dealing with a large campaign of attacks enabled by **Kali365** in April, where attackers tricked victims into authorizing threat actor-initiated sessions through legitimate **Microsoft** device login flows.
**Arctic Wolf** further detailed that captured OAuth access and refresh tokens enabled immediate mailbox access and post-compromise activity. In some instances, malicious inbox rules were established to suppress security notifications, extending the dwell time and reducing user awareness.
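An added detection example (not code from the FBI advisory or from Arctic Wolf) for the two behaviours described above: it flags a mailbox rule that hides security-notification mail when it is created shortly after a successful device-code sign-in by the same user. The record layout is a simplified, assumed schema modelled on Entra sign-in logs and Exchange audit records; the keyword list, the 24-hour window and all sample records are constructed.

```python
from datetime import datetime, timedelta

# Rule actions that hide mail from the user (New-InboxRule parameters).
HIDING_ACTIONS = ("DeleteMessage", "MoveToFolder", "MarkAsRead")
MATCH_FIELDS = ("SubjectContainsWords", "SubjectOrBodyContainsWords", "From")
# Assumed keyword list for security-notification mail; tune per tenant.
NOTICE_WORDS = ("security", "sign-in", "password", "verify", "alert")
WINDOW = timedelta(hours=24)  # assumed correlation window

def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def hides_security_mail(params):
    """True if a rule hides mail AND targets security-notice keywords."""
    hides = any(str(params.get(a, "")).lower() not in ("", "false")
                for a in HIDING_ACTIONS)
    text = " ".join(str(params.get(f, "")) for f in MATCH_FIELDS).lower()
    return hides and any(w in text for w in NOTICE_WORDS)

def correlate(signins, audits):
    """Return (user, signin_time, rule_time) for each hiding rule created
    within WINDOW after a successful device-code sign-in by that user."""
    logins = {}
    for s in signins:
        if s["authenticationProtocol"] == "deviceCode" and s["success"]:
            logins.setdefault(s["user"].lower(), []).append(ts(s["time"]))
    hits = []
    for a in audits:
        if a["operation"] not in ("New-InboxRule", "Set-InboxRule"):
            continue
        if not hides_security_mail(a["parameters"]):
            continue
        user, when = a["user"].lower(), ts(a["time"])
        prior = [t for t in logins.get(user, []) if timedelta(0) <= when - t <= WINDOW]
        if prior:
            hits.append((user, max(prior), when))
    return hits

# Constructed sample records (not real telemetry).
SIGNINS = [
    {"user": "alice@example.com", "time": "2026-04-14T09:02:11Z", "authenticationProtocol": "deviceCode", "success": True},
    {"user": "bob@example.com", "time": "2026-04-14T09:05:40Z", "authenticationProtocol": "none", "success": True},
]
AUDITS = [
    {"user": "Alice@example.com", "time": "2026-04-14T09:10:03Z", "operation": "New-InboxRule", "parameters": {"SubjectContainsWords": "Security alert", "DeleteMessage": "True"}},
    {"user": "bob@example.com", "time": "2026-04-14T09:12:00Z", "operation": "New-InboxRule", "parameters": {"SubjectContainsWords": "Security alert", "DeleteMessage": "True"}},
    {"user": "alice@example.com", "time": "2026-04-14T09:30:00Z", "operation": "New-InboxRule", "parameters": {"From": "newsletter@example.org", "MoveToFolder": "News"}},
]
print(correlate(SIGNINS, AUDITS))
```

Only the first audit record is reported: the second user never signed in with a device code, and the third rule does not target security-notification mail.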
# Kali365 Pricing and Features
**Arctic Wolf** researchers gained access to the **Kali365** system and discovered that it operates on a tiered pricing model, ranging from $250 for 30 days to $2,000 for 365 days. The platform allows cybercriminals to generate branded phishing lures using well-known services like **Adobe**, **DocuSign**, and **SharePoint**, offering lures in multiple languages, layouts, and design themes. **Kali365** generates both HTML phishing pages and phishing emails, and even offers a downloadable desktop version for its users.
# The Professionalization of Cybercrime
Cybersecurity experts emphasize that **Kali365** exemplifies the increasing professionalization and distribution of the cybercriminal ecosystem. Less skilled actors are now able to launch sophisticated attacks by leveraging these "as-a-service" platforms. This trend was further highlighted by **Microsoft**'s recent disruption of another "as-a-service" cybercriminal tool that abused legitimate services to deliver malware.
