The Federal Bureau of Investigation warned that the Kali365 phishing scam can hijack Microsoft 365 accounts by stealing OAuth tokens from targeted users.
The FBI said the phishing-as-a-service platform allows cybercriminals to access Outlook, Teams and OneDrive while appearing to be legitimate account holders.
Victims receive phishing emails disguised as trusted cloud-service messages. The emails include a device code and direct users to a real Microsoft verification page.
Users who enter the code unknowingly authorise an attacker-controlled device to access their Microsoft 365 account.
Kali365 offers subscription plans starting at $250 per month, according to the warning. The service includes AI-powered phishing emails, automated campaign templates and dashboards that track victims in real time.
Security researchers have reported thousands of Kali365 attacks since April. The campaigns targeted organisations in North America and Europe across manufacturing, healthcare, finance and government.
The FBI advised organisations to use Conditional Access policies in Microsoft Entra ID to block device code flow where possible.
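Alongside blocking the flow, defenders can audit for it. The following is an added example (not part of the FBI warning or any Microsoft tooling) that scans Entra ID sign-in records for successful device code flow authentications and marks those from outside assumed corporate ranges; it assumes the Microsoft Graph `signIn` record shape (`authenticationProtocol` set to `deviceCode`, `status.errorCode` of 0 for success), and the sample records and trusted networks are constructed.

```python
"""Flag successful device-code-flow sign-ins in Microsoft Entra ID sign-in logs.

Records follow the shape of the Microsoft Graph `signIn` resource
(authenticationProtocol, userPrincipalName, ipAddress, status.errorCode).
The sample records and network ranges below are constructed for this example.
"""
import json
from ipaddress import ip_address, ip_network

# Constructed sample: three records as exported from Graph /auditLogs/signIns.
SAMPLE_SIGNINS = json.dumps([
    {"createdDateTime": "2025-06-02T08:14:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.45", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-06-02T08:15:00Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "198.51.100.7", "authenticationProtocol": "oAuth2",
     "appDisplayName": "Microsoft Teams", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-06-02T09:01:00Z", "userPrincipalName": "carol@example.com",
     "ipAddress": "10.0.4.12", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 50126}},
])

# Assumed corporate egress ranges; any other source IP is treated as external.
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("198.51.100.0/24")]


def is_trusted(ip: str) -> bool:
    """True when the address falls inside one of the assumed corporate ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def find_device_code_signins(raw_json: str, successful_only: bool = True) -> list[dict]:
    """Return device-code-flow sign-ins, each annotated with an external-IP flag."""
    hits = []
    for rec in json.loads(raw_json):
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        # A non-zero errorCode means the sign-in did not complete.
        if successful_only and rec.get("status", {}).get("errorCode", 0) != 0:
            continue
        hits.append({
            "user": rec["userPrincipalName"],
            "ip": rec["ipAddress"],
            "external": not is_trusted(rec["ipAddress"]),
            "app": rec.get("appDisplayName"),
            "time": rec["createdDateTime"],
        })
    return hits


if __name__ == "__main__":
    for hit in find_device_code_signins(SAMPLE_SIGNINS):
        print(hit)
```

Against real exports, feed the JSON array returned by the Graph sign-in log endpoint and replace the trusted ranges with your own egress addresses.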
Security experts also recommended phishing-resistant multi-factor authentication, including hardware security keys. Officials urged individual users not to click links or enter codes from unsolicited emails.