FBI Warns of New Phishing-as-a-Service Platform Targeting Microsoft 365

The FBI has warned that a new Phishing-as-a-Service (PhaaS) platform called Kali365 is targeting Microsoft 365 access tokens, enabling attackers to bypass multi-factor authentication (MFA) without stealing user credentials. First observed in April 2026, Kali365 is distributed via Telegram and provides cybercriminals with AI-generated phishing lures, automated campaign templates, real-time tracking dashboards, and OAuth token capture capabilities. The platform lowers the technical barrier for attackers, allowing even less-skilled threat actors to execute phishing campaigns. No specific CVE IDs or victim counts were disclosed in the report.