FBI warns of new cyberattack leveraging Kali365 phishing kit to steal corporate Microsoft credentials

  • Marijan Hassan - Tech Journalist
  • 45 minutes ago
  • 2 min read

The Federal Bureau of Investigation (FBI) has issued an urgent cyber threat warning regarding "Kali365," a sophisticated, newly discovered phishing kit being deployed at scale to hijack corporate Microsoft environments. According to federal investigators, cybercriminals are utilizing the kit to target high-value organizations and aggressively bypass traditional cybersecurity defenses by stealing Microsoft OAuth tokens directly from unsuspecting employees.



Bypassing multi-factor authentication at scale

Unlike traditional phishing campaigns that trick users into surrendering static passwords, the Kali365 kit focuses heavily on pre-authenticated session details and OAuth authorization tokens.


Security analysts warn that this approach represents a devastatingly effective shift in cybercriminal tactics: by compromising the token itself, malicious actors can completely circumvent multi-factor authentication (MFA) protocols.


Once an employee interacts with a malicious email or spoofed portal generated by Kali365, the kit tricks the user into authorizing access or intercepts active browser sessions. This allows attackers to harvest session bearer tokens.


By simply replaying these stolen tokens to Microsoft servers, hackers are able to inherit the legitimate user's entire authenticated cloud session, gaining full privileges to enterprise emails, databases, and internal communications without ever triggering a password or secondary MFA prompt.


An industrialized "As-a-Service" threat

Federal authorities emphasize that the widespread deployment of Kali365 points to the growing commoditization of highly sophisticated cybercrime. Sold as a ready-to-use phishing framework on illicit digital marketplaces, the kit allows even relatively low-skilled threat actors to orchestrate advanced corporate identity theft against enterprise targets.


The FBI notes that the campaign's massive scale is primarily designed to facilitate business email compromise (BEC), corporate espionage, and follow-on extortion of the compromised network.


Once inside a network via a hijacked OAuth session, threat actors can alter financial routing details, siphon proprietary data, or establish persistent backdoors for future ransomware deployment.


Mitigating the threat

In light of the ongoing Kali365 campaign, the FBI and leading cybersecurity bodies are urging enterprise network administrators to immediately audit their identity and access management setups. Traditional security strategies relying solely on static credentials and basic MFA are no longer sufficient to stop modern token-theft toolkits.


Organizations are strongly advised to transition toward Zero-Trust architectures and implement strict device-compliance checks.


Additionally, security teams should configure shorter session lifespans, enforce context-aware conditional access policies, and transition to phishing-resistant authentication methods, such as hardware security keys, to effectively devalue the utility of intercepted OAuth tokens.
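As an added example (not code from the FBI advisory or this article), the replay pattern described above, together with two of the recommended controls (shorter session lifetimes and context-aware access checks), expressed as detection logic over constructed sign-in records; the record fields and the 8-hour session lifetime are this example's own assumptions.

```python
"""Flag likely session/OAuth token replay in sign-in records.

Added example for this article, not FBI or Microsoft code. It assumes
sign-in records with the fields below (constructed, loosely modelled on
cloud identity sign-in logs); field names are this example's own.
A replayed token shows up as one session id reused from a different
device/IP with no fresh MFA step, or used past the maximum session age
the tenant configured. A context change is a signal, not proof: binding
tokens to compliant devices is the control that actually blocks replay.
"""
from datetime import datetime, timedelta

MAX_SESSION_AGE = timedelta(hours=8)  # assumed tenant session lifetime

# Constructed sample events: (time, user, session_id, device_id, ip, mfa_performed)
EVENTS = [
    ("2024-05-01T08:00:00", "alice", "sess-1", "dev-A", "198.51.100.10", True),
    ("2024-05-01T09:30:00", "alice", "sess-1", "dev-A", "198.51.100.10", False),
    ("2024-05-01T10:05:00", "alice", "sess-1", "dev-Z", "203.0.113.77", False),  # replay
    ("2024-05-01T08:10:00", "bob", "sess-2", "dev-B", "198.51.100.20", True),
    ("2024-05-01T19:00:00", "bob", "sess-2", "dev-B", "198.51.100.20", False),  # stale
]


def find_replays(events, max_age=MAX_SESSION_AGE):
    """Return a list of (session_id, reason) for events that look like replay."""
    findings = []
    first_seen = {}  # session_id -> (issue time, device, ip) from the MFA sign-in
    for ts, _user, sid, dev, ip, mfa in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        if sid not in first_seen:
            first_seen[sid] = (t, dev, ip)
            continue
        t0, dev0, ip0 = first_seen[sid]
        # Same session presented from a new device/IP without a fresh MFA step
        if (dev, ip) != (dev0, ip0) and not mfa:
            findings.append((sid, f"context change {dev0}/{ip0} -> {dev}/{ip} without MFA"))
        # Token still accepted beyond the configured session lifetime
        if t - t0 > max_age:
            findings.append((sid, f"used {t - t0} after issue, exceeds {max_age}"))
    return findings


if __name__ == "__main__":
    for sid, reason in find_replays(EVENTS):
        print(f"{sid}: {reason}")
```

Shortening `max_age` makes the same log produce more findings, which is the point of the shorter-session-lifetime recommendation: a stolen token stops working sooner.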
