- What: The FBI has warned about Kali365, a phishing-as-a-service (PhaaS) platform that provides turnkey Microsoft 365 credential theft with built-in adversary-in-the-middle (AitM) capabilities, enabling low-skill attackers to bypass MFA at scale.
- Impact: Compromised M365 accounts are used for BEC fraud, data exfiltration, and ransomware deployment; attackers also pivot to victim business partners using trusted email channels.
- Fix / mitigation: Replace SMS/TOTP MFA with phishing-resistant authentication (FIDO2 security keys, Windows Hello for Business, or certificate-based auth); AitM attacks cannot intercept FIDO2 cryptographic assertions.
- Who's at risk: Any organization using Microsoft 365 with SMS-based or authenticator-app MFA, particularly SMBs with less mature security programs.
The FBI's Internet Crime Complaint Center (IC3) has issued a public service announcement warning organizations about Kali365, a phishing-as-a-service (PhaaS) platform that commoditizes sophisticated Microsoft 365 credential theft operations. The platform represents a concerning evolution in the cybercrime ecosystem, enabling low-skilled threat actors to deploy enterprise-grade phishing campaigns that can bypass multi-factor authentication and evade traditional security controls.
What Makes Kali365 Different
Kali365 isn't just another phishing kit. The platform provides a complete turnkey solution for credential harvesting, including pre-built phishing templates that closely mimic Microsoft 365 login pages, automated email delivery infrastructure, and real-time credential capture dashboards. The service handles the technical complexity of modern phishing operations, from SSL certificate provisioning to adversary-in-the-middle (AitM) attacks that can intercept session tokens even when MFA is enabled.
The PhaaS model dramatically lowers the barrier to entry for credential theft operations. Threat actors without coding skills or infrastructure management experience can launch campaigns within minutes. This democratization of advanced attack capabilities means organizations now face threats from a much broader range of adversaries than traditional nation-state or sophisticated criminal groups.
Kali365's AitM capabilities can intercept session cookies and authentication tokens in real-time, effectively bypassing SMS-based MFA, authenticator apps, and even some hardware tokens. Organizations relying solely on traditional MFA for Microsoft 365 protection remain vulnerable to these attacks.
Attack Chain and Technical Capabilities
Kali365 campaigns typically begin with phishing emails that spoof legitimate Microsoft communications or business partners. These emails leverage social engineering tactics to create urgency—expiring passwords, security alerts, or document sharing notifications. Links in these messages redirect targets to attacker-controlled domains that host convincing replicas of Microsoft 365 login portals.
The platform's AitM functionality positions the phishing site as a proxy between the victim and legitimate Microsoft servers. When users enter credentials and complete MFA challenges, Kali365 captures everything—passwords, MFA codes, and critically, the session tokens that Microsoft issues after successful authentication. With these tokens, attackers gain immediate access to victim accounts without triggering additional authentication requirements.
- Real-time credential harvesting dashboards showing captured usernames, passwords, and session tokens
- Automated phishing page generation with customizable branding to match target organizations
- Built-in email delivery infrastructure to bypass spam filters
- Session token capture enabling immediate account access post-compromise
- Support for multiple phishing templates beyond Microsoft 365, including Outlook, SharePoint, and OneDrive themes
Observed Impact and Target Profile
According to the FBI's warning, Kali365 campaigns have successfully compromised accounts across multiple sectors. The platform particularly appeals to threat actors targeting small-to-medium businesses that may have less mature security programs while still maintaining valuable Microsoft 365 environments. Once inside, attackers typically pivot to business email compromise (BEC) schemes, data exfiltration, or ransomware deployment using the compromised accounts as initial access vectors.
The FBI has observed attackers using compromised accounts to launch secondary attacks against the victim organization's business partners and clients, leveraging the trusted relationship to expand their reach. This lateral movement beyond the initial target multiplies the damage from each successful phishing campaign.
Detection Challenges
Kali365 incorporates several features designed to evade detection. The platform rotates through infrastructure rapidly, using disposable domains and hosting providers to stay ahead of blocklists. Phishing pages often implement geofencing and user-agent filtering to present benign content to security scanners while showing malicious content to actual targets. Some campaigns use legitimate cloud hosting services like Azure or AWS, making network-based blocking more difficult without risking false positives.
On the detection side, defenders should look for authentication events from unusual geographic locations, impossible travel scenarios where the same account authenticates from distant locations within short timeframes, and new inbox rules or mail forwarding configurations created shortly after login events. These patterns often indicate post-compromise activity following successful phishing attacks.
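The two patterns above (impossible travel and forwarding or deleting inbox rules created shortly after a sign-in) are easy to turn into detection logic. The following is an added example, not code from the FBI advisory or from the article's authors. Its records are constructed and simplified; they only loosely resemble Entra ID sign-in logs and Exchange mailbox audit events, whose real field names differ, so the field mapping is an assumption to adapt to your own export. The speed threshold and time window are likewise illustrative values.

```python
"""Detection logic for post-compromise indicators after AitM credential theft.

Added example; the records below are constructed and the field names are a
simplification of real sign-in and mailbox audit exports.
"""
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed sign-in events (lat/lon would normally come from IP enrichment).
SIGN_INS = [
    {"user": "alice@example.com", "time": "2024-05-01T08:00:00", "ip": "203.0.113.10", "lat": 51.5, "lon": -0.12},
    {"user": "alice@example.com", "time": "2024-05-01T08:40:00", "ip": "198.51.100.7", "lat": 40.7, "lon": -74.0},
    {"user": "bob@example.com", "time": "2024-05-01T09:00:00", "ip": "203.0.113.22", "lat": 51.5, "lon": -0.12},
    {"user": "bob@example.com", "time": "2024-05-01T17:00:00", "ip": "203.0.113.23", "lat": 51.5, "lon": -0.12},
]

# Constructed mailbox audit events.
MAILBOX_AUDIT = [
    {"user": "alice@example.com", "time": "2024-05-01T08:52:00", "operation": "New-InboxRule",
     "params": {"Name": ".", "ForwardTo": "mailbox@example.net", "DeleteMessage": "True"}},
    {"user": "bob@example.com", "time": "2024-05-01T09:30:00", "operation": "New-InboxRule",
     "params": {"Name": "Newsletters", "MoveToFolder": "Reading"}},
    {"user": "bob@example.com", "time": "2024-05-01T09:31:00", "operation": "MailItemsAccessed", "params": {}},
]

MAX_PLAUSIBLE_KMH = 900.0         # roughly airliner speed; anything faster is "impossible travel"
RULE_WINDOW = timedelta(hours=2)  # a rule created this soon after a sign-in deserves a look
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}


def _t(ev):
    return datetime.fromisoformat(ev["time"])


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(sign_ins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive sign-ins by one user that would require travel faster than max_kmh."""
    by_user = {}
    for ev in sorted(sign_ins, key=_t):
        by_user.setdefault(ev["user"], []).append(ev)
    findings = []
    for user, evs in by_user.items():
        for a, b in zip(evs, evs[1:]):
            km = haversine_km(a["lat"], a["lon"], b["lat"], b["lon"])
            hours = (_t(b) - _t(a)).total_seconds() / 3600
            # Same place in zero time is fine; a different place in zero time is not.
            kmh = float("inf") if hours == 0 and km > 0 else (km / hours if hours else 0.0)
            if kmh > max_kmh:
                findings.append({"user": user, "from_ip": a["ip"], "to_ip": b["ip"], "implied_kmh": round(kmh)})
    return findings


def suspicious_inbox_rules(audit, sign_ins, window=RULE_WINDOW):
    """Flag forwarding/deleting inbox rules and attach the IP of the most recent sign-in before them."""
    findings = []
    for ev in audit:
        if ev["operation"] not in ("New-InboxRule", "Set-InboxRule"):
            continue
        p = ev["params"]
        forwards = FORWARDING_PARAMS.intersection(p)
        deletes = p.get("DeleteMessage") == "True"
        if not forwards and not deletes:
            continue  # a plain move-to-folder rule is normal user behaviour
        recent = [s for s in sign_ins
                  if s["user"] == ev["user"] and timedelta(0) <= (_t(ev) - _t(s)) <= window]
        recent.sort(key=_t)
        findings.append({
            "user": ev["user"],
            "rule": p.get("Name"),
            "reasons": sorted(forwards) + (["DeleteMessage"] if deletes else []),
            "preceding_sign_in_ip": recent[-1]["ip"] if recent else None,
        })
    return findings


if __name__ == "__main__":
    for f in impossible_travel(SIGN_INS):
        print("impossible travel:", f)
    for f in suspicious_inbox_rules(MAILBOX_AUDIT, SIGN_INS):
        print("suspicious inbox rule:", f)
```

In an AitM compromise the second sign-in comes from the proxy's infrastructure rather than the victim's device, which is exactly why the legitimate 08:00 sign-in and the 08:40 one from a different continent pair up as impossible travel here, and why the forwarding rule created twelve minutes later is attributed to that second IP. Correlating the two findings on the same user is the stronger signal; either alone produces false positives from VPNs and travellers.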
Mitigation Recommendations
The FBI recommends organizations move beyond password and traditional MFA to implement phishing-resistant authentication methods. FIDO2 security keys and certificate-based authentication provide cryptographic verification that cannot be phished through AitM techniques. While the transition requires planning and investment, these technologies render platforms like Kali365 ineffective against protected accounts.
- Deploy phishing-resistant MFA such as FIDO2 security keys or Windows Hello for Business
- Implement conditional access policies that restrict sign-ins based on location, device compliance, and risk scoring
- Enable Microsoft Defender for Office 365 anti-phishing policies with advanced impersonation protection
- Configure alert rules for suspicious authentication patterns, new inbox rules, and unusual mail forwarding activity
- Conduct regular phishing simulations to maintain user awareness and identify high-risk individuals
- Review and revoke legacy authentication protocols that bypass modern authentication protections
- Implement application consent policies to prevent OAuth token theft through malicious applications
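The claim that AitM "cannot intercept FIDO2 cryptographic assertions" rests on origin binding, and it is worth seeing where the proxy described in the attack-chain section actually fails. The following is an added model, not code from the advisory, from Microsoft, or from any WebAuthn library. It reproduces the three relevant pieces of a WebAuthn assertion (clientDataJSON carrying the page origin, authenticatorData beginning with SHA-256 of the rpId, and a signature over both) and the checks the browser, the authenticator and the relying party perform. An HMAC stands in for the security key's asymmetric signature so the example runs with the standard library alone; the hostnames and challenge are constructed placeholders.

```python
"""Why an AitM proxy cannot replay a FIDO2/WebAuthn assertion: origin binding.

Added illustration with an HMAC in place of the real asymmetric signature.
Hostnames and the challenge value are constructed placeholders.
"""
import hashlib
import hmac
import json
import os

REAL_ORIGIN = "https://login.example.com"                       # stand-in for the real IdP
PHISH_ORIGIN = "https://login.example.com.phish-proxy.example"  # stand-in for the AitM proxy
RP_ID = "login.example.com"
CHALLENGE = "constructed-per-login-challenge"  # a real RP generates this randomly per login


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def host_of(origin: str) -> str:
    return origin.split("://", 1)[1].split("/", 1)[0]


class Authenticator:
    """Stand-in for a security key: every credential is scoped to one rpId at registration."""

    def __init__(self):
        self._creds = {}  # cred_id -> (rp_id, key)

    def register(self, rp_id: str):
        cred_id, key = os.urandom(16), os.urandom(32)
        self._creds[cred_id] = (rp_id, key)
        return cred_id, key  # the RP stores cred_id and the verification key

    def get_assertion(self, rp_id: str, client_data: bytes):
        # A real device only offers credentials scoped to the rpId it was asked for.
        scoped = [(cid, key) for cid, (rp, key) in self._creds.items() if rp == rp_id]
        if not scoped:
            return None
        cred_id, key = scoped[0]
        auth_data = sha256(rp_id.encode()) + b"\x01" + (1).to_bytes(4, "big")  # rpIdHash, flags, counter
        sig = hmac.new(key, auth_data + sha256(client_data), "sha256").digest()
        return cred_id, auth_data, sig


def browser_get_assertion(auth, page_origin, requested_rp_id, challenge, enforce_rp_id_rule=True):
    """Model of what the browser does: it writes the true page origin into clientDataJSON
    and refuses rpIds that are not a registrable suffix of that origin's host."""
    host = host_of(page_origin)
    if enforce_rp_id_rule and not (host == requested_rp_id or host.endswith("." + requested_rp_id)):
        return "browser: rpId is not a registrable suffix of the page origin", None
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}, sort_keys=True
    ).encode()
    result = auth.get_assertion(requested_rp_id, client_data)
    if result is None:
        return "authenticator: no credential scoped to this rpId", None
    cred_id, auth_data, sig = result
    return "ok", (cred_id, client_data, auth_data, sig)


def rp_verify(expected_origin, rp_id, known_creds, challenge, assertion):
    """Relying-party checks; a relayed assertion fails at 'origin mismatch' even with a valid challenge."""
    cred_id, client_data, auth_data, sig = assertion
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != challenge:
        return False, "challenge mismatch"
    if cd.get("origin") != expected_origin:
        return False, "origin mismatch"
    if auth_data[:32] != sha256(rp_id.encode()):
        return False, "rpIdHash mismatch"
    key = known_creds.get(cred_id)
    if key is None:
        return False, "unknown credential"
    expected = hmac.new(key, auth_data + sha256(client_data), "sha256").digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    return True, "ok"


def login_from(page_origin, requested_rp_id=RP_ID, enforce_rp_id_rule=True):
    """Run one login ceremony from a page at page_origin; the proxy relays the real challenge."""
    auth = Authenticator()
    cred_id, key = auth.register(RP_ID)
    status, assertion = browser_get_assertion(auth, page_origin, requested_rp_id, CHALLENGE, enforce_rp_id_rule)
    if assertion is None:
        return status
    ok, reason = rp_verify(REAL_ORIGIN, RP_ID, {cred_id: key}, CHALLENGE, assertion)
    return "accepted" if ok else "rp: " + reason


if __name__ == "__main__":
    print(login_from(REAL_ORIGIN))                                            # accepted
    print(login_from(PHISH_ORIGIN))                                           # browser refuses the rpId
    print(login_from(PHISH_ORIGIN, requested_rp_id=host_of(PHISH_ORIGIN)))    # key has no credential for it
    print(login_from(PHISH_ORIGIN, enforce_rp_id_rule=False))                 # RP: origin mismatch
```

The three phished runs show the layered failure: the browser will not let a page on the proxy's host request the real rpId, a security key holds no credential for the proxy's own host, and even if the first rule were somehow bypassed the relying party rejects the assertion because the signed clientDataJSON names the proxy origin rather than its own. Contrast this with a TOTP code or SMS code, which carries no origin at all and therefore verifies just as well when relayed.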
Bottom Line
Kali365 represents the continued industrialization of cybercrime, where sophisticated attack capabilities become productized and accessible to the masses. For defenders, this means the threat landscape continues to expand—not just in sophistication but in volume and variety of attackers. Traditional security controls that worked against less capable adversaries no longer provide adequate protection. Organizations must prioritize deployment of phishing-resistant authentication and invest in monitoring capabilities that can detect post-compromise indicators. The era of assuming MFA provides comprehensive protection for cloud credentials is over.
RedEye Security provides assessments for organizations that need to understand their real risk.