FBI Warns of Kali365 Phishing Service Bypassing Microsoft 365 MFA Protection

The token is proof you've already authenticated—the system trusts it implicitly.
Explaining why stolen OAuth tokens are more dangerous than stolen passwords in Microsoft 365 attacks.

In the ongoing contest between digital defenders and those who seek to undermine them, the FBI has issued a warning that marks a meaningful turning point: a phishing service known as Kali365 has learned to steal not just passwords, but the OAuth tokens that Microsoft 365 uses to confirm identity — rendering multi-factor authentication, long treated as a near-final answer to credential theft, insufficient on its own. The threat is not theoretical; it is active, and it asks organizations everywhere to reckon with the uncomfortable truth that security is never a destination, only a direction.

  • Kali365 doesn't just steal passwords — it captures the OAuth tokens that grant access to Microsoft 365 accounts, making MFA protection effectively irrelevant once a user is deceived.
  • The FBI's public warning signals that this is no fringe threat: security researchers across multiple firms have confirmed Kali365 is actively compromising real enterprise accounts right now.
  • The security industry's long-standing prescription of MFA as a primary defense has been overtaken by events, forcing an urgent reassessment of what adequate protection actually means in 2026.
  • Organizations are being pushed toward layered defenses — conditional access policies, behavioral analytics, and token binding — as the new minimum standard for cloud account security.
  • Administrators who treated MFA as a finish line now face the harder work of continuous monitoring and adaptive controls, with no single measure offering the confidence it once did.

The FBI has issued a public warning about Kali365, a phishing kit that has found a way around multi-factor authentication — the security measure that millions of organizations have come to rely on as their primary defense for Microsoft 365 accounts. The warning has drawn attention from security researchers across the industry, all reaching the same uncomfortable conclusion.

What makes Kali365 particularly dangerous is its method. Rather than attempting to steal passwords or intercept authentication codes, it targets OAuth tokens — the digital credentials that Microsoft 365 systems use to verify identity and grant access to email, files, and cloud services. When a user is deceived into entering their login information on a fake page, Kali365 captures the token itself. With a valid token in hand, an attacker can bypass MFA entirely and move freely through the account.

The implications cut deep. MFA became the standard recommendation precisely because it added a second layer of verification that passwords alone could not provide. For years, it was treated as a near-mandatory defense. Kali365 demonstrates that this assumption has aged poorly — threat actors are no longer trying to break through MFA, they are going around it by targeting the authentication mechanism itself.

Security experts are now urging organizations to layer additional protections on top of MFA rather than relying on it alone. Conditional access policies that restrict logins based on location, device, or network conditions can catch suspicious activity that a stolen token might otherwise enable. Behavioral analytics can flag deviations from normal user patterns. Token binding, which ties OAuth tokens to specific devices, can reduce the value of stolen credentials.

For Microsoft 365 administrators, the message is direct: the security posture that felt adequate months ago may no longer be. The FBI's warning about Kali365 is not a forecast — it describes a threat that is active today, succeeding with alarming regularity, and demanding a more layered and vigilant response.

The Federal Bureau of Investigation has issued a public warning about a phishing service called Kali365 that has found a way around one of the most widely trusted security tools in modern enterprise computing: multi-factor authentication. The threat is real enough that it has drawn attention from security researchers across multiple firms, all arriving at the same uncomfortable conclusion—the protective layer that millions of organizations have relied on to keep their Microsoft 365 accounts safe is no longer sufficient on its own.

Kali365 operates as a phishing kit, meaning it is a packaged set of tools designed to trick users into handing over their credentials. What makes it particularly dangerous is its ability to steal OAuth tokens—the digital keys that Microsoft 365 systems use to verify who you are and grant you access to your email, files, and other cloud services. When a user falls for the phishing attempt and enters their login information on a fake page, Kali365 captures not just the password but the OAuth token itself. This token is the real prize. Even if the account is protected by multi-factor authentication, once an attacker possesses a valid token, they can bypass that second layer of security entirely and gain full access to the account.

The implications are stark. Multi-factor authentication has become the standard recommendation for protecting sensitive accounts precisely because it requires a second form of verification—typically a code sent to a phone or generated by an authenticator app—in addition to a password. It has been treated as a near-mandatory defense against account takeover. But Kali365 demonstrates that this assumption has become outdated. Threat actors have evolved their techniques to the point where they can circumvent MFA by targeting the authentication mechanism itself rather than trying to break through it.

Security experts across the industry are now cautioning organizations that MFA alone cannot be trusted as a complete defense. The warning is not that MFA is useless—it still stops many attacks—but rather that it must be layered with additional protections. Conditional access policies, which restrict login attempts based on factors like geographic location, device type, and network conditions, can help catch suspicious activity that a stolen token might otherwise enable. Behavioral analytics, which learn what normal user activity looks like and flag deviations, offer another line of defense. Some organizations are also implementing token binding, which ties OAuth tokens to specific devices, making stolen tokens less useful to attackers.

The emergence of Kali365 marks a shift in the threat landscape. For years, the security industry has pushed organizations toward MFA as the primary defense against phishing and credential theft. That advice was sound at the time. But as phishing kits have become more sophisticated and more widely available, the attackers have adapted. They are no longer trying to guess passwords or intercept authentication codes. They are going after the tokens themselves, the digital proof of identity that systems trust implicitly.

For Microsoft 365 users and administrators, the message is clear: the security posture that felt adequate six months ago may not be adequate today. The work of defending cloud accounts has become more complex, requiring a combination of technical controls, user education, and continuous monitoring. Organizations that have treated MFA as a finish line rather than a checkpoint will need to reassess their approach. The FBI's warning about Kali365 is not a prediction of future risk—it is a description of a threat that is active right now, targeting real accounts, and succeeding with alarming regularity.

Security experts caution that MFA alone can no longer stop threat actors
— Industry security researchers responding to Kali365 threat
The Hearth Conversation Another angle on the story
Inventor

So when the FBI warns about Kali365, are they saying that multi-factor authentication is broken?

Model

Not exactly broken, but circumvented in a way that most organizations didn't anticipate. MFA still works—it still stops a lot of attacks. The problem is that Kali365 doesn't try to defeat MFA directly. It steals the OAuth token, which is the thing MFA protects. Once you have the token, you don't need the second factor anymore.

Inventor

But doesn't that mean the user has to fall for the phishing first? They have to enter their credentials on a fake page?

Model

Yes, that's the weak link. Kali365 is still a phishing kit at its core. It needs the user to be tricked into entering their login information. But here's what's changed: phishing has gotten very good at looking legitimate. And once someone does fall for it, the damage is much worse than it used to be.

Inventor

Why is the token more valuable than just having the password?

Model

Because the token is proof that you've already authenticated. It's like having a key that already passed through the lock. The system trusts it. A password alone, even a correct one, still triggers the MFA challenge. But a token bypasses that entirely.

Inventor

So what are organizations supposed to do? Just accept that MFA isn't enough?

Model

No, they're supposed to layer it. Add conditional access policies that watch for suspicious logins—wrong location, wrong device, wrong time of day. Add behavioral analytics that learn what normal looks like. The point is that no single defense works anymore. You need multiple overlapping protections.

Inventor

Does this mean the security advice we've been following for years is now wrong?

Model

Not wrong, just incomplete. MFA was always good advice. It still stops most attacks. But it was treated as a destination, like once you had it in place, you were done. Now we know you're never done. The threat evolves, and your defenses have to evolve with it.

Contact Us FAQ