Kali365 steals Microsoft 365 tokens
- ANY.RUN and the FBI said in May 2026 that Kali365 operators stole Microsoft 365 OAuth tokens to hijack user sessions without passwords.
- The FBI said Kali365 was first seen in April 2026 and is distributed via Telegram to steal Outlook, Teams and OneDrive access.
- Microsoft said a June 1 outage affecting MFA setup and My Sign-Ins was fixed, with updates posted in the admin center.
ANY.RUN and the FBI have converged on the same point: Kali365 is not a normal credential-phishing kit. The service is built to capture Microsoft 365 OAuth tokens, which lets an attacker take over a live cloud session without ever learning the victim's password. ANY.RUN said the platform was first observed in April 2026, and the FBI's Internet Crime Complaint Center published a public warning on May 21. The distinction matters because the victim can still complete a real Microsoft sign-in flow, often with multi-factor authentication, while the attacker walks away with the token that proves the session is already trusted. The FBI said Kali365 is promoted through Telegram and enables threat actors to bypass MFA by abusing Microsoft 365 access-token flows. (any.run)

### If no password is stolen, what exactly gets taken?

Microsoft 365 relies on OAuth tokens to keep a user authenticated to its services after sign-in. ANY.RUN said Kali365 focuses on stealing those tokens rather than usernames, passwords or one-time codes, giving persistent access to corporate cloud accounts. The practical result is session hijacking. (ic3.gov)

Once an attacker holds a valid access token, and in some cases a refresh token, they can act as the user inside Microsoft 365 until the token expires, is revoked or is otherwise invalidated. The two token types age differently, which matters for response: an access token is short-lived (on the order of an hour by default) but is not normally revocable before it expires, Continuous Access Evaluation aside, while a refresh token lets the holder obtain fresh access tokens for days or longer and is what an administrator actually revokes. Security coverage tied the campaign to access across Outlook, Teams and OneDrive, extending the compromise from email into chat, files and shared workspaces. (any.run)

### How are victims tricked into authorizing the attacker?

ANY.RUN's earlier research on Microsoft device-code phishing described a pattern in which the attacker starts a legitimate device authorization flow and then persuades the victim to complete it on Microsoft's own pages. In that model the user never types credentials into a fake login page; the attacker abuses a real authentication mechanism to obtain valid OAuth tokens.
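The device-code pattern described above leaves one reliable trace on the defender's side: the sign-in that redeems the code is recorded under the victim's account with the device code protocol, from wherever the attacker's client is running. The following is an added example (not code from ANY.RUN, the FBI or Microsoft) that triages such sign-ins. It assumes log records in the shape of Microsoft Graph `signIn` objects; the field names `authenticationProtocol`, `ipAddress`, `location`, `clientAppUsed` and `status` are real Graph fields, but every record, user, IP address and the per-user baseline of countries are constructed for the example.

```python
"""Added example: triage OAuth 2.0 device-code sign-ins in Entra ID sign-in logs.

The records below are CONSTRUCTED in the shape of Microsoft Graph `signIn`
objects; the field names are real, the values are made up. Not real telemetry.
"""
import json
from datetime import datetime

# Constructed sign-in log, one JSON object per line (not real telemetry).
SAMPLE_LOG = """
{"createdDateTime":"2026-05-20T09:12:04Z","userPrincipalName":"alice@example.test","ipAddress":"203.0.113.10","location":{"countryOrRegion":"GB"},"authenticationProtocol":"oAuth2","clientAppUsed":"Browser","appDisplayName":"Microsoft Teams","conditionalAccessStatus":"success","status":{"errorCode":0}}
{"createdDateTime":"2026-05-20T09:15:31Z","userPrincipalName":"alice@example.test","ipAddress":"198.51.100.77","location":{"countryOrRegion":"NL"},"authenticationProtocol":"deviceCode","clientAppUsed":"Mobile Apps and Desktop clients","appDisplayName":"Microsoft Office","conditionalAccessStatus":"success","status":{"errorCode":0}}
{"createdDateTime":"2026-05-20T10:02:10Z","userPrincipalName":"bob@example.test","ipAddress":"203.0.113.11","location":{"countryOrRegion":"GB"},"authenticationProtocol":"deviceCode","clientAppUsed":"Mobile Apps and Desktop clients","appDisplayName":"Microsoft Office","conditionalAccessStatus":"success","status":{"errorCode":0}}
{"createdDateTime":"2026-05-20T10:05:55Z","userPrincipalName":"carol@example.test","ipAddress":"198.51.100.80","location":{"countryOrRegion":"NL"},"authenticationProtocol":"deviceCode","clientAppUsed":"Mobile Apps and Desktop clients","appDisplayName":"Microsoft Office","conditionalAccessStatus":"success","status":{"errorCode":50126}}
"""

# Constructed per-user baseline: countries each user normally signs in from.
BASELINE_COUNTRIES = {
    "alice@example.test": {"GB"},
    "bob@example.test": {"GB"},
    "carol@example.test": {"GB"},
}


def parse_signins(text: str) -> list:
    """Parse newline-delimited JSON sign-in records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _when(rec: dict) -> datetime:
    # Graph emits UTC with a trailing 'Z'; older Pythons need '+00:00'.
    return datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))


def triage_device_code(records: list, baseline: dict) -> list:
    """Return one finding per device-code sign-in, rated by how suspicious it is.

    high   : code redeemed successfully from outside the user's baseline
    medium : redeemed successfully inside the baseline (still rare enough to confirm)
    low    : redemption attempt that failed
    """
    findings = []
    for rec in sorted(records, key=_when):
        if rec.get("authenticationProtocol") != "deviceCode":
            continue  # ordinary browser/oAuth2 sign-in: not the pattern hunted here
        upn = rec["userPrincipalName"]
        country = (rec.get("location") or {}).get("countryOrRegion")
        error_code = rec.get("status", {}).get("errorCode", 0)
        known = baseline.get(upn, set())
        reasons = ["device code flow used"]
        if error_code != 0:
            severity = "low"
            reasons.append(f"sign-in failed (errorCode {error_code})")
        elif country not in known:
            severity = "high"
            reasons.append(f"success from {country}, outside user's baseline {sorted(known)}")
        else:
            severity = "medium"
            reasons.append("success inside baseline; confirm the user initiated a device-code login")
        findings.append({
            "time": rec["createdDateTime"],
            "user": upn,
            "ip": rec.get("ipAddress"),
            "app": rec.get("appDisplayName"),
            "severity": severity,
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in triage_device_code(parse_signins(SAMPLE_LOG), BASELINE_COUNTRIES):
        print(f["severity"].upper(), f["time"], f["user"], f["ip"], "; ".join(f["reasons"]))
```

Note what the log does not show: the device-code sign-in is a successful authentication by the real user, with MFA satisfied if the user completed it, so status and MFA fields look clean. The useful signals are the protocol itself and where and when the code was redeemed. Users who have no need for the device code flow can be denied it outright with the "Authentication flows" condition in Conditional Access, which removes the pattern rather than just detecting it.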
(ic3.gov) The FBI said Kali365 uses that approach at scale as a phishing-as-a-service offering. Because the authentication happens on legitimate Microsoft infrastructure, the usual warning signs of credential theft are weaker: there is no look-alike domain to spot, and the sign-in log records a successful authentication by the real user. The attacker's gain is the session token rather than the password itself.

### Why does MFA not stop this on its own?

The FBI warning is explicit that Kali365 can bypass multi-factor authentication, and ANY.RUN described the service as a shift from password theft to token abuse. (medium.com) In these cases the real user may still perform MFA during sign-in, but the attacker benefits from the authenticated session that follows. (ic3.gov) The control problem therefore moves from "did the user present a second factor?" to "who is holding the resulting token, and how long does it remain valid?" The attack path is post-authentication, not a failure to require MFA.

### What can attackers reach after they land in Microsoft 365?

The FBI and follow-on reporting said Kali365-linked compromises can expose Outlook, Teams and OneDrive. (any.run) That gives an intruder access not only to mailboxes but also to chat histories, meeting artifacts, shared documents and cloud-stored files, depending on the user's permissions and the scopes attached to the stolen token. (ic3.gov) ANY.RUN said Kali365 enables persistent access to business communications, files and collaboration platforms. In enterprise environments that also creates a path for internal phishing, document theft and broader reconnaissance using the victim's existing trust relationships.

### Why did the Microsoft outage matter in the same week?

Microsoft said on June 1 it was investigating an issue that prevented some customers from setting up multi-factor authentication or accessing the My Sign-Ins portal at mysignins.microsoft.com. (ic3.gov) BleepingComputer later reported the issue had been fixed.
The outage was a service incident, not part of the Kali365 intrusion activity. (any.run) But the timing underscored a separate operational point: identity defenses depend not only on MFA policy but also on the availability of the enrollment and session-management tools users need to set up factors and review their sign-ins.

### What should defenders watch next?

The FBI's May 21 advisory gives organizations a concrete reference point for this campaign, and ANY.RUN's June 2026 tracking page adds technical detail on how Kali365 operates. (cybersecuritynews.com) Microsoft's service-health and admin-center notices remain the place to monitor any follow-up on the MFA setup and My Sign-Ins incident. (ic3.gov)
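Two questions raised above, "who is holding the resulting token, and how long does it remain valid?" and "what scopes are attached to the stolen token?", can be answered directly from the token itself. The following is an added example (not code from ANY.RUN, the FBI or Microsoft) that triages a recovered Microsoft 365 access token. It assumes the Entra ID v1.0 access-token claim names (`aud`, `iss`, `iat`, `nbf`, `exp`, `amr`, `appid`, `scp`, `upn`, `tid`), which are real, but the token is built in the block from made-up claims with a dummy signature, and the scope-prefix-to-service table is an illustrative subset, not Microsoft's mapping. The signature is deliberately not verified: this is inspection of an artifact, not validation of a token anyone should trust.

```python
"""Added example: answer "who holds it, what can it reach, how long is it valid"
from a Microsoft 365 access token (a JWT).

The token is CONSTRUCTED from made-up claims with a dummy signature; claim
names follow the Entra ID v1.0 access-token format. The signature is not
checked, because the point is triage of an observed token, not trusting it.
"""
import base64
import json
from datetime import datetime, timedelta, timezone

ISSUED = datetime(2026, 5, 20, 9, 15, 0, tzinfo=timezone.utc)
EXAMPLE_NOW = ISSUED + timedelta(minutes=30)   # triage 30 min after issue
MUCH_LATER = ISSUED + timedelta(hours=3)       # well past expiry

# Made-up claims; the appid and tid are placeholders, not real identifiers.
SAMPLE_CLAIMS = {
    "aud": "https://graph.microsoft.com",
    "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "iat": int(ISSUED.timestamp()),
    "nbf": int(ISSUED.timestamp()),
    "exp": int((ISSUED + timedelta(minutes=75)).timestamp()),
    "amr": ["pwd", "mfa"],          # the victim really did complete MFA
    "appid": "11111111-1111-1111-1111-111111111111",
    "scp": "Mail.Read Files.Read.All Chat.Read User.Read",
    "upn": "alice@example.test",
    "tid": "00000000-0000-0000-0000-000000000000",
}

# Illustrative subset of Graph delegated-scope prefixes, not an official table.
SERVICE_BY_PREFIX = {
    "Mail.": "Outlook (mail)",
    "Files.": "OneDrive/SharePoint (files)",
    "Sites.": "OneDrive/SharePoint (files)",
    "Chat.": "Teams (chat)",
    "ChannelMessage.": "Teams (chat)",
}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_unsigned_token(claims: dict) -> str:
    """Assemble header.payload.signature with a dummy signature (constructed sample)."""
    header = _b64url_encode(json.dumps({"typ": "JWT", "alg": "RS256"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url_encode(b'dummy-signature')}"


def decode_claims(token: str) -> dict:
    """Read the payload WITHOUT verifying the signature (triage only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def remaining_lifetime(claims: dict, now: datetime) -> timedelta:
    """Time until exp, floored at zero. An access token is not revocable,
    so until this reaches zero the holder can keep using it (CAE aside)."""
    exp = datetime.fromtimestamp(int(claims["exp"]), tz=timezone.utc)
    return max(exp - now, timedelta(0))


def reachable_services(claims: dict) -> dict:
    """Group the token's scp scopes by the service they unlock."""
    reach = {}
    for scope in claims.get("scp", "").split():
        service = next((svc for pfx, svc in SERVICE_BY_PREFIX.items()
                        if scope.startswith(pfx)), "Other Graph scopes")
        reach.setdefault(service, []).append(scope)
    return reach


def mfa_satisfied(claims: dict) -> bool:
    """True when the sign-in that produced this token passed MFA."""
    return "mfa" in claims.get("amr", [])


def triage(token: str, now: datetime) -> dict:
    c = decode_claims(token)
    return {
        "user": c.get("upn"),
        "tenant": c.get("tid"),
        "client_app": c.get("appid"),
        "mfa_at_signin": mfa_satisfied(c),
        "minutes_left": int(remaining_lifetime(c, now).total_seconds() // 60),
        "reach": reachable_services(c),
    }


if __name__ == "__main__":
    print(json.dumps(triage(build_unsigned_token(SAMPLE_CLAIMS), EXAMPLE_NOW), indent=2))
```

The output makes the page's point concrete: `mfa_at_signin` is true because the victim did everything right, yet the holder still has 45 minutes of mail, chat and file access. Revoking the user's sessions invalidates refresh tokens and stops new access tokens from being minted; it does not shorten `minutes_left` on an access token already in the attacker's hands unless Continuous Access Evaluation is in effect for that resource.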