FBI Warning: Kali365 Phishing-as-a-Service Platform Bypasses MFA to Hijack Microsoft 365 Accounts
Scope: Microsoft 365 and Microsoft Entra ID (All Organizations)
Severity: Red
The FBI issued Public Service Announcement PSA260521 on May 21, 2026, warning about Kali365, a phishing-as-a-service platform first observed in April 2026 and sold on Telegram for as little as $250 per month. The kit lets even low-skill attackers sidestep MFA by abusing Microsoft's legitimate OAuth 2.0 Device Authorization grant (the "device code flow"): the attacker never answers an MFA challenge, because the victim answers it for them.

The attack works as follows. The attacker's tool requests a device code and a short user code from Microsoft's token service and starts polling for a token. The victim receives a phishing email instructing them to enter that user code on Microsoft's genuine device login page. Because the page, the password prompt and the MFA prompt are all real, nothing looks wrong; once the victim completes MFA and approves the code, Microsoft issues OAuth access and refresh tokens to the attacker's polling client. The refresh token gives persistent access to Outlook, Teams, OneDrive and any SSO-connected SaaS platforms, and is renewed silently without triggering further MFA prompts.

Organizations should immediately create Conditional Access policies that block or restrict device code flow for all users where it is not operationally required (test the policy in report-only mode first to find the administrators and CLI tooling that legitimately depend on the flow), enable Microsoft Entra ID Protection alerts for device code phishing, and transition to phishing-resistant authentication methods such as FIDO2 passkeys. Two caveats apply. Blocking the flow does not invalidate tokens already issued, so any account suspected of having approved an attacker's code should have its sign-in sessions and refresh tokens revoked. And because the victim signs in on the genuine Microsoft page, phishing-resistant credentials alone do not stop a user from approving an attacker's device code; restricting the flow is the control that addresses this technique directly.
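The following script is an added example (not code from the FBI PSA, from Microsoft or from the Kali365 kit) that simulates the device code exchange between the attacker's client, the victim and a mock authorization server. MockEntra is an assumed, simplified stand-in for Microsoft's service, not its real implementation, and every token is a random placeholder. It shows why the victim's MFA does not protect them, why the foothold persists, what a Conditional Access block of the flow changes, and what session revocation changes afterwards.

```python
"""Offline simulation of the OAuth 2.0 device authorization grant (RFC 8628)
showing why a victim who completes MFA still hands the attacker a session.

Added example; not code from the FBI PSA, Microsoft or Kali365. MockEntra is
an assumed, simplified authorization server, not Microsoft's implementation,
and all tokens are random stand-ins.
"""
import secrets


class MockEntra:
    """Just enough of the device code grant to show the trust gap: the code
    is approved in the VICTIM's browser, but the tokens go to whoever holds
    the matching device_code, which is the attacker's polling client."""

    def __init__(self, block_device_code_flow=False):
        # Stand-in for a Conditional Access policy whose "authentication flows"
        # condition blocks deviceCodeFlow (assumption: modelled as one switch).
        self.block_device_code_flow = block_device_code_flow
        self.pending = {}         # device_code -> request state
        self.refresh_tokens = {}  # refresh_token -> user principal name

    # Step 1: the client (the attacker's tool) asks for a code pair.
    def device_authorization(self, client_id, scope):
        device_code = secrets.token_urlsafe(32)
        user_code = f"{secrets.randbelow(10**9):09d}"  # what the lure shows
        self.pending[device_code] = {"client_id": client_id, "scope": scope,
                                     "user_code": user_code, "user": None}
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://microsoft.com/devicelogin",
                "interval": 5, "expires_in": 900}

    # Step 2: the victim opens the genuine login page, types the user code and
    # signs in normally, MFA included. Nothing binds the approval to a device
    # the victim owns, so a correct MFA response approves the attacker's code.
    def user_login(self, user_code, upn, password_ok, mfa_ok):
        entry = next((e for e in self.pending.values()
                      if e["user_code"] == user_code), None)
        if entry is None or not (password_ok and mfa_ok):
            return "failed"
        if self.block_device_code_flow:
            return "blocked_by_conditional_access"  # never marked approved
        entry["user"] = upn
        return "approved"

    # Step 3: the client polls the token endpoint with the device_code only.
    def token(self, device_code):
        entry = self.pending.get(device_code)
        if entry is None:
            return {"error": "invalid_grant"}
        if entry["user"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]
        refresh_token = secrets.token_urlsafe(32)
        self.refresh_tokens[refresh_token] = entry["user"]
        return {"token_type": "Bearer", "scope": entry["scope"],
                "access_token": secrets.token_urlsafe(32), "expires_in": 3600,
                "refresh_token": refresh_token}

    # Step 4: refresh tokens are redeemed silently, with no MFA prompt, which
    # is what makes the foothold persistent.
    def refresh(self, refresh_token):
        upn = self.refresh_tokens.get(refresh_token)
        if upn is None:
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(32), "upn": upn}

    # Incident response: revoking the user's refresh tokens ends the session.
    def revoke_sessions(self, upn):
        for rt in [rt for rt, u in self.refresh_tokens.items() if u == upn]:
            del self.refresh_tokens[rt]


def run_scenario(block_device_code_flow):
    """Play the phish end to end and report what the attacker ends up with."""
    idp = MockEntra(block_device_code_flow)
    attacker = idp.device_authorization("attacker-chosen-client-id",
                                        "Mail.Read offline_access")
    # The attacker is already polling before the lure even lands.
    assert idp.token(attacker["device_code"]) == {"error": "authorization_pending"}
    # The victim follows the lure: real page, real password, real MFA.
    login = idp.user_login(attacker["user_code"], "alice@example.com", True, True)
    tokens = idp.token(attacker["device_code"])
    got_tokens = "refresh_token" in tokens
    refresh_ok = got_tokens and "upn" in idp.refresh(tokens["refresh_token"])
    if got_tokens:
        idp.revoke_sessions("alice@example.com")
    after_revoke = got_tokens and "upn" in idp.refresh(tokens["refresh_token"])
    return {"login": login, "attacker_got_tokens": got_tokens,
            "refresh_without_mfa": refresh_ok,
            "refresh_after_revocation": after_revoke}


if __name__ == "__main__":
    print("no policy :", run_scenario(block_device_code_flow=False))
    print("CA blocks :", run_scenario(block_device_code_flow=True))
```

Run as-is, the first scenario reports that the attacker received a refresh token and could renew it without MFA until the sessions were revoked; the second reports that with the flow blocked the victim's otherwise successful sign-in never approves the code and the attacker's poll stays pending. The revocation step is the part to remember: a policy added after the phish does nothing about tokens that were already issued.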
The Uganda National CERT and Coordination Center (CERT.UG/CC) encourages users and administrators to review the recommendations and apply the necessary updates.
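To support the alerting recommendation above, the following added example (not code from the PSA, from Microsoft or from any product) triages sign-in records for device code flow use. The record shape is modelled on fields of the Microsoft Graph signIn resource (authenticationProtocol, userPrincipalName, appDisplayName, ipAddress, location.countryOrRegion); the sample records, the app allow-list and the "known country" baseline rule are constructed assumptions, and the field values would come from the tenant's own export in practice.

```python
"""Triage of Microsoft Entra sign-in records for device code flow abuse.

Added example; not code from the FBI PSA, Microsoft or any product. Record
shape is modelled on the Microsoft Graph signIn resource; the records, the
allow-list and the baseline rule below are constructed assumptions.
"""
import json
from collections import defaultdict

# Constructed sample export, one JSON object per line. Not real tenant data.
SAMPLE_SIGNINS = "\n".join(json.dumps(r) for r in [
    {"createdDateTime": "2026-05-22T08:01:10Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "none",
     "ipAddress": "41.210.0.10", "location": {"countryOrRegion": "UG"}},
    {"createdDateTime": "2026-05-22T09:14:52Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
     "ipAddress": "185.220.0.5", "location": {"countryOrRegion": "NL"}},
    {"createdDateTime": "2026-05-22T09:30:00Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "Microsoft Teams", "authenticationProtocol": "none",
     "ipAddress": "41.210.0.11", "location": {"countryOrRegion": "UG"}},
    {"createdDateTime": "2026-05-22T09:31:40Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "Azure CLI", "authenticationProtocol": "deviceCode",
     "ipAddress": "41.210.0.11", "location": {"countryOrRegion": "UG"}},
    {"createdDateTime": "2026-05-22T10:05:03Z", "userPrincipalName": "carol@example.com",
     "appDisplayName": "Microsoft Outlook", "authenticationProtocol": "none",
     "ipAddress": "41.210.0.12", "location": {"countryOrRegion": "UG"}},
    {"createdDateTime": "2026-05-22T10:20:19Z", "userPrincipalName": "carol@example.com",
     "appDisplayName": "Azure CLI", "authenticationProtocol": "deviceCode",
     "ipAddress": "91.108.0.7", "location": {"countryOrRegion": "RU"}},
])

# Assumption: apps that are expected to use the device code flow in this tenant.
DEVICE_CODE_ALLOWLIST = frozenset({"Azure CLI"})
SEVERITY_ORDER = {"high": 0, "medium": 1, "info": 2}


def parse_signins(log_text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def baseline_countries(records):
    """Countries each user signed in from WITHOUT device code; used as a crude
    'known location' baseline when judging that user's device code sign-ins."""
    seen = defaultdict(set)
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            seen[r["userPrincipalName"]].add(r["location"]["countryOrRegion"])
    return seen


def triage_device_code_signins(log_text, allowlist=DEVICE_CODE_ALLOWLIST):
    """Return one alert per device code sign-in, highest severity first:
    high   - the app is not on the allow-list (user-facing apps rarely need it)
    medium - allow-listed app, but a country this user has not otherwise used
    info   - allow-listed app from a location the user normally signs in from
    """
    records = parse_signins(log_text)
    known = baseline_countries(records)
    alerts = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        upn = r["userPrincipalName"]
        app = r.get("appDisplayName", "")
        country = r["location"]["countryOrRegion"]
        if app not in allowlist:
            severity, reason = "high", f"device code sign-in to non-allow-listed app {app!r}"
        elif known[upn] and country not in known[upn]:
            severity, reason = "medium", f"allow-listed app but unusual country {country}"
        else:
            severity, reason = "info", "allow-listed app from a known location"
        alerts.append({"time": r["createdDateTime"], "user": upn, "app": app,
                       "ip": r.get("ipAddress"), "country": country,
                       "severity": severity, "reason": reason})
    return sorted(alerts, key=lambda a: (SEVERITY_ORDER[a["severity"]], a["time"]))


if __name__ == "__main__":
    for alert in triage_device_code_signins(SAMPLE_SIGNINS):
        print(f"[{alert['severity']:6}] {alert['time']} {alert['user']:20} "
              f"{alert['app']:18} {alert['country']} {alert['ip']}  {alert['reason']}")
```

On the constructed sample this flags alice's Office sign-in via device code as high, carol's Azure CLI sign-in from a country she has not otherwise used as medium, and bob's Azure CLI sign-in from his usual location as info. The allow-list is the tuning knob: once a Conditional Access policy restricts the flow to the few accounts that need it, any remaining device code sign-in outside that set deserves a look, and a high finding should be followed by revoking the user's sessions and refresh tokens rather than only resetting the password.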