The FBI says criminals are using a Telegram-based service called Kali365 to trick people into granting access to their Microsoft 365 accounts. The phishing-as-a-service platform, first seen in April 2026, abuses Microsoft's legitimate device-code login flow to get victims to authorize attacker-initiated sessions. The stolen OAuth access and refresh tokens can then be reused to access Outlook, Teams and OneDrive without the victim's password or another multi-factor authentication prompt.
Arctic Wolf Labs
2026.06.02
94% relevant
This is the same underlying Kali365 operation and device-code phishing activity, but with substantive new details: Arctic Wolf links the operator to 126 malicious hosts, shows panel and token-capture infrastructure, and says the campaign has expanded beyond Microsoft 365 lures to Okta, Xerox DocuShare, GMX, Mail.ru, Yandex Disk, Odnoklassniki, and MAX Messenger account-takeover pages.
Arctic Wolf Labs
2026.06.02
97% relevant
This is a direct follow-up on the same Kali365 operation: it adds new technical detail about the operator’s infrastructure, a cluster of 126 malicious hosts, and expansion beyond Microsoft 365-themed lures into Outlook, Okta, Xerox DocuShare, AWS-themed pages, and a MAX Messenger account-takeover campaign while continuing to abuse Microsoft OAuth device authorization to bypass MFA.
Lawrence Abrams
2026.05.25
99% relevant
This article is the same underlying event: the FBI public warning on Kali365. It adds detail on Kali365's Telegram-based distribution, its two attack modes including the adversary-in-the-middle 'Cookie Link' option, links to prior Arctic Wolf reporting, and the FBI's recommended mitigations such as restricting device-code authentication and reviewing unauthorized device registrations.
2026.05.22
100% relevant
This article establishes a distinct tracked story by tying April 2026 Microsoft 365 account-takeover campaigns to the specific Kali365 phishing-as-a-service platform and adding the FBI's public warning plus operational details on how the abuse works.