This spring brought a subtle shift in the threat landscape, the kind that arrives without fanfare. A phishing platform known as Kali365 began circulating on Telegram in April 2026, and the FBI took notice. By June, the bureau had released a formal Public Service Announcement, the kind of alert you really shouldn’t scroll past if you manage corporate accounts or work in IT.
What sets Kali365 apart is not sophistication in the conventional sense. If anything, it is the opposite: the platform is built to hand relatively inexperienced attackers tools that would normally take years of experience to assemble. AI-generated phishing lures, automated campaign templates, and real-time tracking dashboards are all bundled into a subscription service, distributed through a messaging app that most people associate with sports betting tips and political dissidents.
The core attack involves no password theft at all, and that is precisely why it deserves attention. Instead, the attacker poses as a well-known cloud service and sends an email styled as a Microsoft file-share notification, the kind that lands in inboxes many times a day. Embedded in that email is a device code, along with instructions to visit a genuine Microsoft verification page and enter it. The Microsoft page is not suspicious in any way; it is real. The user goes there, types in the code, and unknowingly authorizes the attacker’s device to access their account. The attacker then holds OAuth tokens, essentially digital keys that grant ongoing access to Teams, OneDrive, and Outlook without a password or any further multi-factor authentication step. The MFA challenge never fires on the attacker’s side, because the attacker’s device never performs a conventional login; the verification step is completed by the victim, on Microsoft’s own page, on the attacker’s behalf.
Watching a control as widely deployed as MFA get sidestepped through a well-designed user experience rather than a complex technical exploit is especially frustrating. The victim clicks no malicious link and downloads nothing. They simply follow the email’s instructions on a page that looks exactly as it should. It is hard to ignore that these attacks increasingly focus on persuading someone to hand over the key rather than on picking the lock.

The FBI’s advice is useful, if a little technical. Organizations are encouraged to create conditional access policies that restrict who can use the device code authentication flow and, where feasible, block it outright. Before making those changes, it is important to audit current usage; otherwise, a business risks locking out legitimate processes that depend on the flow. None of this is glamorous work. IT departments often push this kind of thorough configuration review to the bottom of the priority list until something goes wrong. Given how Kali365 is being distributed, organizations that have never heard of it may already be affected without knowing it.
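As an added example (not part of the FBI’s guidance or this article), the audit step described above: a small Python script that reads an exported sign-in log and summarises device code usage per user and application, flagging sign-ins from addresses outside an allow-list so that legitimate automation can be identified before the flow is restricted. The field names (authenticationProtocol, userPrincipalName, appDisplayName, ipAddress, createdDateTime) follow the Microsoft Graph signIn resource, which is an assumption about the export format; the sample records, application names and IP addresses are constructed.

```python
import json

# Constructed sample export (not real log data). Field names follow the Microsoft Graph
# signIn resource, which is an assumption about the export format, not an article claim.
SAMPLE_SIGNINS = json.dumps([
    {"createdDateTime": "2026-05-04T09:12:00Z", "userPrincipalName": "build-svc@example.com",
     "appDisplayName": "Azure CLI", "ipAddress": "203.0.113.10", "authenticationProtocol": "deviceCode"},
    {"createdDateTime": "2026-05-04T09:40:00Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Microsoft Office", "ipAddress": "198.51.100.7", "authenticationProtocol": "authorizationCodeFlow"},
    {"createdDateTime": "2026-05-05T14:03:00Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Microsoft Office", "ipAddress": "192.0.2.55", "authenticationProtocol": "deviceCode"},
    {"createdDateTime": "2026-05-06T08:00:00Z", "userPrincipalName": "build-svc@example.com",
     "appDisplayName": "Azure CLI", "ipAddress": "203.0.113.10", "authenticationProtocol": "deviceCode"},
])


def device_code_usage(signins_json, known_ips=None):
    """Summarise device code sign-ins per (user, app).

    Returns {(user, app): {"count": n, "ips": set_of_ips, "unexpected": bool}}, where
    "unexpected" is True if any sign-in came from an address outside known_ips.
    """
    known_ips = known_ips or set()
    summary = {}
    for s in json.loads(signins_json):
        if s.get("authenticationProtocol") != "deviceCode":
            continue  # only the device code flow is being audited
        key = (s["userPrincipalName"], s["appDisplayName"])
        entry = summary.setdefault(key, {"count": 0, "ips": set(), "unexpected": False})
        entry["count"] += 1
        entry["ips"].add(s["ipAddress"])
        if s["ipAddress"] not in known_ips:
            entry["unexpected"] = True
    return summary


def report(summary):
    """One line per (user, app); REVIEW marks usage from outside the allow-list."""
    lines = []
    for (user, app), e in sorted(summary.items()):
        flag = "REVIEW" if e["unexpected"] else "ok"
        lines.append(f"{flag:6} {user:24} {app:18} {e['count']} sign-in(s) from {sorted(e['ips'])}")
    return lines


if __name__ == "__main__":
    # known_ips: addresses where device code use is expected (e.g. a CI runner); constructed here.
    for line in report(device_code_usage(SAMPLE_SIGNINS, known_ips={"203.0.113.10"})):
        print(line)
```

Entries marked REVIEW are the ones to confirm with the account owner before a conditional access policy blocks the flow; entries marked ok are candidates for an explicit exception.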
How widely the platform has been used, and how many accounts have been compromised, remains unknown. What the FBI’s warning does make clear is that the subscription model for cybercrime is still maturing. Medusa, BlackSuit, Akira, and RansomHub are just a few examples of the ransomware-as-a-service pattern that has been documented for years; now phishing infrastructure is following the same commercial logic. Barriers to entry keep falling. The tools keep improving. And the targets remain, for the most part, the same overburdened business users checking their email on a Tuesday afternoon.
Anyone who believes they have been affected is advised to report the incident to the Internet Crime Complaint Center at ic3.gov. Phishing email headers, suspicious login timestamps, IP addresses, and any new devices added to an account are all important details. The FBI combines that information across reports to build a picture of where these campaigns are active.