Kali365 Phishing-as-a-Service Exploits OAuth Token Capture Against Microsoft 365
The FBI has warned of Kali365, a Telegram-based phishing-as-a-service platform that captures legitimate OAuth tokens to gain unauthorised access to Microsoft 365 environments. The service has been actively used in campaigns since at least April 2024.
Kali365 represents a convergence of two established attack patterns: phishing-as-a-service (PaaS) platforms and OAuth token interception. Rather than relying on phished credentials alone, the service captures the legitimate bearer tokens issued during OAuth flows; these provide direct access to Microsoft 365 APIs and mailboxes without triggering step-up authentication or password-based detection signatures. This is technically more sophisticated than conventional credential theft.
OAuth tokens are particularly valuable because they represent already-authenticated sessions with specific scopes and limited lifespans, which makes their misuse harder to spot in audit logs than anomalous password-based logins. Once captured, threat actors can impersonate legitimate users, read email, modify forwarding rules, exfiltrate data, and move laterally within an organisation without prompting the user to re-authenticate. The fact that Kali365 is distributed via Telegram suggests a low barrier to entry for criminal operators, with pricing likely on a subscription or per-campaign basis, as is typical of mature PaaS offerings.
The April 2024 attacks indicate this is not a hypothetical threat. Defenders should assume that any organisation receiving a phishing email carrying OAuth-baited links may have compromised tokens in circulation. Response should focus on token audit and revocation: reviewing sign-in logs for anomalous token usage patterns, checking Azure AD conditional access policies to detect token replay from unusual geographies or devices, and implementing strict application consent policies to prevent future token capture.
The broader implications are concerning because OAuth token theft sidesteps many defensive controls designed for credential-based intrusions. Multi-factor authentication protects the initial login but not the subsequent use of the token. Traditional indicators of compromise such as failed login attempts are absent. This shifts the detection burden toward API call patterns, consent grant reviews, and token lifetime management. Organisations relying primarily on perimeter security and credential monitoring will find this threat particularly difficult to detect at scale.
The FBI advisory validates what security researchers have recognised in exploit communities for several years: token capture is a high-value objective for financially motivated threat actors. Organisations should prioritise Microsoft 365 token security hardening, including device compliance policies for token consumption, short token lifespans, continuous access evaluation, and regular audits of application consent grants.
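The sign-in log review described above (token replay from unusual geographies or devices, with no failed logins to alert on) can be expressed as a simple correlation rule. The following is an added example, not part of the FBI advisory or any Microsoft tooling; the record layout is a constructed, simplified stand-in for Entra ID sign-in logs, and the field names are assumptions.

```python
# Constructed, simplified sign-in records (not the real Entra ID schema).
# Each session has one interactive MFA sign-in that issued its tokens, followed
# by non-interactive token uses that carry the same session id.
SIGNINS = [
    {"user": "alice@example.com", "session": "s1", "interactive": True, "mfa": True,
     "ip": "203.0.113.10", "country": "GB", "device": "dev-A", "app": "Exchange Online"},
    {"user": "alice@example.com", "session": "s1", "interactive": False, "mfa": False,
     "ip": "203.0.113.10", "country": "GB", "device": "dev-A", "app": "Exchange Online"},
    # Same session token, now used from another country and an unregistered device.
    {"user": "alice@example.com", "session": "s1", "interactive": False, "mfa": False,
     "ip": "198.51.100.7", "country": "NG", "device": "", "app": "Microsoft Graph"},
    {"user": "bob@example.com", "session": "s2", "interactive": True, "mfa": True,
     "ip": "192.0.2.5", "country": "DE", "device": "dev-B", "app": "Exchange Online"},
    {"user": "bob@example.com", "session": "s2", "interactive": False, "mfa": False,
     "ip": "192.0.2.5", "country": "DE", "device": "dev-B", "app": "Microsoft Graph"},
]


def find_token_replay(events):
    """Flag non-interactive token use whose country or device differs from the
    interactive MFA sign-in that issued the same session. The token itself is
    valid, so there are no failed logins; the only signal is context drift."""
    anchors = {}
    for e in events:
        if e["interactive"] and e["mfa"]:
            anchors[(e["user"], e["session"])] = e
    findings = []
    for e in events:
        anchor = anchors.get((e["user"], e["session"]))
        if e["interactive"] or anchor is None:
            continue
        reasons = []
        if e["country"] != anchor["country"]:
            reasons.append(f"country {anchor['country']}->{e['country']}")
        if e["device"] != anchor["device"]:
            reasons.append(f"device {anchor['device'] or '?'}->{e['device'] or 'unregistered'}")
        if reasons:
            findings.append((e["user"], e["session"], e["ip"], e["app"], "; ".join(reasons)))
    return findings


def sessions_to_revoke(findings):
    """Distinct users whose refresh tokens should be revoked and re-issued after MFA."""
    return sorted({user for user, *_ in findings})


if __name__ == "__main__":
    hits = find_token_replay(SIGNINS)
    for hit in hits:
        print("possible token replay:", hit)
    print("revoke sessions for:", sessions_to_revoke(hits))
```

Revocation (Microsoft 365 session revocation or a Conditional Access block tied to continuous access evaluation) is the follow-up step; this rule only produces the review queue.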