The FBI has issued a fresh warning about a growing cybercrime service known as Kali365, a new Phishing-as-a-Service (PhaaS) platform that enables attackers to hijack Microsoft 365 accounts without stealing passwords directly. According to the FBI, the Kali365 phishing kit allows even low-skilled cybercriminals to bypass multi-factor authentication (MFA) protections by abusing Microsoft’s legitimate device authentication workflow.

The platform, which surfaced in April 2026, is being distributed primarily through Telegram channels and is already being linked to hundreds of phishing campaigns targeting organizations and individuals worldwide.

Instead of collecting usernames and passwords,...