The FBI recently released a public service announcement warning organizations about a new Phishing-as-a-Service platform called Kali365. While it may appear similar to traditional phishing campaigns, the way it operates is fundamentally different from what we’ve seen before.
Unlike most phishing kits, Kali365 does not try to steal user passwords. Instead, it targets the authentication process itself, so the attacker ends up with access without ever intercepting a credential.
What is Kali365?
Kali365 is a subscription-based phishing toolkit that enables attackers, even those with limited technical experience, to carry out highly effective attacks against Microsoft 365 environments. Rather than capturing credentials or intercepting multi-factor authentication (MFA) codes, the platform is built around obtaining OAuth access tokens, which grant direct access to the user's data and sidestep the controls that are tuned to catch credential theft.
How the Attack Works:
What makes Kali365 so effective, and worth paying attention to, is that it leverages legitimate Microsoft features against the user. Instead of exploiting a vulnerability, it exploits the normal authentication process in a way that looks completely expected.
To understand how, it helps to picture a familiar scenario: you've probably signed into a streaming app on your TV by visiting a website on your phone and entering a short code displayed on the screen. That's called device code authentication (the OAuth 2.0 device authorization grant, RFC 8628, which Microsoft calls the device code flow): a feature designed for devices that can't handle a traditional login. You enter the code, the device gets access, and you never had to type a password directly into the TV. Kali365 abuses that exact feature. The attacker generates the code and tricks the user into completing the authentication on their behalf.
The FBI outlines the attack sequence as follows:
- An attacker generates a device authentication code through Microsoft (the same type of code used to sign into apps on smart TVs or similar devices). This code is tied to the attacker's session and is what will eventually grant them access.
- The attacker sends a phishing email containing that legitimate Microsoft device code, along with instructions to visit Microsoft's real verification page and enter it.
- The user follows the instructions and enters the code on a real Microsoft login page.
- Because the user may already be signed into Microsoft in that browser, this step can complete with almost no friction: the existing session satisfies the sign-in, so no password or fresh MFA prompt may appear, and all the user does is enter the code and confirm. From the user's perspective, nothing unusual has happened.
- Behind the scenes, this completes the authentication for the attacker's session. The attacker's client, which has been polling Microsoft's token endpoint with the code it generated, receives a valid access token tied to the user's account.
At that point, the attacker holds a valid token representing the user's identity and permissions, with immediate access to the user's Microsoft 365 environment (Outlook, Teams, OneDrive) and no further authentication challenges. Because the flow typically returns a refresh token as well, that access outlives the first access token's lifetime.
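The exchange above, as an added example that is not part of the original post and not code from Microsoft, the FBI, or Kali365: a toy in-memory implementation of the OAuth 2.0 device authorization grant (RFC 8628), the standard the device code flow follows. Endpoint names follow the RFC; the code formats, the lifetime, the client name and the user alice@contoso.example are assumptions. The thing to watch is that the server keys the token on the device_code, which only the party that started the flow holds, and never on who typed the user_code.

```python
"""Toy model of the OAuth 2.0 device authorization grant (RFC 8628).

Added example, not code from the original post, the FBI PSA, Microsoft, or
Kali365. It runs an authorization server in memory so the exchange can be
traced offline. Endpoint names follow RFC 8628; code formats, lifetimes,
client name and user names are assumptions.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class PendingGrant:
    client_id: str
    scope: str
    user_code: str            # short code the human types on the verification page
    device_code: str          # long secret held only by the party that started the flow
    expires_at: float
    approved_by: Optional[str] = None


class AuthorizationServer:
    """Minimal in-memory identity provider implementing the three RFC 8628 steps."""

    def __init__(self, code_ttl: float = 900.0):
        self.code_ttl = code_ttl
        self._by_device_code = {}
        self._by_user_code = {}

    def device_authorization(self, client_id: str, scope: str) -> dict:
        """Step 1, POST /devicecode. Whoever calls this receives the device_code
        and is therefore the party that will eventually receive the tokens."""
        user_code = f"{secrets.token_hex(2).upper()}-{secrets.token_hex(2).upper()}"  # assumed format
        device_code = secrets.token_urlsafe(32)
        grant = PendingGrant(client_id, scope, user_code, device_code, time.time() + self.code_ttl)
        self._by_device_code[device_code] = grant
        self._by_user_code[user_code] = grant
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example/device",  # assumed URL
                "expires_in": int(self.code_ttl), "interval": 5}

    def verify(self, user_code: str, browser_user: Optional[str], mfa_satisfied: bool) -> dict:
        """Step 2, the verification page. It runs in the browser session of whoever
        typed the code; that session's state (signed in, MFA satisfied) is checked."""
        grant = self._by_user_code.get(user_code)
        if grant is None or time.time() > grant.expires_at:
            return {"status": "invalid_or_expired_code"}
        if browser_user is None or not mfa_satisfied:
            return {"status": "sign_in_required"}
        grant.approved_by = browser_user
        return {"status": "approved", "app": grant.client_id}

    def token(self, device_code: str) -> dict:
        """Step 3, POST /token with grant_type=urn:ietf:params:oauth:grant-type:device_code.
        The server cannot tell whether the device_code holder and the person who
        typed the user_code are the same party; it only checks the code."""
        grant = self._by_device_code.get(device_code)
        if grant is None or time.time() > grant.expires_at:
            return {"error": "expired_token"}
        if grant.approved_by is None:
            return {"error": "authorization_pending"}
        result = {"token_type": "Bearer", "scope": grant.scope, "subject": grant.approved_by,
                  "access_token": f"at.{grant.approved_by}.{secrets.token_hex(8)}"}
        if "offline_access" in grant.scope.split():
            result["refresh_token"] = secrets.token_urlsafe(24)  # long-lived access for the holder
        return result


def run_phish_scenario(victim: str = "alice@contoso.example") -> dict:
    """Plays the sequence described in the post and returns what each side ends up with."""
    idp = AuthorizationServer()
    # Attacker side: starts the flow and keeps the device_code; only user_code goes in the email.
    attacker_view = idp.device_authorization("example-mail-client", "openid offline_access Mail.Read")
    before = idp.token(attacker_view["device_code"])          # victim has not acted yet
    # Victim side: already signed in with MFA, types the code from the phishing email.
    page = idp.verify(attacker_view["user_code"], browser_user=victim, mfa_satisfied=True)
    # Attacker side: polling now returns tokens for the victim's identity.
    after = idp.token(attacker_view["device_code"])
    return {"before": before, "page": page, "after": after}


if __name__ == "__main__":
    outcome = run_phish_scenario()
    print("attacker before victim acts:", outcome["before"])
    print("what the victim's browser saw:", outcome["page"])
    print("attacker after victim acts:", outcome["after"])
```

Nothing in the toy is a vulnerability: the flow behaves exactly as specified, and a real identity provider behaves the same way. The only defenses the protocol itself offers are the short code lifetime and the confirmation step on the verification page, which is why the rest of the post is about policy and user habits rather than a patch.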
Why Doesn’t MFA Stop This:
This is the point where most people would expect a security control to step in, but the key takeaway is that MFA isn't broken; it's working exactly as designed. The problem is who benefits from the successful authentication.
In this attack, the threat actor initiates the authentication session, and the user unknowingly completes it. Whether the user's existing browser session already satisfies MFA or they are prompted and complete it on the spot, the outcome is the same: Microsoft issues a valid token to the attacker's client because, from the system's perspective, a properly authenticated user approved that session.
Why This Matters More:
Traditional phishing focuses on stealing credentials, and most organizations have invested heavily in protecting against that. Kali365 shifts the focus to something more advanced by targeting the authentication process itself and using legitimate Microsoft workflows to gain access.
Because of this, the attack is significantly harder to detect using common indicators of compromise. Most security controls are designed to catch suspicious domains, fake login pages, or password harvesting attempts. In this case, none of those indicators are present.
From both the user’s perspective and the system’s perspective, nothing looks out of place. The login page is real, the authentication succeeds, and the system behaves as expected.
Kali365 highlights a clear shift in attacker behavior. Detection can no longer rely solely on spotting malicious artifacts such as lookalike domains. It requires visibility into how legitimate authentication is being used: which sign-ins used the device code flow, from where, for which applications, and whether that matches what the organization actually expects.
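The kind of visibility described above, as an added example that is not part of the original post and not Microsoft's code: a small triage pass over Entra ID sign-in records that isolates device code flow sign-ins and rates them. The records are constructed for the example and use the field names of the Microsoft Graph signIn resource (authenticationProtocol, ipAddress, appDisplayName, status.errorCode); the corporate egress range and the allowlist of tools that legitimately use the device code flow are assumptions you would replace with your own.

```python
"""Triage of Entra ID sign-in records for device code flow abuse.

Added example, not code from the original post or from Microsoft. Records are
constructed and shaped like the Microsoft Graph signIn resource; the egress
range (TEST-NET-3) and the sanctioned-app list are assumptions.
"""
import json
from ipaddress import ip_address, ip_network

# Constructed sample: one JSON object per line, as an export of sign-in records might look.
# Record 2 is an admin using a command-line tool from the office; record 3 is the pattern the
# post describes; record 4 is the same attempt blocked by Conditional Access (AADSTS53003).
SAMPLE_SIGNINS = """\
{"createdDateTime":"2025-03-04T13:02:11Z","userPrincipalName":"alice@contoso.example","appDisplayName":"Microsoft Teams","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.40","status":{"errorCode":0}}
{"createdDateTime":"2025-03-04T13:05:48Z","userPrincipalName":"ops@contoso.example","appDisplayName":"Microsoft Azure CLI","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.41","status":{"errorCode":0}}
{"createdDateTime":"2025-03-04T13:09:02Z","userPrincipalName":"alice@contoso.example","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.23","status":{"errorCode":0}}
{"createdDateTime":"2025-03-04T13:10:30Z","userPrincipalName":"bob@contoso.example","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.23","status":{"errorCode":53003}}
"""

KNOWN_EGRESS = [ip_network("203.0.113.0/24")]           # assumed corporate egress ranges
SANCTIONED_DEVICE_CODE_APPS = {"Microsoft Azure CLI"}     # assumed: tools admins legitimately use headlessly


def parse_signins(text: str) -> list:
    """One JSON record per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def from_known_network(ip: str, nets=KNOWN_EGRESS) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in nets)


def triage_device_code(records: list, nets=KNOWN_EGRESS, sanctioned=SANCTIONED_DEVICE_CODE_APPS) -> list:
    """Keep only device code flow sign-ins and rate each one.

    high: succeeded and either came from an unfamiliar network or targeted an app
          nobody is expected to authorize this way (the Kali365 pattern);
    info: succeeded but matches known, sanctioned use;
    low:  failed or blocked attempt; still tells you who received the lure.
    """
    findings = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        succeeded = rec.get("status", {}).get("errorCode") == 0
        reasons = []
        if not from_known_network(rec["ipAddress"], nets):
            reasons.append("source IP outside known egress")
        if rec.get("appDisplayName") not in sanctioned:
            reasons.append("app not on device-code allowlist")
        if succeeded and reasons:
            severity = "high"
        elif succeeded:
            severity = "info"
        else:
            severity = "low"
        findings.append({
            "time": rec["createdDateTime"],
            "user": rec["userPrincipalName"],
            "app": rec.get("appDisplayName"),
            "ip": rec["ipAddress"],
            "error_code": rec.get("status", {}).get("errorCode"),
            "succeeded": succeeded,
            "severity": severity,
            "reasons": reasons,
        })
    return findings


def users_to_contain(findings: list) -> list:
    """Accounts whose sessions should be revoked and reviewed first."""
    return sorted({f["user"] for f in findings if f["severity"] == "high"})


if __name__ == "__main__":
    results = triage_device_code(parse_signins(SAMPLE_SIGNINS))
    for f in results:
        print(f["severity"].upper(), f["time"], f["user"], f["app"], f["ip"], "; ".join(f["reasons"]))
    print("contain first:", users_to_contain(results))
```

The protocol field is the anchor: the login page is real and the sign-in succeeds, so the one thing that distinguishes this from a normal session is that the grant used the device code flow at all. Everything else (network, application, whether the user's role ever needs headless sign-in) is context you add from your own environment.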
What Organizations Can Do:
Because Kali365 abuses legitimate sites and trusted authentication processes, security awareness has to evolve. For years, training has centered around avoiding suspicious links or fake websites. That guidance still matters, but it's no longer enough when attacks like this lead users directly to real Microsoft login pages.
The focus now needs to shift from identifying what looks fake to questioning what feels unexpected. Context matters more than appearance.
At the same time, organizations can reduce risk by limiting the attack surface itself. Microsoft Conditional Access includes an authentication flows condition that can block the device code flow, the same code-entry process described above, for all users or for everyone except the accounts that need it. When this feature is not required for business operations, blocking it removes the primary entry point used in these attacks. Start the policy in report-only mode first: command-line tools and headless devices commonly depend on the device code flow, and the report-only sign-in entries show exactly who would be affected before you enforce it.
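The policy above, as an added example that is not part of the original post and not one of Microsoft's own samples: building the Conditional Access policy body that blocks the device code flow, posting it to Microsoft Graph, and auditing an exported policy list to confirm the block is actually enforced rather than only report-only. It uses the Graph conditionalAccessPolicy schema with the authenticationFlows condition (transferMethods = deviceCodeFlow). The break-glass group id is a placeholder, obtaining an access token with Policy.ReadWrite.ConditionalAccess is outside the example, and the Graph version is an assumption: this condition appeared under /beta first, so point GRAPH at /beta if your tenant's /v1.0 rejects it.

```python
"""Build, create and audit a Conditional Access policy that blocks the device code flow.

Added example, not from the original post or from Microsoft's own samples.
Graph version, the break-glass group id and the network helper are assumptions;
the policy schema is the Graph conditionalAccessPolicy resource.
"""
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"                   # assumption; use /beta if v1.0 rejects authenticationFlows
BREAK_GLASS_GROUP_ID = "00000000-0000-0000-0000-000000000000"  # placeholder object id of your emergency-access group


def build_block_device_code_policy(display_name: str, exclude_groups, report_only: bool = True) -> dict:
    """Policy body for POST /identity/conditionalAccess/policies.

    report_only=True creates it as enabledForReportingButNotEnforced so the sign-in
    log shows which users and apps would have been blocked before you enforce it.
    """
    return {
        "displayName": display_name,
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": list(exclude_groups)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def _graph_request(path: str, access_token: str, method: str = "GET", body: dict = None) -> dict:
    """Thin urllib wrapper; a network call, not exercised offline."""
    data = json.dumps(body).encode("utf-8") if body is not None else None
    req = urllib.request.Request(
        f"{GRAPH}{path}", data=data, method=method,
        headers={"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def create_policy(policy: dict, access_token: str) -> dict:
    return _graph_request("/identity/conditionalAccess/policies", access_token, "POST", policy)


def list_policies(access_token: str) -> list:
    return _graph_request("/identity/conditionalAccess/policies", access_token)["value"]


def device_code_coverage(policies: list) -> dict:
    """Audit an exported policy list: which policies block the device code flow,
    split into enforced and report-only. Graph returns transferMethods as a
    comma-separated flags string (e.g. "deviceCodeFlow,authenticationTransfer")."""
    enforced, report_only = [], []
    for policy in policies:
        conditions = policy.get("conditions") or {}
        flows = conditions.get("authenticationFlows") or {}
        methods = [m.strip() for m in (flows.get("transferMethods") or "").split(",")]
        controls = (policy.get("grantControls") or {}).get("builtInControls") or []
        if "deviceCodeFlow" in methods and "block" in controls:
            target = enforced if policy.get("state") == "enabled" else report_only
            target.append(policy["displayName"])
    return {"enforced": enforced, "report_only": report_only}


if __name__ == "__main__":
    draft = build_block_device_code_policy("Block device code flow", [BREAK_GLASS_GROUP_ID])
    print(json.dumps(draft, indent=2))
    print(device_code_coverage([draft]))
```

Two details matter in practice. The break-glass exclusion is there so an emergency-access account is never locked out by a policy mistake, not because those accounts need the device code flow. And the audit distinguishes report-only from enabled: a policy that exists but was never switched to enforced gives you exactly the false sense of coverage that matters here.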
For Users:
The core habit to build is this: only authenticate when you started the process. If you are asked to enter a device code, password, or approve a login without a clear and expected reason, that's your signal to pause.
Good security decisions start with slowing down and thinking through the request before acting. That means:
- Do not enter your password in situations you were not expecting
- Do not approve login requests or enter device codes you didn't initiate
- If you receive a password reset or authentication prompt you didn't request, pause and question it before taking action
- Do not rely on appearance alone. A real login page doesn't always mean a legitimate request
The Bigger Takeaway:
Kali365 is a clear example of how attacker tactics evolve to keep pace with the defenses organizations put in place. Rather than working around existing protections, this approach turns those protections into the entry point.
Bringing this awareness to your team, encouraging users to slow down, and reinforcing the habit of questioning unexpected authentication requests can make the difference between normal activity and a compromised account.
If you're looking to better understand how to strengthen your cybersecurity posture while keeping your team productive, Blackink IT is here to help. Our team can walk you through practical, real-world strategies to reduce risk without slowing down your business operations.