The FBI has issued a warning about Kali365, a new Phishing-as-a-Service platform enabling attackers to steal Microsoft 365 OAuth tokens and bypass MFA. This platform lowers the barrier for cybercriminals, providing AI-generated lures and automated campaign tools.

Users are advised to restrict device code flow and implement conditional access policies to protect their accounts.