FBI Warning: Kali365 Phishing Tool Bypasses Microsoft 365 MFA
Summary
The FBI has issued an urgent warning regarding a new phishing tool named ‘Kali365’ that can bypass Microsoft 365 multi-factor authentication (MFA) by stealing session tokens. This allows attackers to gain full access to Outlook, Teams, and OneDrive without needing passwords or MFA prompts.
What happened?
- New Tool Identified: The FBI identified Kali365 as an advanced phishing kit.
- Token Theft: Instead of just phishing passwords, the tool intercepts session cookies (tokens) generated after a successful login.
- MFA Bypass: Since the token represents an already authenticated MFA session, the attacker can use it to enter the account directly.
- Affected Services: All Microsoft 365 services, including email and cloud storage, are at risk.
Why it matters
This development is critical because many organizations rely on MFA as their primary defense. When tools like Kali365 automate token theft, MFA alone becomes insufficient. It requires a shift toward phishing-resistant MFA methods (such as FIDO2/passkeys) and more robust monitoring of session activity.
Evidence
The warning was disseminated through official FBI channels and security news platforms like Redmondmag. IT communities such as Reddit are already actively discussing the impact and countermeasures.
Analysis
Kali365 exploits the trust that browsers and services place in session cookies. It is an “Adversary-in-the-Middle” (AiTM) attack: the tool acts as a proxy between the user and the real Microsoft login page, relaying the communication in both directions and extracting the final session token once authentication completes. This renders traditional one-time passwords (OTP) or app confirmations useless, because the legitimate user has already entered them during the proxied login, and the resulting token is what the attacker keeps.
Practical Takeaways
- Enhance Monitoring: Administrators should watch for unusual login locations and concurrent sessions from different regions.
- Shorten Token Lifetimes: Minimize the validity period of session tokens.
- Phishing-Resistant MFA: Transition to hardware security keys (e.g., YubiKey) or Windows Hello for Business.
- User Education: Raise awareness about AiTM phishing scenarios where the login page URL is slightly different.
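The first takeaway (watch for unusual login locations and concurrent sessions from different regions) can be turned into two simple checks over sign-in records. The following is an added example written for this page; it is not code from the FBI, Microsoft, or any product. The record fields (`user`, `time`, `ip`, `country`, `session_id`) are an assumed simplified schema, and the sign-in records are constructed for the example. Because a replayed session token carries an MFA-satisfied session, these checks deliberately key on session identifier and location rather than on MFA status.

```python
"""Flag Microsoft 365 sign-ins that suggest a stolen session token is being replayed.

Added example for this page (not the FBI warning's or any vendor's code).
Check 1: the same session identifier observed from more than one country.
Check 2: one user signing in from different countries within a short window.
Field names below are an assumed simplified schema, not an official log format.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample records: alice's session token reappears from a second
# country 12 minutes after her real login; bob is normal; carol gets a fresh
# session from another country 20 minutes after her own sign-in.
SAMPLE_SIGNINS = [
    {"user": "alice@example.com", "time": "2024-05-01T08:00:00Z", "ip": "203.0.113.10",
     "country": "DE", "session_id": "sess-aaa"},
    {"user": "alice@example.com", "time": "2024-05-01T08:12:00Z", "ip": "198.51.100.7",
     "country": "NL", "session_id": "sess-aaa"},
    {"user": "bob@example.com", "time": "2024-05-01T09:00:00Z", "ip": "203.0.113.20",
     "country": "DE", "session_id": "sess-bbb"},
    {"user": "bob@example.com", "time": "2024-05-01T17:30:00Z", "ip": "203.0.113.20",
     "country": "DE", "session_id": "sess-ccc"},
    {"user": "carol@example.com", "time": "2024-05-01T10:00:00Z", "ip": "203.0.113.30",
     "country": "DE", "session_id": "sess-ddd"},
    {"user": "carol@example.com", "time": "2024-05-01T10:20:00Z", "ip": "192.0.2.55",
     "country": "US", "session_id": "sess-eee"},
]


def _parse(ts):
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def session_country_reuse(signins):
    """Check 1: return (user, session) pairs whose session id was seen from >1 country.

    A session token that is being replayed by an attacker shows up under the
    victim's identity but from the attacker's network location.
    """
    countries = defaultdict(set)
    for s in signins:
        countries[(s["user"], s["session_id"])].add(s["country"])
    hits = [
        {"user": user, "session_id": sid, "countries": sorted(seen)}
        for (user, sid), seen in countries.items()
        if len(seen) > 1
    ]
    return sorted(hits, key=lambda h: (h["user"], h["session_id"]))


def concurrent_cross_region(signins, window_minutes=60):
    """Check 2: consecutive sign-ins for one user from different countries
    that are at most `window_minutes` apart (a crude impossible-travel test)."""
    by_user = defaultdict(list)
    for s in signins:
        by_user[s["user"]].append(s)
    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: _parse(e["time"]))
        for prev, cur in zip(events, events[1:]):
            gap_minutes = (_parse(cur["time"]) - _parse(prev["time"])).total_seconds() / 60
            if prev["country"] != cur["country"] and gap_minutes <= window_minutes:
                alerts.append({
                    "user": user,
                    "from_country": prev["country"],
                    "to_country": cur["country"],
                    "minutes_apart": gap_minutes,
                })
    return alerts


if __name__ == "__main__":
    for hit in session_country_reuse(SAMPLE_SIGNINS):
        print("session reused across countries:", hit)
    for alert in concurrent_cross_region(SAMPLE_SIGNINS):
        print("cross-region sign-ins within window:", alert)
```

Check 1 is the stronger signal for the token-theft case described above, since a legitimately roaming user starts a new session rather than carrying the same one across countries; check 2 will also fire on ordinary VPN use, so its window should be tuned to the organization's baseline and used as a triage cue rather than an automatic block.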
Open Questions
- How widespread is Kali365 already in active campaigns?
- Will Microsoft implement short-term technical changes to token management to complicate this specific attack?