
Kali365 Phishing Kit Bypasses MFA to Target Microsoft 365 Accounts
The FBI warns of Kali365, a phishing-as-a-service kit that bypasses multi-factor authentication by tricking victims into approving a device-code sign-in, enabling attackers to harvest OAuth tokens and access Outlook, Teams, and OneDrive; security guidance includes never entering unsolicited device codes, navigating directly to Microsoft rather than using links, monitoring sign-ins and devices, revoking suspicious sessions, keeping MFA enabled, and reporting incidents.




