1. Forum
  2. tqwNet
  3. TQW GENTECH

  • FBI warns of Kali phishing scam hitting Microsoft OAuth tokens w

    From TechnologyDaily@1337:1/100 to All on Mon May 25 21:45:28 2026
    FBI warns of Kali phishing scam hitting Microsoft OAuth tokens warns
    'Kali365 lowers the barrier of entry, providing less-technical attackers access to AI-generated phishing lures'

    Date:
    Mon, 25 May 2026 20:40:00 +0000

    Description:
    A new phishing kit is being offered on Telegram allowing even newbie hackers an easy way to grab OAuth tokens.

    FULL STORY ======================================================================Copy link Facebook X Whatsapp Reddit Pinterest Flipboard Threads Email Share this article 0 Join the conversation Follow us Add us as a preferred source on Google Newsletter Subscribe to our newsletter FBI flags Kali365, a phishing kit sold on Telegram which steals Microsoft 365 OAuth tokens and bypasses MFA Victims are tricked into entering device codes on legitimate Microsoft pages, unknowingly authorizing attacker access to Outlook, Teams, and OneDrive Mitigation steps include restricting device code flow, enforcing conditional access policies, auditing usage, and blocking authentication transfer
    policies The FBI has warned of a new phishing kit which lowers the barrier of entry and allows even low-skilled malicious actors an easy way to compromise peoples Microsoft 365 accounts.

    In a Public Service Announcement (PSA), Microsoft said that a new phishing kit, called Kali365, started making rounds on Telegram in April 2026. It is advertised as a simple way to obtain Microsoft 365 access tokens and bypass multi-factor authentication (MFA) without intercepting the users credentials. Through the Kali365 platform subscription, cyber threat actors can capture "OAuth" tokens and gain persistent access to targeted individuals/entities' Microsoft 365 environments, the FBI warned. Latest Videos From You may like Researchers discover dangerous new Bluekit phishing kit Microsoft flags major phishing campaign targeting 35,000 users across 26 countries This devious VENOM phishing campaign targets business executives by name so watch what
    you click on Capturing tokens The kit allows threat actors to send phishing emails that spoof trusted cloud productivity and document-sharing services. These emails also contain a device code with instructions to visit a legitimate Microsoft verification page and enter it. Victims that do as
    theyre told and paste in the device code are actually authorizing the attackers device to access their account, the FBI explained.

    They can then capture OAuth access and refresh tokens, gaining unabated
    access to Microsoft 365 accounts and all the services found inside, such as Outlook, Teams, and OneDrive.

    To mitigate the risk, users are advised to restrict device code flow, create
    a conditional access policy, audit existing code flow usage, and block authentication transfer policies. Users that cannot completely restrict
    device code flow usage are advised to exclude emergency access accounts to prevent lockouts.

    Phishing kits are platforms offered for a fee on the dark web, through which malicious actors can create entire phishing workflows. They include
    everything from templated email messages that spoof major brands, to fully-functional landing pages for capturing login credentials and MFA codes. Depending on the features used, they can be used for as little as $10 a
    month, going up to $1,000 and more. Are you a pro? Subscribe to our
    newsletter Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed! Contact me
    with news and offers from other Future brands Receive email from us on behalf of our trusted partners or sponsors By submitting your information you agree to the Terms & Conditions and Privacy Policy and are aged 16 or over. The
    best antivirus for all budgets Our top picks, based on real-world testing and comparisons

    Read our full guide to the best antivirus 1. Best overall: Bitdefender Total Security 2. Best for families: Norton 360 with LifeLock 3. Best for mobile: McAfee Mobile Security Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.



    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/fbi-warns-of-kali-phishing-scam-hitting -microsoft-oauth-tokens-warns-kali365-lowers-the-barrier-of-entry-providing-le ss-technical-attackers-access-to-ai-generated-phishing-lures


    --- Mystic BBS v1.12 A49 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)