Thursday, June 18, 2026 | 04:19 PM IST
Business Standard

Is multi-factor authentication enough? Kali365 breach fuels security debate

Cybercriminals are increasingly targeting active sessions instead of passwords, and Kali365 is emerging as one of the clearest examples, showing that even MFA on its own is no longer a guarantee of safety

The rise of Kali365 underscores the growing importance of securing user sessions after login. (Image: AI generated)

Sweta Kumari New Delhi

For years, multi-factor authentication (MFA) has been one of the most widely recommended safeguards against account compromise. The logic was simple: even if attackers obtained a user's password, they would still need access to a second verification factor to gain entry.
 
However, a phishing kit known as Kali365 is drawing attention because it targets something beyond passwords and authentication codes.
 
The US Federal Bureau of Investigation (FBI) has warned that Kali365, a phishing-as-a-service (PhaaS) platform, is being used to compromise Microsoft 365 accounts by capturing authentication tokens after users have already completed MFA verification. Rather than stealing credentials directly, the toolkit hijacks authenticated sessions, allowing attackers to access services such as Outlook, Teams and OneDrive as legitimate users.
 
 
The technique reflects a broader shift in cyberattacks, with threat actors increasingly targeting active sessions instead of login credentials.
 
The risks extend beyond a single account. Since Microsoft 365 often serves as a gateway to corporate email, files and business applications, a compromised session can provide access to sensitive data and internal communications.
 
Although the FBI first warned about Kali365 in May, the phishing kit has attracted renewed attention in recent weeks as researchers revealed more details about its operations and concerns grew around the increasing use of token-theft and session-hijacking techniques.

What is Kali365

In a recent public service announcement, the FBI's Internet Crime Complaint Center (IC3) described Kali365 as an "emerging phishing-as-a-service (PhaaS) platform" that first appeared in April 2026.
 
According to the agency, the toolkit is distributed primarily through Telegram and is designed to help attackers access Microsoft 365 accounts by stealing authentication tokens, thereby bypassing MFA protections.
 
Phishing-as-a-service refers to a criminal business model in which developers provide ready-made phishing tools and infrastructure to other cybercriminals for a fee.
 
The FBI said Kali365 offers features such as AI-generated phishing lures, automated campaign templates, real-time tracking dashboards and OAuth token-capture capabilities. It effectively packages sophisticated phishing tools into a subscription-based service.
 
Cybersecurity publication BleepingComputer, citing research from Arctic Wolf, reported that Kali365 operates much like a business. The platform has developers who maintain the service, resellers who market it and affiliates who launch phishing campaigns.
 
Researchers said the toolkit supports multiple attack methods, including techniques capable of capturing session cookies and authentication tokens even after a user has completed MFA verification.
 
Authentication tokens are digital credentials issued after a user successfully signs in. They allow users to remain logged in without repeatedly entering passwords or completing MFA checks. If attackers obtain these tokens, they can access an account as though they were the legitimate user, even without knowing the password.
 
According to security researcher Graham Cluley, writing on Bitdefender's Hot for Security blog, access to Kali365 is reportedly available through a subscription model priced at around $250 a month or $2,000 a year.
 
Researchers also reported that hundreds of attacks linked to the toolkit were observed across North America and Europe within weeks of its emergence.
 
How the scam works
 
What makes Kali365 different from conventional phishing campaigns is that it does not focus on stealing passwords. Instead, it tricks users into authorising access to their accounts and then captures the authentication tokens that Microsoft issues after a successful login.
 
According to the FBI, the attack generally follows four stages:
 
Lure: The attack begins with a phishing email designed to resemble a legitimate notification from Microsoft or another trusted cloud service. The email asks the user to complete a sign-in process and provides a unique device code. Unlike many phishing scams, victims are not directed to a fake website. Instead, they are instructed to visit a genuine Microsoft verification page, making the request appear legitimate.
 
Authorisation: Once on the Microsoft page, the user enters the device code and signs in with their account. If MFA is enabled, they may also complete the additional verification step. At this stage, the victim believes they are simply logging into a service, but they are actually granting the attacker's device permission to access the account.
 
Token theft: After the login is approved, Microsoft issues authentication tokens that prove the user has successfully signed in. These tokens allow services such as Outlook, Teams and OneDrive to recognise the user without repeatedly requesting a password. Kali365 is designed to capture these tokens, giving attackers the same level of access as the legitimate user.
 
Persistence: With the stolen tokens, attackers can continue accessing Microsoft 365 services even though they never learned the user's password. Because the tokens indicate that MFA has already been completed, attackers can often bypass additional authentication prompts and retain access until the tokens expire or are revoked.
 
How widespread is this technique and is Kali365 unique
 
Kali365 is part of a broader trend rather than a one-off threat. According to reporting that cited researchers from cybersecurity firm Proofpoint, multiple device-code phishing kits with nearly identical tactics were observed within a span of just 10 days. Researchers noted that many of these campaigns appeared highly automated and were likely generated with the help of AI, suggesting that adoption of the technique is growing rapidly among cybercriminal groups.
 
The same report noted that device-code phishing attacks were already being used to compromise Microsoft 365 accounts before Kali365 emerged. In December, researchers documented cases involving both state-backed threat actors and financially motivated cybercriminals using similar methods to gain access to accounts.
 
Further evidence of the trend came from researchers at Huntress and Flare.io, who earlier this year linked a separate wave of attacks to another device-code phishing platform known as "Evil Tokens." The findings suggest that Kali365 is not an isolated tool but part of a growing ecosystem of phishing services designed to steal authenticated sessions rather than passwords.
 
Is MFA losing effectiveness
 
Multi-factor authentication (MFA) remains one of the most effective defences against account takeovers because it can stop attackers who have obtained a user's password from gaining access. In that sense, MFA is still doing the job it was designed to do.
 
The challenge highlighted by Kali365 is different. Instead of trying to crack or bypass MFA, attackers wait for the legitimate user to complete the authentication process themselves. Once the user has successfully signed in and verified their identity, the attackers steal the authentication tokens generated during that session. Those tokens can then be used to access the account without needing the password or another MFA prompt.
 
Security experts therefore argue that the issue is not that MFA is broken, but that cybercriminals are increasingly targeting parts of the authentication process that occur after MFA has already been completed. This broader trend is reflected in industry research.
 
According to cybersecurity firm SentinelOne, which cited findings from the 2025 Verizon Data Breach Investigations Report (DBIR), MFA-fatigue attacks accounted for 14 per cent of analysed security incidents involving MFA bypass. In those attacks, users are bombarded with authentication requests until they eventually approve one.
 
Device-code phishing, the technique used by Kali365, works differently. Rather than overwhelming users with prompts, it abuses a legitimate Microsoft authentication workflow to obtain access that the user unknowingly authorises. 
 
The shift from passwords to 2-factor authentication to passkeys
 
The way people secure their online accounts has changed over time as cyberattacks have become more sophisticated. For years, passwords were the first line of defence. But passwords alone proved insufficient because they could be guessed, stolen in data breaches, reused across multiple websites or captured through phishing scams.
 
To strengthen account security, companies introduced two-factor authentication (2FA), the most common form of multi-factor authentication (MFA). This added an extra verification step, such as a one-time code, an authenticator app notification or a biometric check. Even if a password were compromised, attackers would still need a second factor to gain access.
 
However, cybercriminals have adapted. Instead of focusing solely on passwords, many now target the login process itself through phishing campaigns, MFA fatigue attacks and token theft. Tools such as Kali365 are part of this shift, allowing attackers to take advantage of authenticated sessions rather than stealing credentials directly.
 
As a result, technology companies are increasingly promoting passkeys as the next step in account security. Passkeys allow users to sign in using a fingerprint, face scan or device PIN, without relying on traditional passwords. Because they are linked to a specific device and website, they are considered more resistant to phishing attacks.
 
The growing attention around Kali365 highlights why this transition is underway. The challenge is no longer just preventing password theft but ensuring that attackers cannot misuse the trust established after a user has successfully logged in. 
 
What organisations can do now
 
The emergence of Kali365 is prompting organisations to look beyond traditional account-security measures. While multi-factor authentication remains an important safeguard, the attack demonstrates how cybercriminals are increasingly targeting authenticated sessions and access tokens rather than passwords themselves. As a result, security teams may need to strengthen protections around the entire login process, not just the initial sign-in.
 
In its advisory, the FBI outlined several measures to limit the attack techniques used by the phishing kit and reduce the chances of unauthorised access to Microsoft 365 accounts. These include:
  • Restrict device code authentication: According to the FBI, organisations should consider blocking or limiting device code authentication wherever possible. This is the login method that Kali365 exploits to trick users into granting access to their accounts.
  • Review existing usage before making changes: Before restricting device code authentication, companies should identify which applications, devices or workflows rely on it. This helps avoid disrupting legitimate services, such as conference-room systems and shared workplace devices.
  • Limit authentication-transfer features: The FBI also recommends restricting features that allow users to transfer authentication between devices. These workflows can create additional opportunities for attackers to exploit legitimate login processes.
  • Maintain emergency-access accounts: Organisations should ensure that emergency or break-glass accounts remain available and are excluded from broad restrictions. This can help administrators regain access if normal authentication systems become unavailable.
  • Strengthen phishing defences: The FBI further points organisations to guidance from the US Cybersecurity and Infrastructure Security Agency (CISA), which recommends employee awareness training, phishing detection measures and stronger identity-security controls.
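The first four FBI measures above form one procedure: inventory who still uses device code sign-in, then block the device-code and authentication-transfer flows for everyone else while keeping break-glass accounts excluded. The script below is an added example (not from the article, the FBI or Microsoft) that does both steps on constructed sample records. It assumes the Microsoft Graph sign-in log field names (authenticationProtocol, appDisplayName, userPrincipalName, ipAddress) and the Conditional Access policy schema with the authenticationFlows condition; verify both against current Microsoft documentation before use.

```python
from collections import Counter

# Constructed sample sign-in records in the shape of Graph signIn objects (not real logs).
SIGNINS = [
    {"userPrincipalName": "room-a@example.com", "appDisplayName": "Microsoft Teams Rooms",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10"},
    {"userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7"},
    {"userPrincipalName": "carol@example.com", "appDisplayName": "Outlook",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.11"},
]


def device_code_usage(signins):
    """Step 1 (review existing usage): count (app, user) pairs that signed in
    through the device-code flow so legitimate dependencies are known before blocking."""
    return Counter(
        (s.get("appDisplayName"), s.get("userPrincipalName"))
        for s in signins
        if s.get("authenticationProtocol") == "deviceCode"
    )


def build_block_policy(break_glass_ids, still_needed_ids=()):
    """Steps 2-4: Conditional Access body that blocks deviceCodeFlow and
    authenticationTransfer for all users, excluding break-glass accounts and any
    accounts (e.g. conference-room devices) that step 1 showed still need the flow.
    Field names assumed from the Graph conditionalAccessPolicy schema."""
    if not break_glass_ids:
        # Refuse to produce a lock-out-capable policy with no emergency exclusion.
        raise ValueError("exclude at least one break-glass account before blocking")
    excluded = list(dict.fromkeys([*break_glass_ids, *still_needed_ids]))
    return {
        "displayName": "Block device code flow and authentication transfer",
        # Start in report-only mode; switch to "enabled" after reviewing the impact.
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": excluded},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    usage = device_code_usage(SIGNINS)
    for (app, user), n in usage.items():
        print(f"device code: {app} / {user}: {n} sign-in(s)")
    # Placeholder object IDs; a real tenant would use the accounts' GUIDs.
    print(build_block_policy(["BREAK-GLASS-ID-PLACEHOLDER"], ["room-a@example.com"]))
```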

First Published: Jun 18 2026 | 4:12 PM IST