You know how some criminals get smarter when the cops come knocking? Kali365 didn’t just survive the FBI’s attention—it thrived. What started as a sketchy Telegram bot offering phishing kits to the lowest bidder is now a full-blown cybercrime SaaS, with customer support, tiered pricing, and a dashboard that shows real-time victim uptake. And the worst part? It’s working. Organizations are still getting breached. MFA is still being bypassed. And the people behind it? They’re laughing all the way to the bank.
I’ve seen a lot of phishing tools come and go. Some die in obscurity. Others get patched out by Microsoft. But Kali365? It’s the cockroach of cybercrime. Step on it, and it just evolves. The FBI warned about it in April. Dark Reading flagged it. Arctic Wolf published a report. And yet—two months later—there’s more traffic, more resellers, and more organizations waking up to a compromised inbox.
This isn’t just another phishing kit. This is a business. And like any good business, it listens to its customers.
The FBI Didn’t Stop Them. They Just Made Them Better.
Let’s be honest: the FBI’s warning was a public service announcement, not a takedown. There was no raid. No server seizure. No arrest. Just a press release. And for Kali365’s operators, that was a gift. Suddenly, their product had legitimacy. "FBI-Flagged" became a marketing bullet point. Affiliates started using it in their Telegram ads: "FBI Warned About This—You Know It Works."
I’ve seen the ads. They’re slick. No blurry screenshots. No broken links. They show before-and-after screenshots of compromised Microsoft 365 dashboards. They list features like "AI-generated phishing emails" and "real-time token capture." One even has a testimonial: "Used this on a Fortune 500 last week. Got CEO email. Sold to a ransomware gang for $18k."
The FBI thought they were scaring people off. Instead, they made Kali365 a status symbol.
And here’s the kicker: the platform didn’t change its core method. It doubled down on it.
How It Actually Works (And Why MFA Is Still Broken)
Let’s cut through the jargon. Kali365 doesn’t hack passwords. It doesn’t brute force. It doesn’t even need your phone.
It exploits a feature Microsoft built to help you log in from your smart TV.
You know that screen on your TV that says "Enter code at microsoft.com/devicelogin"? That’s the OAuth 2.0 device authorization flow, the "device code flow" the rest of this post keeps coming back to. It’s meant to be secure. But Kali365 turns it into a trap.
Here’s how:
- The attacker sends you a phishing email: "Your Microsoft 365 account needs verification. Click here to confirm."
- You click. You’re taken to a fake Microsoft login page.
- You enter your username and password.
- Microsoft says: "Enter the code shown on your device."
- The attacker already has that code. They’ve initiated the process themselves.
- You enter the code. You do your MFA.
- Microsoft issues a session token.
- The attacker steals it.
Boom. You’re logged out. They’re in.
No stolen OTP. No SIM swap. No malware on your device.
Just a clever abuse of a feature designed to make life easier.
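Here is what that abuse looks like from the defender’s side of the log. This is an added example, not code from the original post: it walks constructed sign-in records shaped like Microsoft Graph `signIn` objects (only the fields `authenticationProtocol`, `appDisplayName`, `userPrincipalName`, `ipAddress`, `createdDateTime` are assumed), pulls out every device code sign-in, tallies which apps use the flow at all, and tags the ones that came from an address the user never signed in from normally.

```python
"""Hunt for device code sign-ins in an exported Entra ID sign-in log.

Added example, not from the original post. Records are constructed
samples in the shape of Microsoft Graph `signIn` objects.
"""
import json
from collections import Counter, defaultdict

# Constructed sample export: normal browser sign-ins plus two device code
# sign-ins. alice's comes from a host she never used interactively.
SAMPLE_LOG = """
{"createdDateTime": "2025-06-02T08:01:00Z", "userPrincipalName": "alice@example.com", "appDisplayName": "Office 365 Exchange Online", "ipAddress": "203.0.113.10", "authenticationProtocol": "oAuth2"}
{"createdDateTime": "2025-06-02T08:03:00Z", "userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Teams", "ipAddress": "203.0.113.10", "authenticationProtocol": "oAuth2"}
{"createdDateTime": "2025-06-02T08:15:00Z", "userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Office", "ipAddress": "198.51.100.77", "authenticationProtocol": "deviceCode"}
{"createdDateTime": "2025-06-02T09:00:00Z", "userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Teams", "ipAddress": "203.0.113.22", "authenticationProtocol": "oAuth2"}
{"createdDateTime": "2025-06-02T09:10:00Z", "userPrincipalName": "bob@example.com", "appDisplayName": "Azure CLI", "ipAddress": "203.0.113.22", "authenticationProtocol": "deviceCode"}
"""

def parse_signins(text):
    """One JSON object per line, blank lines ignored."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def device_code_report(records):
    """Return (alerts, app_counts) for every device code sign-in.

    ip_unfamiliar is a heuristic: the IP did not appear in any of that
    user's non-device-code sign-ins, so the token was requested from a
    host the user never signed in from directly.
    """
    known_ips = defaultdict(set)
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            known_ips[r["userPrincipalName"]].add(r["ipAddress"])
    alerts, app_counts = [], Counter()
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        app_counts[r["appDisplayName"]] += 1   # feeds the "which apps use it" audit
        alerts.append({
            "time": r["createdDateTime"],
            "user": r["userPrincipalName"],
            "app": r["appDisplayName"],
            "ip": r["ipAddress"],
            "ip_unfamiliar": r["ipAddress"] not in known_ips[r["userPrincipalName"]],
        })
    return alerts, app_counts

if __name__ == "__main__":
    alerts, apps = device_code_report(parse_signins(SAMPLE_LOG))
    for a in alerts:
        print(a["time"], a["user"], a["app"], a["ip"], "REVIEW" if a["ip_unfamiliar"] else "known-ip")
    print("apps using device code:", dict(apps))
```

The same filter (`authenticationProtocol == deviceCode`) is the starting point for the audit in the "what you should do" list: anything that shows up in `app_counts` is an app you either need the flow for or should block.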
And it’s not just Microsoft 365. It works on Salesforce, Slack, even your company’s VPN. Any service that uses OAuth device flow? Vulnerable.
The FBI warned about this. But they didn’t tell you how to fix it.
The Business Model: PhaaS, But With a CRM
Kali365 isn’t a tool. It’s a platform. And it’s structured like a real company.
- Admins build the backend, update the phishing templates, patch exploits.
- Resellers buy bulk access and sell it to smaller operators.
- Affiliates do the actual phishing—sending the emails, managing the landing pages, harvesting the tokens.
They even have a tiered pricing model. Basic plan: $200/month for 100 attacks. Premium: $800/month with AI-generated lures and priority support.
And here’s what’s wild: they offer refunds.
Not because they’re nice. Because they’re professional. If an affiliate’s campaign fails, they get a credit. If the token capture doesn’t work, they fix it.
They’ve got a Slack channel. They’ve got a knowledge base. They’ve got a ticketing system.
This isn’t some guy in a basement. This is a cybercrime startup that raised its Series A in crypto.
The Real Impact: It’s Not About the Numbers. It’s About the Trust.
You think this is about how many accounts got breached? It’s not.
It’s about trust.
People think MFA is a wall. It’s not. It’s a gate. And Kali365 didn’t break the gate. It just convinced you to walk through it yourself.
Every time someone falls for this, they lose more than data. They lose confidence. They start doubting every login prompt. They start disabling MFA. They start using the same password everywhere.
That’s the real win for Kali365.
They’re not just stealing emails. They’re eroding the foundation of digital security.
And no one’s talking about it.
What You Should Do (And What No One Else Will Tell You)
Here’s what Microsoft says: "Enable Conditional Access policies to block device code flows."
Here’s what the FBI says: "Report incidents to IC3."
Here’s what I say: Do both. But also—stop pretending MFA is enough.
You need to:
- Audit every app in your Microsoft 365 tenant that uses device code auth. Block it if you don’t need it.
- Train your team to recognize the exact phishing email template Kali365 uses. It’s always the same: "Your account needs verification. Click here."
- Use browser extensions that block Microsoft’s device login portal unless you initiated it.
- And most importantly—don’t wait for the FBI to warn you. If you’re still using MFA as your only defense, you’re already behind.
Kali365 isn’t going away. It’s getting better.
The question isn’t whether you’ll be targeted.
It’s whether you’ll be ready.
The Other Side of the Coin: AitM and Cookie Link
Kali365 doesn’t just rely on device code phishing. There’s a second, even sneakier mode: "Cookie Link."
It’s not as flashy. No Telegram ads. No slick dashboards. Just a simple, malicious link that says: "Click here to verify your account."
You click. You get redirected to a fake Microsoft login page. You enter your credentials. You complete MFA.
But instead of stealing the token right away, the attacker proxies your entire session through their server. They watch you. They wait for you to click on your email. Your calendar. Your OneDrive. Your Teams.
And then—they steal your session cookie.
No token. No code. No device flow.
Just a browser session they’ve hijacked.
This is what we call Adversary-in-the-Middle (AitM). And it’s terrifying because it doesn’t break MFA—it bypasses it entirely by pretending to be you.
You’re still logged in. You’re still seeing your inbox. You’re still thinking you’re safe.
But you’re not.
The attacker is now sitting right there, reading your emails, sending messages as you, resetting passwords, and even deleting evidence.
And the worst part? You won’t know until it’s too late.
Microsoft doesn’t flag this. Your security tools don’t detect it. Your MFA app doesn’t scream.
Because you’re the one who did everything right.
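There is still a server-side tell, though: the cookie was issued to one client and is later presented by another. The block below is an added example, not code from the original post. It reads a constructed application access log (field names `session_id`, `user`, `ip`, `user_agent`, `ts`, `path` are assumptions, not a vendor schema) and reports every session whose cookie shows up from a different IP and browser than the one that completed the login.

```python
"""Flag session cookies that are presented by a second client.

Added example, not from the original post. The access log is constructed
and its field names are assumptions, not a vendor schema.
"""
import json
from datetime import datetime

def _parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

# Constructed access log: alice's session is created by one client, then a
# few minutes later the same cookie arrives from a different IP and browser
# and starts creating a mail rule. bob's session stays on a single client.
ACCESS_LOG = """
{"ts": "2025-06-02T10:00:00Z", "user": "alice", "session_id": "s-1", "ip": "198.51.100.77", "user_agent": "Chrome/125 Windows", "path": "/login/mfa-complete"}
{"ts": "2025-06-02T10:00:30Z", "user": "alice", "session_id": "s-1", "ip": "198.51.100.77", "user_agent": "Chrome/125 Windows", "path": "/mail/inbox"}
{"ts": "2025-06-02T10:04:00Z", "user": "alice", "session_id": "s-1", "ip": "192.0.2.9", "user_agent": "Firefox/126 Linux", "path": "/mail/inbox"}
{"ts": "2025-06-02T10:05:00Z", "user": "alice", "session_id": "s-1", "ip": "192.0.2.9", "user_agent": "Firefox/126 Linux", "path": "/mail/rules/new"}
{"ts": "2025-06-02T10:10:00Z", "user": "bob", "session_id": "s-2", "ip": "203.0.113.22", "user_agent": "Edge/125 Windows", "path": "/mail/inbox"}
{"ts": "2025-06-02T10:12:00Z", "user": "bob", "session_id": "s-2", "ip": "203.0.113.22", "user_agent": "Edge/125 Windows", "path": "/calendar"}
"""

def find_replayed_sessions(log_text, window_minutes=60):
    """Return one finding per session whose cookie moved to another client.

    A client is the (ip, user_agent) pair first seen with the session. The
    first request from a different pair inside the window is reported,
    together with the path it hit, which is where triage starts.
    """
    first_seen, reported, findings = {}, set(), []
    for line in log_text.strip().splitlines():
        r = json.loads(line)
        sid, client = r["session_id"], (r["ip"], r["user_agent"])
        if sid not in first_seen:
            first_seen[sid] = (client, _parse_ts(r["ts"]))
            continue
        orig_client, t0 = first_seen[sid]
        age = (_parse_ts(r["ts"]) - t0).total_seconds() / 60
        if client != orig_client and age <= window_minutes and sid not in reported:
            reported.add(sid)
            findings.append({"session_id": sid, "user": r["user"], "issued_to": orig_client,
                             "replayed_from": client, "first_path": r["path"],
                             "minutes_after_issue": age})
    return findings

if __name__ == "__main__":
    for f in find_replayed_sessions(ACCESS_LOG):
        print(f["user"], f["session_id"], f["issued_to"], "->", f["replayed_from"], f["first_path"])
```

The heuristic is deliberately loose: a legitimate user roaming between networks will change IP, but rarely IP and browser together within minutes, and the fast move to a mail rule is the part worth a human look.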
The Ghost in the Machine: Why MFA Is a Mirage
We’ve been sold a lie.
MFA isn’t a shield. It’s a mirror.
It reflects your trust. It doesn’t protect you from it.
Kali365 doesn’t hack your phone. It hacks your belief that you’re safe.
Every time you enter a code because an email told you to, you’re not verifying your identity—you’re verifying the attacker’s authority.
And that’s the real vulnerability.
We treat MFA like a lock. But it’s not a lock. It’s a handshake.
And Kali365? It’s the guy who learned how to shake your hand before you even know you’re shaking it.
The FBI warned about the tool.
They didn’t warn you about the psychology.
The Unspoken Rule: If It’s Easy, It’s Already Broken
Here’s what nobody says out loud:
If you’re still using MFA as your primary defense, you’re not secure.
You’re just delaying the inevitable.
The only thing standing between you and a breach isn’t your password.
It’s your ignorance.
Kali365 doesn’t need to be perfect.
It just needs to work once.
And it does.
Every day.
On companies that think they’re protected.
On employees who think they’re trained.
On security teams who think they’ve covered the bases.
They haven’t.
Because no one talks about the human.
And Kali365? It’s built for the human.
What You Should Do—Really
Stop looking for the magic button.
There isn’t one.
You need to:
- Disable device code flow for every app that doesn’t absolutely need it. Yes, even your printer.
- Use browser extensions like "Block Microsoft Device Login" to prevent accidental access to the portal.
- Train your team to recognize the exact phishing email template: "Your Microsoft 365 account needs verification. Click here to confirm."
- Implement Conditional Access policies that require risk-based authentication for any login from a new device.
- And here’s the one no one will tell you: If you’re not using passwordless authentication with FIDO2 keys, you’re already behind.
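The "block device code flow, except where you truly need it" item from both lists is a single Conditional Access policy. The block below is an added example, not code from the original post or from Microsoft: the policy dict follows the shape of the Microsoft Graph `conditionalAccessPolicy` resource (`conditions.authenticationFlows.transferMethods`, `grantControls`), and `is_blocked` is a deliberately simplified model of how that policy applies to a sign-in, not Microsoft’s evaluation engine. The app ids are placeholders.

```python
"""Model of a Conditional Access policy that blocks device code flow.

Added example, not from the original post or Microsoft. The policy shape
mirrors the Graph conditionalAccessPolicy resource; the evaluator is a
simplified model, not the real engine.
"""

def block_device_code_policy(exempt_app_ids=()):
    """Block every device code sign-in except for the listed apps."""
    return {
        "displayName": "Block device code flow",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {
                "includeApplications": ["All"],
                "excludeApplications": list(exempt_app_ids),   # the apps that truly need it
            },
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }

def is_blocked(policy, signin):
    """Simplified: every condition must match before the block control applies."""
    if policy["state"] != "enabled":
        return False
    apps = policy["conditions"]["applications"]
    if signin["appId"] in apps.get("excludeApplications", []):
        return False
    if "All" not in apps["includeApplications"] and signin["appId"] not in apps["includeApplications"]:
        return False
    flows = policy["conditions"].get("authenticationFlows", {}).get("transferMethods", "")
    if "deviceCodeFlow" in flows and signin["authenticationProtocol"] != "deviceCode":
        return False   # condition scoped to device code; this sign-in used something else
    return "block" in policy["grantControls"]["builtInControls"]

# Constructed sample sign-ins; app ids are placeholders, not real client ids.
SIGNINS = [
    {"user": "alice", "appId": "app-outlook-web", "authenticationProtocol": "oAuth2"},
    {"user": "alice", "appId": "app-office-desktop", "authenticationProtocol": "deviceCode"},
    {"user": "ops", "appId": "app-break-glass-cli", "authenticationProtocol": "deviceCode"},
]

if __name__ == "__main__":
    policy = block_device_code_policy(exempt_app_ids=["app-break-glass-cli"])
    for s in SIGNINS:
        print(s["user"], s["appId"], s["authenticationProtocol"],
              "BLOCKED" if is_blocked(policy, s) else "allowed")
```

Normal browser sign-ins are untouched, the phished device code sign-in is blocked, and the one app on the exemption list keeps working; shrink that list until it is empty or every entry has an owner.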
FIDO2 isn’t a trend.
It’s the only thing that actually works.
No code. No phone. No click.
Just a physical key.
It’s not perfect.
But it’s the only defense that doesn’t rely on you being perfect.
Kali365 isn’t going away.
But you can make it irrelevant.
Just don’t wait for the FBI to tell you to.