FBI Issues Urgent Kali365 Security Warning for Teams, Outlook, OneDrive Users

The FBI has issued an urgent warning regarding the “Kali365” threat, a sophisticated campaign targeting users of Microsoft Teams, Outlook, and OneDrive. The advisory, released in mid-June 2026, details how attackers are leveraging malicious OAuth tokens to bypass multi-factor authentication (MFA), granting persistent access to sensitive enterprise data within the Microsoft 365 ecosystem.

The Mechanics of the Kali365 Token Hijack

Kali365 does not rely on traditional credential harvesting like phishing for passwords. Instead, it utilizes an “adversary-in-the-middle” (AiTM) technique to intercept session tokens. By deploying a proxy server that mirrors legitimate login portals, the threat actors capture the authentication handshake. Once the session token is generated, the attacker imports it into their own environment, effectively assuming the identity of the authenticated user.

This bypasses standard MFA because, by the time the attacker holds the token, the session has already been “validated”. It is a critical departure from password-based attacks; the National Institute of Standards and Technology (NIST) has previously warned that session-based persistence remains a primary weakness in modern cloud identity providers.

“The shift toward token-based persistence is the new frontier for automated exfiltration. If an attacker can grab the session cookie via a malicious proxy, the MFA prompt becomes a speed bump rather than a roadblock,” says Marcus Thorne, a lead cybersecurity architect at a global financial services firm.

Why Microsoft 365 Ecosystems are Prime Targets

The architectural design of Microsoft 365, which relies heavily on integrated API permissions, makes it a high-value target for lateral movement. Once an attacker gains access to a single account via Kali365, they can query the Microsoft Graph API to map the entire organization’s directory, identify high-value targets, and exfiltrate data from Teams chats or OneDrive repositories without triggering conventional “impossible travel” alerts.

The FBI advisory highlights that the campaign specifically targets the interconnected nature of these services. By compromising a user’s Outlook session, the attacker gains a foothold that automatically extends to Teams and OneDrive, essentially gaining a “master key” to the user’s digital workspace.

Comparative Risk Profile of Authentication Methods

Authentication Method      Vulnerability to Kali365   Mitigation Effectiveness
Standard SMS MFA           High                       Low (easily intercepted)
Authenticator App (Push)   Moderate                   Medium (susceptible to AiTM)
FIDO2/Hardware Keys        Very Low                   High (cryptographic binding)

Mitigation Strategies for Enterprise IT

To combat this, security teams must move beyond basic MFA. The FBI recommends implementing “Conditional Access” policies that strictly enforce device compliance checks. By requiring that a device be managed via Microsoft Intune, organizations can ensure that only known, compliant hardware can hold active session tokens.

Furthermore, organizations should audit their OAuth application permissions. Threat actors often register malicious apps within the tenant to maintain persistence even after a password reset. Removing unused applications and restricting the ability of non-admin users to consent to third-party applications is essential.

“We are seeing a trend where attackers automate the registration of ‘shadow apps’ within the tenant. It’s an elegant, persistent back-door that bypasses the need for the user to ever log in again,” notes Elena Rodriguez, a senior cloud security researcher.

The 30-Second Verdict

The Kali365 threat is a reminder that identity is the new perimeter. If your organization relies solely on push-based MFA, you are potentially exposed to session hijacking. The immediate path to remediation is the migration to phishing-resistant authentication, specifically FIDO2-compliant hardware security keys (like YubiKeys) and strict Conditional Access policies that bind sessions to specific hardware IDs.

Security administrators should monitor logs for unusual “UserAgent” strings and IP addresses that do not align with known corporate egress points. The FBI’s warning serves as a catalyst for a broader shift toward “Zero Trust” architecture, where session validity is continuously re-evaluated rather than assumed upon initial login.
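The monitoring advice above, together with the token-replay mechanics described earlier, as an added example that is not part of the FBI advisory: it replays constructed sign-in events and alerts when a session token is used from a different IP or user agent than the interactive MFA sign-in that minted it, or from outside known corporate egress ranges. The egress ranges, event fields and sample events are all constructed assumptions of this example.

```python
import ipaddress

# Known corporate egress ranges (constructed; substitute your own NAT/VPN ranges).
CORPORATE_EGRESS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]

# Constructed sign-in events: the interactive sign-in completes MFA, later events
# reuse the same session identifier non-interactively (token use, not a fresh login).
SAMPLE_EVENTS = [
    {"ts": "2026-06-15T09:00:05Z", "user": "alice@example.com", "session": "s-1001",
     "ip": "203.0.113.40", "ua": "Mozilla/5.0 (Windows NT 10.0) Edge/125.0", "interactive": True},
    {"ts": "2026-06-15T09:03:17Z", "user": "alice@example.com", "session": "s-1001",
     "ip": "203.0.113.40", "ua": "Mozilla/5.0 (Windows NT 10.0) Edge/125.0", "interactive": False},
    {"ts": "2026-06-15T09:04:02Z", "user": "alice@example.com", "session": "s-1001",
     "ip": "192.0.2.77", "ua": "python-requests/2.31", "interactive": False},
    {"ts": "2026-06-15T09:10:00Z", "user": "bob@example.com", "session": "s-2002",
     "ip": "198.51.100.9", "ua": "Mozilla/5.0 (Macintosh) Safari/605.1", "interactive": True},
]

def is_corporate(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_EGRESS)

def find_token_replay(events):
    """Return alerts for non-interactive token use whose network origin (IP, user agent)
    differs from the interactive sign-in that minted the session, or is off-network."""
    origin = {}                       # session id -> (ip, ua) of the interactive sign-in
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):   # ISO-8601 strings sort chronologically
        key = e["session"]
        if e["interactive"]:
            origin[key] = (e["ip"], e["ua"])
            continue
        minted = origin.get(key)
        reasons = []
        if minted and minted != (e["ip"], e["ua"]):
            reasons.append("session reused from a different IP/user agent than its MFA sign-in")
        if not is_corporate(e["ip"]):
            reasons.append("token used from non-corporate egress %s" % e["ip"])
        if reasons:
            alerts.append({"user": e["user"], "session": key, "ip": e["ip"],
                           "ts": e["ts"], "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for a in find_token_replay(SAMPLE_EVENTS):
        print(a["ts"], a["user"], a["session"], a["ip"], "->", "; ".join(a["reasons"]))
```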

Sophie Lin - Technology Editor

Sophie is a tech innovator and acclaimed tech writer recognized by the Online News Association. She translates the fast-paced world of technology, AI, and digital trends into compelling stories for readers of all backgrounds.
