{"id":220318,"date":"2026-05-26T11:35:00","date_gmt":"2026-05-26T15:35:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/05\/26\/fbi-warns-about-phaas-platform-used-to-access-microsoft-365-environments\/"},"modified":"2026-05-26T11:45:13","modified_gmt":"2026-05-26T15:45:13","slug":"fbi-warns-about-phaas-platform-used-to-access-microsoft-365-environments","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/05\/26\/fbi-warns-about-phaas-platform-used-to-access-microsoft-365-environments\/","title":{"rendered":"FBI warns about PhaaS platform used to access Microsoft 365 environments"},"content":{"rendered":"<p><a href=\"https:\/\/www.cybersecuritydive.com\/news\/fbi-warns-phishing-platform-microsoft-365\/821105\/\">FBI warns about PhaaS platform used to access Microsoft 365 environments<\/a><\/p>\n<p><a href=\"https:\/\/www.cybersecuritydive.com\/news\/fbi-warns-phishing-platform-microsoft-365\/821105\/\">https:\/\/www.cybersecuritydive.com\/news\/fbi-warns-phishing-platform-microsoft-365\/821105\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-05-26 11:35:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.cybersecuritydive.com\">www.cybersecuritydive.com<\/a><\/p>\n<p>Author: <a href=\"\"><\/a><\/p>\n<p> Using an unordered list, summarize the following article with between 4 and 8 key points. <\/p>\n<p>The FBI is warning about a phishing-as-a-service platform, called Kali365, that allows hackers to access Microsoft 365 tokens and bypass multifactor authentication without a user\u2019s credentials.\u00a0<br \/>\nThe Kali365 platform subscription lets hackers access OAuth tokens and gain persistent access to the M365 environments of targeted organizations or individuals,\u00a0according to an FBI advisory released Thursday.<br \/>\nThe platform subscription serves as an entry point for less sophisticated attackers. The platform offers access to AI-generated phishing lures, dashboards to track targeted victims, automated templates and other benefits.\u00a0<\/p>\n<p>The attacks use phishing emails that impersonate trusted cloud productivity and document sharing services, the FBI said. The emails include a device code that tells the user to visit a legitimate Microsoft verification page, on which the user pastes in the code.\u00a0<br \/>\nThe hacker then can gain OAuth access and refresh tokens. This provides access to the Microsoft 365 account and various services, including Teams, Outlook and OneDrive.\u00a0<br \/>\nArctic Wolf researchers said the Kali365 infrastructure lowers the barrier to entry for potential attackers.\u00a0<br \/>\n\u201cBecause it leverages legitimate Microsoft infrastructure, the activity can appear normal to the victim, which makes it harder to detect,\u201d said Steven Campbell, staff threat intelligence researcher at cybersecurity firm Arctic Wolf. \u201cIn practical terms, this means an attacker doesn\u2019t need to build sophisticated tooling themselves. They can stand up a campaign quickly and at scale.\u201d<br \/>\nThe FBI warning comes about a month after a report by Arctic Wolf on an operation that used the Kali365 platform. Researchers said they have been tracking a widespread device code phishing campaign since early April.\u00a0<br \/>\nThe campaign originated mainly from a single IP address, operated in North America and Europe, the Middle East and Africa. The campaign\u2019s targets included manufacturing, education, insurance, financial, healthcare and government.<br \/>\nThe campaign uncovered by Arctic Wolf is similar to a separate device code phishing operation tracked by Huntress. Starting in February, the campaign targeted Microsoft 365 identities across more than 340 organizations in the U.S., Canada, Australia, New Zealand and Germany.\u00a0<\/p>\n<p>Attackers in that campaign weaponized Railway.com, a platform-as-a-service that was built for vibe coding. Railway was abused to develop on-demand credential harvesting infrastructure, according to Huntress.\u00a0<br \/>\nHuntress and Flare.io in March attributed the Railway attacks to the Evil Tokens phishing-as-a-service platform.\u00a0<br \/>\nResearchers at Proofpoint reported in December\u00a0how state-linked and criminal actors were using device-code phishing to gain access to Microsoft 365 accounts.\u00a0<br \/>\nA Microsoft spokesperson said security teams should follow guidance provided by the FBI. Microsoft also provided best practices advice about how to protect against scams.\u00a0<br \/>\nThe FBI declined to provide any additional comment beyond the alert.<\/p>\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>FBI warns about PhaaS platform used to access Microsoft 365 environments https:\/\/www.cybersecuritydive.com\/news\/fbi-warns-phishing-platform-microsoft-365\/821105\/ Publish Date: 2026-05-26&#8230;<\/p>\n","protected":false},"author":1,"featured_media":220319,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/imgproxy.divecdn.com\/77cSuYhzgcWYOhoW_IX_ypXJzDT4abw9G9opztCvWTM\/g:nowe:0:0\/c:3000:1694\/rs:fit:770:435\/Z3M6Ly9kaXZlc2l0ZS1zdG9yYWdlL2RpdmVpbWFnZS9HZXR0eUltYWdlcy0yMTM2MzQxNjc1LmpwZw==.webp","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[26,24,35,25],"class_list":["post-220318","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-ai","tag-cybersecurity","tag-hacker","tag-phishing"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/220318"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=220318"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/220318\/revisions"}],"predecessor-version":[{"id":220320,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/220318\/revisions\/220320"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/220319"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=220318"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=220318"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=220318"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}