Secure AF - A Cybersecurity Podcast

Kali365 Phishing-as-a-Service: FBI Warns of New M365 Credential Theft Tool

Alias Cybersecurity


The FBI is warning about Kali365, a new phishing‑as‑a‑service tool designed to steal Microsoft 365 credentials and enable account takeovers at scale. In this episode, we break down how it works, why it’s so effective, and what your SOC can do right now to detect and defend against it.

 🎧 Tune in now at secureafpodcast.com


Watch full episodes at youtube.com/@aliascybersecurity.
Listen on Apple Podcasts, Spotify and anywhere you get your podcasts.

SPEAKER_00

Good morning, good afternoon, or good evening, whenever you may be, and welcome to another episode of the SOC Brief. This is your go-to podcast for staying ahead of the ever-evolving world of SOC security threats. I'm your host Andrew, and today we're going to discuss a new phishing-as-a-service platform that the FBI has publicly warned about, and that is Kali365. So this service is specifically designed to steal Microsoft 365 credentials and is being actively marketed to other criminals. We'll discuss what Kali365 is, how it works, why it poses a serious risk to organizations, and some practical steps your SOC can take to detect and defend against these attacks before they lead to account takeovers or larger incidents.

So Kali365 is a relatively new phishing kit that has gained traction in a lot of underground forums. It provides attackers with a ready-made phishing page that closely mimics legitimate Microsoft 365 login portals. The service allows even low-skilled criminals to launch convincing credential harvesting campaigns against any M365 user. The FBI issued a formal warning in early April this year, highlighting that the platform is being used to target organizations across multiple sectors.

So how does this attack actually work? Attackers are sending phishing emails or messages that direct victims to a fake login page. Once the victim enters their credentials, Kali365 captures them in real time. In some configurations that they've seen, it can also attempt to bypass certain multi-factor authentication methods by relaying the session or using adversary-in-the-middle techniques. After successful theft, the stolen accounts can be used for business email compromise, data exfiltration, or just as a foothold for ransomware deployment. And this method is easily accessible and has been pretty effective for them so far.

Microsoft 365 is the backbone of productivity for millions of organizations, so successful compromise can give attackers access to email, files, Teams chats, and even administrative controls. The service lowers the technical barrier, meaning that more criminals can run these campaigns at scale. For SOCs specifically, this translates into more phishing alerts, higher risk of credential-based attacks, and the potential for rapid lateral movement once an account is taken over.

For detecting this attack, we should be tuning the email security gateway and EDR to look for suspicious login patterns from unfamiliar locations or devices, especially those involving Microsoft 365 services. And that is an instance where a SIEM really comes in handy. Also, we need to be monitoring for spikes in failed or successful logins from new IP addresses, unusual OAuth consent requests, or anomalous activity in Microsoft Entra ID logs. You can look for known IOCs that the FBI and some security researchers have shared. And those include specific phishing domains and URL patterns associated with Kali365. From there, make sure you're blocking and quarantining high-risk email attachments and links at your gateway. Make sure you're enforcing conditional access policies in Microsoft 365 and require MFA and trusted locations. Use application allow listing where possible to limit what can run on endpoints.

For proactive hunting, go through your Microsoft 365 audit logs and Entra ID sign-in reports for anomalous activity. You can integrate threat intelligence feeds for Kali365 IOCs, and that way you can get early warnings about any new campaigns that are popping up. Run regular credential stuffing tests against your own environment just to see if any leaked accounts are being reused. The bottom line here is that this Kali365 activity shows that attackers are making credential theft easier and more scalable than ever. SOCs that monitor M365 closely, enforce strong conditional access, and hunt for phishing indicators can really stop these attacks before they can escalate.

Here's some closing thoughts and a call to action. The FBI's warning about Kali365 is a signal that phishing-as-a-service tools are becoming more sophisticated and accessible. SOCs have to stay vigilant with monitoring, enforce layered defenses in Microsoft 365, and keep your teams informed. These steps can help significantly reduce the risk of credential theft and follow-on attacks. So this week, review your Microsoft 365 conditional access policies and run one quick hunt for anonymous sign-ins in your environment. And that's a wrap for this episode of the SOC Brief. Have questions or your own Kali365 stories? Hit us up on social media or via our website. Keep your eyes open, keep sharpening those skills, and we'll talk soon. As always, stay secure out there. Bye.
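The hunt the host describes (baseline each user's sign-in locations, look for sign-ins from new IP addresses or countries, and catch the failed-then-successful login pattern of a credential-stuffing source) can be run over exported Entra ID sign-in records. The Python below is an added example for this page, not code from the episode, the FBI advisory, or Microsoft: the field names are a simplified subset of the Entra ID sign-in log schema, the record set is constructed, and the "same user, second country within minutes" check is included as a practitioner's indicator of a relayed session being used from attacker infrastructure, which the page itself does not spell out.

```python
"""Hunt over Entra ID style sign-in records for Kali365-type credential theft.

Added example, not code from the episode, the FBI advisory or Microsoft. The
field names are a simplified subset of the Entra ID sign-in log schema
(userPrincipalName, ipAddress, countryOrRegion, errorCode, createdDateTime)
and every record below is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records. errorCode 0 = success, 50126 = invalid password.
SIGNINS = [
    # Baseline period: alice and bob sign in from their usual country.
    {"createdDateTime": "2025-04-01T08:00:00", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.10", "countryOrRegion": "US", "errorCode": 0},
    {"createdDateTime": "2025-04-02T08:05:00", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.10", "countryOrRegion": "US", "errorCode": 0},
    {"createdDateTime": "2025-04-03T09:00:00", "userPrincipalName": "bob@example.com",
     "ipAddress": "203.0.113.20", "countryOrRegion": "US", "errorCode": 0},
    # Hunt period: alice signs in normally, then 20 minutes later her account is
    # used from a country she has never signed in from (session/token replay).
    {"createdDateTime": "2025-04-10T09:00:00", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.10", "countryOrRegion": "US", "errorCode": 0},
    {"createdDateTime": "2025-04-10T09:20:00", "userPrincipalName": "alice@example.com",
     "ipAddress": "198.51.100.7", "countryOrRegion": "NL", "errorCode": 0},
    # One source IP fails against five accounts in five minutes, then gets in as bob.
    *[{"createdDateTime": f"2025-04-10T10:0{i}:00", "userPrincipalName": f"{u}@example.com",
       "ipAddress": "192.0.2.55", "countryOrRegion": "DE", "errorCode": 50126}
      for i, u in enumerate(["carol", "dave", "erin", "frank", "grace"])],
    {"createdDateTime": "2025-04-10T10:05:00", "userPrincipalName": "bob@example.com",
     "ipAddress": "192.0.2.55", "countryOrRegion": "DE", "errorCode": 0},
]


def _ts(rec):
    return datetime.fromisoformat(rec["createdDateTime"])


def baseline_countries(records, cutoff):
    """Countries each user successfully signed in from before the ISO `cutoff`."""
    cut = datetime.fromisoformat(cutoff)
    seen = defaultdict(set)
    for r in records:
        if r["errorCode"] == 0 and _ts(r) < cut:
            seen[r["userPrincipalName"]].add(r["countryOrRegion"])
    return seen


def new_country_signins(records, cutoff):
    """Successful sign-ins at/after `cutoff` from a country absent from the user's baseline."""
    base = baseline_countries(records, cutoff)
    cut = datetime.fromisoformat(cutoff)
    return [r for r in records
            if r["errorCode"] == 0 and _ts(r) >= cut
            and r["countryOrRegion"] not in base.get(r["userPrincipalName"], set())]


def impossible_travel(records, window_minutes=60):
    """Consecutive successes by one user from different countries within the window."""
    by_user = defaultdict(list)
    for r in records:
        if r["errorCode"] == 0:
            by_user[r["userPrincipalName"]].append(r)
    hits = []
    for user, recs in by_user.items():
        recs.sort(key=_ts)
        for a, b in zip(recs, recs[1:]):
            if (a["countryOrRegion"] != b["countryOrRegion"]
                    and _ts(b) - _ts(a) <= timedelta(minutes=window_minutes)):
                hits.append((user, a["countryOrRegion"], b["countryOrRegion"], b["ipAddress"]))
    return hits


def spray_then_success(records, min_failures=5, window_minutes=15):
    """Source IPs with >= min_failures failures followed by a success inside the window."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ipAddress"]].append(r)
    hits = []
    for ip, recs in by_ip.items():
        recs.sort(key=_ts)
        for i, r in enumerate(recs):
            if r["errorCode"] != 0:
                continue
            start = _ts(r) - timedelta(minutes=window_minutes)
            failures = [f for f in recs[:i] if f["errorCode"] != 0 and _ts(f) >= start]
            if len(failures) >= min_failures:
                hits.append((ip, r["userPrincipalName"], len(failures)))
                break  # one finding per source IP is enough for triage
    return hits


def hunt(records, cutoff="2025-04-05T00:00:00"):
    """Run all three checks and return the findings keyed by check name."""
    return {
        "new_country": [(r["userPrincipalName"], r["countryOrRegion"])
                        for r in new_country_signins(records, cutoff)],
        "impossible_travel": impossible_travel(records),
        "spray_then_success": spray_then_success(records),
    }


if __name__ == "__main__":
    for name, findings in hunt(SIGNINS).items():
        print(f"{name}: {findings}")
```

Against real exports, point the same functions at the `signIns` records pulled from the Entra ID portal or Microsoft Graph, map `location.countryOrRegion` and `status.errorCode` onto the flat field names used here, and pick a baseline cutoff a few weeks before the campaign you are hunting; the thresholds (60-minute travel window, five failures in fifteen minutes) are starting points to tune against your own false-positive rate.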
