Key Findings FBI issued public service announcement about Kali365, a phishing-as-a-service platform targeting Microsoft 365 users since April 2026 Platform bypasses multi-factor authentication by abusing OAuth device code authorization flows Kali365 lowers technical barriers for cybercriminals by providing AI-generated phishing lures, automated templates, and real-time tracking dashboards Captured OAuth tokens grant persistent access to Microsoft 365 accounts, enabling data t