If multi-factor authentication is supposed to protect your business, why are attackers still getting in?
That is the question many business leaders are asking after the FBI issued a warning about a new phishing platform called Kali365. The attack does not rely on stealing passwords. Instead, it abuses a legitimate Microsoft sign-in flow to obtain access tokens for Microsoft 365 environments, so the controls most organizations count on, including MFA, do not stop it.
For organizations that rely heavily on Microsoft 365 for email, collaboration, and cloud storage, this is an important reminder that modern attacks are evolving faster than many security strategies.
So what exactly happened?
According to a recent FBI warning and reporting by CSO Online, cybercriminals are using a phishing-as-a-service platform called Kali365 to compromise Microsoft 365 accounts by obtaining OAuth tokens rather than passwords. The platform lets attackers sidestep multi-factor authentication (MFA) and keep access to user accounts for as long as the issued tokens remain valid and refreshable.
You can read the original report here:
https://www.csoonline.com/article/4176464/fbi-warns-of-kali-oauth-stealers.html
The attack typically begins with a phishing email that appears to come from a trusted cloud service. The victim is told to visit a genuine Microsoft sign-in page and enter a short code supplied in the email. That code is tied to a sign-in session the attacker has already started, so when the victim signs in, completes MFA and approves the code, Microsoft issues the resulting OAuth tokens to the attacker's session rather than to the victim's own device. Those tokens provide access to Microsoft services such as Outlook, OneDrive, and Teams.
The dangerous part is that the victim completes MFA correctly and still loses control of the account. MFA is not broken; it is satisfied on the attacker's behalf.
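The exchange described above follows the standard OAuth 2.0 device authorization grant (RFC 8628). The following is an added example, not code from the article, the FBI, or the Kali365 tooling: a local simulation in which a toy authorization server plays the identity provider, the attacker starts the flow and polls for tokens, and the victim signs in with a real password and MFA check. The class names, token formats, user names and the verification URI are all constructed for the demo. The `allow_device_code` switch is a stand-in for the identity-side policy that blocks this flow, which is the corrected configuration.

```python
"""Added example: local simulation of the OAuth 2.0 device authorization grant
(RFC 8628) showing why a victim can pass MFA and still hand tokens to an attacker.

Everything here is a constructed stand-in (toy server, token formats, names);
it is not Microsoft's implementation and not the Kali365 tooling.
"""
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class DeviceSession:
    """One pending device-code authorization, keyed by the secret device_code."""
    client_id: str
    scope: str
    user_code: str
    approved_by: Optional[str] = None   # set once a user completes sign-in + MFA


class AuthorizationServer:
    """Toy identity provider exposing the three RFC 8628 steps."""

    def __init__(self, allow_device_code: bool = True) -> None:
        # Policy knob: a real tenant would block the flow with a sign-in policy.
        self.allow_device_code = allow_device_code
        self.sessions: dict = {}        # device_code -> DeviceSession
        self.by_user_code: dict = {}    # user_code  -> device_code

    # Step 1: the client (here, the attacker) starts the flow. It gets a short
    # user_code to hand to a human and a secret device_code to poll with.
    def device_authorization(self, client_id: str, scope: str) -> dict:
        if not self.allow_device_code:
            return {"error": "unauthorized_client"}
        device_code = secrets.token_hex(16)
        user_code = f"{secrets.randbelow(10**4):04d}-{secrets.randbelow(10**4):04d}"
        self.sessions[device_code] = DeviceSession(client_id, scope, user_code)
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://idp.example/devicelogin",  # constructed
                "expires_in": 900, "interval": 5}

    # Step 2: a human types the user_code on the legitimate sign-in page and
    # authenticates. Password and MFA are genuinely checked; the approval simply
    # attaches to whichever session minted that code.
    def verification_page(self, user_code: str, username: str,
                          password_ok: bool, mfa_ok: bool) -> str:
        if not (password_ok and mfa_ok):
            return "denied"
        device_code = self.by_user_code.get(user_code)
        if device_code is None:
            return "invalid_code"
        self.sessions[device_code].approved_by = username
        return "approved"

    # Step 3: the client polls the token endpoint with its device_code.
    def token(self, device_code: str) -> dict:
        session = self.sessions.get(device_code)
        if session is None:
            return {"error": "invalid_grant"}
        if session.approved_by is None:
            return {"error": "authorization_pending"}
        # Constructed token format; real tokens are opaque strings or JWTs.
        return {"token_type": "Bearer",
                "access_token": f"at.{session.approved_by}.{session.scope}",
                "refresh_token": f"rt.{session.approved_by}",  # what makes access persist
                "subject": session.approved_by}


def run_device_code_phish(idp: AuthorizationServer,
                          victim: str = "victim@example.com") -> dict:
    """Play both sides of the attack and return what the attacker ends up holding."""
    # Attacker starts the flow; the user_code goes into the phishing email.
    start = idp.device_authorization(client_id="mail-client",
                                     scope="Mail.Read offline_access")
    if "error" in start:
        return {"attacker_token": None, "blocked_reason": start["error"]}

    # Attacker polls before the victim acts: nothing is issued yet.
    first_poll = idp.token(start["device_code"])

    # Victim follows the email, lands on the genuine page, signs in, passes MFA.
    victim_saw = idp.verification_page(start["user_code"], victim,
                                       password_ok=True, mfa_ok=True)

    # Attacker polls again and receives tokens minted for the victim's identity.
    attacker_token = idp.token(start["device_code"])
    return {"first_poll": first_poll, "victim_saw": victim_saw,
            "attacker_token": attacker_token}


if __name__ == "__main__":
    outcome = run_device_code_phish(AuthorizationServer())
    print("victim saw:", outcome["victim_saw"])
    print("attacker holds tokens for:", outcome["attacker_token"]["subject"])
    blocked = run_device_code_phish(AuthorizationServer(allow_device_code=False))
    print("with device code flow disabled:", blocked["blocked_reason"])
```

Note that nothing in step 2 tells the identity provider who started the session: the verification page sees a valid user, a valid password and a satisfied MFA challenge, and the protocol binds that approval to the device_code the attacker holds. That is why the fix lives in policy (refuse the flow for principals that do not need it) rather than in the MFA prompt.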
Why is this attack different from traditional phishing?
Historically, phishing attacks focused on stealing usernames and passwords. Security teams responded by implementing MFA.
Kali365 targets something different.
Instead of stealing credentials, attackers obtain the tokens that Microsoft issues after a successful sign-in. A bearer token is accepted without a password or MFA prompt until it expires or is revoked, and because the sign-in itself went through Microsoft's own process, many traditional security controls do not immediately recognize the activity as malicious.
This reflects a broader trend in cybercrime where attackers increasingly abuse trusted systems rather than exploit obvious vulnerabilities.
Could this happen even if we already have EDR?
Yes.
Endpoint Detection and Response (EDR) platforms remain valuable, but many modern attacks are specifically designed to avoid triggering traditional detection mechanisms.
In a Kali365 attack, the user completes a real sign-in. Typically no malware is dropped, no password is stolen, and no malicious executable runs on the endpoint, so there may be nothing for endpoint tooling to flag.
The attacker simply abuses authorized access.
This highlights a growing challenge for organizations that rely primarily on "Detect and Respond" strategies. By the time suspicious activity is identified, attackers may already have access to sensitive emails, documents, financial records, and business communications.
Why should business leaders care?
Because the consequences extend far beyond an IT problem.
A successful account compromise can lead to:
- Financial losses from fraud, ransomware deployment, or business email compromise
- Operational disruption caused by locked accounts or compromised cloud services
- Reputational damage when customer or partner information is exposed
- Compliance and regulatory exposure if sensitive data is accessed
- Lost employee productivity during investigation and recovery efforts
The financial impact alone can be significant.
According to IBM's 2025 Cost of a Data Breach Report, the global average cost of a data breach reached approximately $4.44 million.
Meanwhile, Verizon's Data Breach Investigations Report found that credential abuse remains one of the leading initial access methods in breaches and that ransomware was present in 44% of breaches studied.
Those numbers demonstrate that cyber incidents are no longer rare events. They are business risks that require executive attention.
Why are traditional defenses struggling?
The reality is that many security programs still assume attacks will be detected before damage occurs.
Unfortunately, attackers have adapted.
They increasingly use:
- Credential abuse
- OAuth token theft
- Living-off-the-land techniques
- Legitimate administrative tools
- Cloud service abuse
- Security tool evasion
Kali365 is a perfect example. The attack does not necessarily break into a system. Instead, it convinces users to grant access through legitimate processes.
That makes detection more difficult and response more challenging.
What is changing in endpoint security?
Many organizations are beginning to recognize that detection alone cannot be the primary defense strategy.
The security conversation is increasingly shifting toward prevention through Isolation and Containment.
The goal is simple:
Instead of waiting to identify malicious activity after it begins, organizations seek to prevent unauthorized actions from executing in the first place.
This approach focuses on:
- Preventing unauthorized applications from running
- Restricting risky behaviors before execution
- Limiting attacker movement across systems
- Containing threats to reduce blast radius
- Preventing ransomware encryption before it starts
- Reducing dependence on rapid detection and human response
This philosophy recognizes a practical reality: every security control eventually fails. The organizations that suffer the least damage are often those that limit what attackers can do after gaining access.
What role does AppGuard play in this approach?
One example of this prevention-focused strategy is AppGuard, a proven endpoint protection solution with a 10-year track record focused on prevention through Isolation and Containment.
Rather than relying primarily on identifying malicious files or behaviors after they appear, AppGuard focuses on restricting unauthorized activity and preventing attackers from executing the actions needed to establish persistence, move laterally, or deploy ransomware.
The broader lesson is not about any single product. It is about recognizing that prevention must become a larger part of modern cybersecurity strategy. One caveat applies to this attack in particular: endpoint containment limits what an attacker can do on a managed machine, but the token theft itself happens at the identity provider, not on the endpoint. For device code phishing the direct preventive control is an identity-side policy that blocks the device code flow where it is not needed, with endpoint isolation and containment reducing the damage a compromised account or device can cause afterwards.
What Should Businesses Do Next?
Business leaders should assume that phishing emails, credential theft attempts, and authentication abuse campaigns will continue to evolve.
Practical steps include:
- Assume detection will fail at some point
- Add prevention-focused security layers
- Reduce unnecessary endpoint execution freedom
- Review Microsoft 365 authentication policies
- Block the device code flow with Conditional Access for users and applications that do not need it (the flow exists for input-constrained devices and is rarely required by office users)
- Test incident response and recovery procedures
- Segment critical systems and sensitive data
- Review third-party access permissions
- Audit OAuth application consents and review sign-in logs for device code sign-ins; when an account is compromised, revoke its sign-in sessions so existing refresh tokens stop working
- Conduct regular phishing awareness training
- Validate security controls through tabletop exercises
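The log review and audit steps above are easier to act on with a small triage script. The following is an added example, not code from the article or any vendor: it reads exported sign-in records, flags successful sign-ins that used the device code flow, and rates each one higher when the application is not on an allow-list of tools that legitimately use that flow or when the source IP never appears in the user's other successful sign-ins. The records are constructed for the demo. The field names (`userPrincipalName`, `ipAddress`, `authenticationProtocol`, `appDisplayName`, `createdDateTime`, `status.errorCode`) follow the Microsoft Graph `signIn` resource as an assumption about the export you would feed in; adjust them if your export differs. The allow-list is also an assumption.

```python
"""Added example: triage of exported sign-in records for device code flow
sign-ins. Records are constructed; field names assume the Microsoft Graph
signIn schema. Not part of the original article or any vendor tooling.
"""
import json
from collections import defaultdict

# Constructed sample export (one JSON object per line). alice's device-code
# sign-in comes from an IP she has never used; bob's is the Azure CLI from his
# usual IP; carol's device-code attempt failed (non-zero errorCode).
SAMPLE_SIGNINS = """\
{"createdDateTime":"2026-06-01T08:02:11Z","userPrincipalName":"alice@example.com","ipAddress":"203.0.113.10","authenticationProtocol":"oAuth2","appDisplayName":"Microsoft Teams","status":{"errorCode":0}}
{"createdDateTime":"2026-06-01T08:05:40Z","userPrincipalName":"alice@example.com","ipAddress":"203.0.113.10","authenticationProtocol":"oAuth2","appDisplayName":"Outlook","status":{"errorCode":0}}
{"createdDateTime":"2026-06-01T09:14:03Z","userPrincipalName":"alice@example.com","ipAddress":"198.51.100.77","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Office","status":{"errorCode":0}}
{"createdDateTime":"2026-06-01T09:30:00Z","userPrincipalName":"bob@example.com","ipAddress":"203.0.113.22","authenticationProtocol":"deviceCode","appDisplayName":"Azure CLI","status":{"errorCode":0}}
{"createdDateTime":"2026-06-01T09:31:00Z","userPrincipalName":"bob@example.com","ipAddress":"203.0.113.22","authenticationProtocol":"oAuth2","appDisplayName":"Outlook","status":{"errorCode":0}}
{"createdDateTime":"2026-06-01T10:00:00Z","userPrincipalName":"carol@example.com","ipAddress":"198.51.100.78","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Office","status":{"errorCode":50058}}
"""

# Assumed allow-list: apps where device-code sign-ins are expected for some staff.
EXPECTED_DEVICE_CODE_APPS = {"Azure CLI"}


def parse_signins(text: str) -> list:
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _succeeded(rec: dict) -> bool:
    return rec.get("status", {}).get("errorCode", 1) == 0


def triage_device_code(records: list) -> list:
    """Return one finding per successful device-code sign-in, rated by context."""
    # Baseline: IPs seen in each user's successful non-device-code sign-ins.
    known_ips = defaultdict(set)
    for rec in records:
        if _succeeded(rec) and rec.get("authenticationProtocol") != "deviceCode":
            known_ips[rec["userPrincipalName"]].add(rec["ipAddress"])

    findings = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode" or not _succeeded(rec):
            continue
        user, ip, app = rec["userPrincipalName"], rec["ipAddress"], rec.get("appDisplayName", "")
        reasons = ["device code flow used"]
        severity = "medium"
        if app not in EXPECTED_DEVICE_CODE_APPS:
            reasons.append(f"app {app!r} not on device-code allow-list")
            severity = "high"
        if ip not in known_ips[user]:
            reasons.append("source IP not seen in the user's other successful sign-ins")
            severity = "high"
        findings.append({"time": rec["createdDateTime"], "user": user, "ip": ip,
                         "app": app, "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_device_code(parse_signins(SAMPLE_SIGNINS)):
        print(f"[{f['severity']}] {f['time']} {f['user']} from {f['ip']} via {f['app']}")
        for reason in f["reasons"]:
            print("   -", reason)
```

A high-severity finding is the trigger for the response steps in the list above: revoke the account's sign-in sessions so the refresh token dies, reset the password if the phish may also have captured it, and review the mailbox for rules or forwarding added after the sign-in time. The longer-term fix is to block the flow in Conditional Access (the authentication flows condition) for everyone outside the allow-listed tooling, which turns the alice case into a failed sign-in instead of a compromised mailbox.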
Most importantly, organizations should evaluate whether their current security strategy is built primarily around detecting attacks or preventing damage.
The difference matters.
Kali365 demonstrates that attackers no longer need passwords to compromise accounts. In many cases, they only need users to trust the wrong request.
That reality makes prevention, isolation, and containment more important than ever.
Business owners who want to better understand how prevention-first security can stop attacks before damage occurs should talk with CHIPS about how AppGuard can help prevent incidents like this through Isolation and Containment.
June 8, 2026