Source: The Record — 22 May 2026
What we are tracking
The FBI published an advisory on Thursday about Kali365 — a Telegram-based service for cybercriminals that allows them to capture legitimate "OAuth" tokens enabling widespread access to Microsoft 365 environments.
RingSafe analysis
Kali365 is the latest entrant in a phishing-as-a-service category — alongside Tycoon 2FA, EvilProxy, and Storm-1167 — that has been hitting Indian IT-services, BPM, and SaaS exporters all year. The OAuth-token capture vector defeats SMS and TOTP MFA cleanly, which means any Indian M365 tenant still relying on Microsoft Authenticator-push or SMS is one click away from full mailbox, Teams, and SharePoint compromise.

Map to MITRE ATT&CK T1566.002 (Spearphishing Link), T1528 (Steal Application Access Token), and OWASP API2 (Broken Authentication) at the OAuth consent layer.

Action this week: enforce FIDO2 security keys for finance, HR, and any role with high-value mailbox flows; revoke and re-grant all non-essential OAuth app consents; alert on anomalous “Granted consent to application” entries in the M365 unified audit log.

DPDP Section 8 breach-notification timer starts the moment a mailbox is read, not the moment you detect it.
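One way to implement the consent alerting described above, as an added example that is not from The Record or the FBI advisory. It assumes audit records have been exported and flattened to the fields `CreationTime`, `Operation`, `UserId` and a hypothetical `AppId`; the allowlist, thresholds and sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: application IDs your tenant has reviewed (constructed values).
APPROVED_APPS = {"app-crm-001", "app-backup-002"}
BURST_USERS = 3                     # distinct users consenting to one app...
BURST_WINDOW = timedelta(hours=1)   # ...within this window

def is_consent(rec):
    # Substring match covers the "Granted consent to application" wording;
    # adjust to the operation name your audit export actually shows.
    return "consent to application" in rec.get("Operation", "").lower()

def flag_consents(records, approved=APPROVED_APPS):
    """Return (reason, app_id, user, time) tuples for suspicious consent grants."""
    alerts, by_app = [], defaultdict(list)
    consents = sorted(filter(is_consent, records), key=lambda r: r["CreationTime"])
    for rec in consents:
        when = datetime.fromisoformat(rec["CreationTime"])
        app, user = rec["AppId"], rec["UserId"]
        # Rule 1: consent to an app nobody has reviewed.
        if app not in approved:
            alerts.append(("unapproved_app", app, user, when))
        # Rule 2: many users consenting to the same app in a short window,
        # the pattern a phishing campaign leaves behind.
        recent = [(t, u) for t, u in by_app[app] if when - t <= BURST_WINDOW]
        recent.append((when, user))
        by_app[app] = recent
        if len({u for _, u in recent}) == BURST_USERS:
            alerts.append(("consent_burst", app, user, when))
    return alerts

# Constructed sample records (not real tenant data).
SAMPLE = [
    {"CreationTime": "2026-05-20T09:00:00", "Operation": "Granted consent to application",
     "UserId": "a@example.com", "AppId": "app-crm-001"},
    {"CreationTime": "2026-05-20T10:00:00", "Operation": "UserLoggedIn",
     "UserId": "b@example.com", "AppId": "app-crm-001"},
    {"CreationTime": "2026-05-20T11:00:00", "Operation": "Granted consent to application",
     "UserId": "c@example.com", "AppId": "app-x-999"},
    {"CreationTime": "2026-05-20T11:10:00", "Operation": "Granted consent to application",
     "UserId": "d@example.com", "AppId": "app-x-999"},
    {"CreationTime": "2026-05-20T11:20:00", "Operation": "Granted consent to application",
     "UserId": "e@example.com", "AppId": "app-x-999"},
]

if __name__ == "__main__":
    for alert in flag_consents(SAMPLE):
        print(alert)
```

The burst rule fires once, when the third distinct user appears inside the window, so a campaign against an already approved app is still surfaced.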
Read the original report
FBI warns of Kali365 phishing-as-a-service after April Microsoft 365 attacks → at The Record