- Kali365, also known as Octopi365 and Freedom365, is a sophisticated phishing-as-a-service platform that targets Microsoft accounts.
- The vulnerability was first discovered in May 2026 by security firm Huntress when it investigated a large number of Microsoft 365 logins originating from China.
- The FBI will issue a warning detailing this process as part of a public service announcement.
Phishing attacks are nothing new, with an estimated 3.4 billion malicious emails sent every day, accounting for a whopping 1.2% of all email traffic.
Google alone blocks approximately 100 million phishing emails every day. Attackers continue to evolve their approaches, using unique campaigns, AI-generated content, and more recently, QR codes to lure unsuspecting victims.
But a phishing-as-a-service toolkit recently discovered by cybersecurity firm Huntress stands out for its sophistication, scale, and success rate.
Sophisticated phishing services available for rent
What makes Kali365 unique compared to other products is the scale of its operations and the methodology it uses. Unlike most phishing operations, this tool includes over 33 built-in templates that impersonate Microsoft products and services, 100 API endpoints, and role-based access controls for phishing teams.
In addition to AI-enabled phishing, it also features an advanced payment pipeline, encrypted payment gateway integration, tiered access to a software suite, and an operator desktop application for those looking for a complete product.
However, Kali365 and its variants and clones (such as Octopi365 and Freedom365) do not directly compromise or bypass MFA. Instead, they use a series of legitimate-looking emails and calls to action to steal session cookies and OAuth tokens, granting access to the victim’s account.
The process itself is seamless. Potential victims see Microsoft’s website and SSL certificate, but no warning that they are effectively handing over access to the attacker. The attacker then uses the authenticated token to access the victim’s account. The AI-generated decoys themselves are sophisticated, but as the FBI points out, they still involve phishing users via email, with many of the messages masquerading as “trusted cloud productivity and document sharing services.”
A more egregious use of AI is the use of Anthropic’s Claude AI model to read intercepted email threads, score them for likelihood of fraud, and craft a convincing reply message, complete with fabricated banking details and a manufactured sense of urgency, to be sent from the victim’s own mailbox.
While the FBI’s warning is valid, it also acknowledges to some extent that this is not a phishing attack that can be easily avoided, given its size, number of phishing attack vectors, and “legitimate” appearance compared to its competitors. Resolving this will require changes on Microsoft’s part to close the security loophole that allows such authentication forwarding, but for now, affected individuals can only report their experiences here.
