After stealing access to a Microsoft 365 account, the platform reads the victim's email threads with AI, scores them for fraud potential, and sends convincing payment requests to colleagues, all from the victim's legitimate address.

What happened

Kali365, a phishing-as-a-service platform first detected in May 2026 and also operating under the names Octopi365 and Freedom365, has expanded well beyond credential theft into AI-assisted business email compromise (BEC) that uses the victim's own mailbox to defraud their colleagues. According to TechRadar, once an attacker captures a victim's Microsoft 365 OAuth token through device code phishing, Kali365 deploys Claude, Anthropic's AI model, to read the hijacked email threads, identify conversations with fraud potential, and draft reply messages containing fabricated banking details and manufactured urgency. Those messages are sent from the victim's own account, meaning recipients see a legitimate sender address, a real email thread, and a contextually appropriate request. The platform was first detected by security firm Huntress while investigating a cluster of Microsoft 365 logins originating from China.

Going deeper

Kali365 is structured as a tiered commercial operation rather than a simple phishing kit. According to TechRadar, it includes at least 33 built-in templates impersonating Microsoft products and services, 100 API endpoints, role-based access control for phishing teams, a cryptocurrency payment gateway, a sophisticated payout pipeline, and a desktop application for operators. The platform provides tiered subscription access, allowing low-skilled operators to run advanced campaigns without building any infrastructure themselves. The device code authentication method Kali365 exploits was designed for devices that cannot support a standard login, such as smart TVs, printers, and conference room systems. Attackers generate a device code, send it to the victim through a phishing email impersonating a trusted Microsoft service, and when the victim enters the code at Microsoft's legitimate device login portal, the attacker's session receives a valid OAuth token without ever needing the victim's password or MFA code. That token then persists, giving the attacker ongoing access to Outlook, Teams, OneDrive, and every other Microsoft 365 application the victim uses.

What was said

The FBI stated in its May 2026 public service announcement that "Kali365 lowers the barrier of entry, providing less-technical attackers access to AI-generated phishing lures, automated campaign templates, real-time targeted individual and entity tracking dashboards, and OAuth token capture capabilities." TechRadar reported that the platform's use of Claude to analyze intercepted email threads and generate contextually appropriate fraud messages represents a meaningful escalation beyond the initial access phase, turning a compromised mailbox into an automated fraud engine operating invisibly inside the victim organization's own communications.

In the know

The Claude-assisted BEC capability is the most operationally dangerous element of Kali365 because it removes the constraint that has traditionally kept business email compromise from scaling. Standard BEC requires attackers to manually read email threads, understand organizational context, identify the right targets, and craft believable requests, work that limits how many simultaneous campaigns an operator can run. AI automation removes those constraints. According to Infosecurity Magazine, Kali365 provides persistent access to compromised Microsoft 365 environments, meaning the AI-driven BEC phase can run continuously against an organization's entire email history without the attacker needing to remain actively engaged. Researchers found that captured OAuth access and refresh tokens enabled immediate mailbox access and post-compromise activity, with attackers in some cases establishing malicious inbox rules to suppress security notifications and extend their dwell time undetected.
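The two signals this paragraph describes, a device-code sign-in followed by an inbox rule that hides security notices, can be correlated from logs a tenant already has. The following is an added Python example written for this article, not code from the article, Huntress or Infosecurity Magazine; it runs over constructed records shaped like Entra sign-in log entries (the `authenticationProtocol` field) and Exchange Online audit events (`New-InboxRule` with its `Parameters` list). The field shapes follow those log formats; every sample value is invented.

```python
from datetime import datetime, timezone

# Words that commonly appear in the security notices an intruder wants hidden.
SUPPRESSION_WORDS = ("security", "alert", "suspicious", "sign-in", "password", "unusual")
# Inbox-rule parameters that make matching mail vanish from the owner's view.
HIDING_ACTIONS = ("DeleteMessage", "MoveToFolder", "MarkAsRead")

def _ts(value):
    """Parse a UAL CreationTime (naive, UTC) or a Graph createdDateTime ('Z' suffix)."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def suspicious_rule(record):
    """Return a reason if a New-/Set-InboxRule event hides security-related mail, else None."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return None
    p = {x["Name"]: x["Value"] for x in record.get("Parameters", [])}
    hides = [a for a in HIDING_ACTIONS if a in p]
    filters = " ".join(v for k, v in p.items() if k.endswith("ContainsWords")).lower()
    hits = [w for w in SUPPRESSION_WORDS if w in filters]
    if hides and hits:
        return f"rule {p.get('Name')!r} applies {'/'.join(hides)} to mail matching {hits}"
    return None

def correlate(signins, audit_records, window_hours=24):
    """Alert when a device-code sign-in is followed by a suppression rule for the same user."""
    device_code = {s["userPrincipalName"].lower(): s for s in signins
                   if s.get("authenticationProtocol") == "deviceCode"}
    alerts = []
    for rec in audit_records:
        reason = suspicious_rule(rec)
        signin = device_code.get(rec.get("UserId", "").lower())
        if reason and signin:
            delta = (_ts(rec["CreationTime"]) - _ts(signin["createdDateTime"])).total_seconds()
            if 0 <= delta <= window_hours * 3600:
                alerts.append(f"{rec['UserId']}: device-code sign-in from "
                              f"{signin['ipAddress']} followed by {reason}")
    return alerts

# Constructed sample records shaped like Graph sign-in logs and Exchange audit events.
SIGNINS = [{"userPrincipalName": "dr.lee@example-hospital.org", "authenticationProtocol": "deviceCode",
            "ipAddress": "203.0.113.45", "createdDateTime": "2026-05-12T08:40:10Z"}]
AUDIT = [
    {"Operation": "New-InboxRule", "UserId": "dr.lee@example-hospital.org", "CreationTime": "2026-05-12T09:14:22",
     "Parameters": [{"Name": "Name", "Value": ".."}, {"Name": "DeleteMessage", "Value": "True"},
                    {"Name": "SubjectContainsWords", "Value": "Security alert;Unusual sign-in"}]},
    {"Operation": "New-InboxRule", "UserId": "cfo@example-hospital.org", "CreationTime": "2026-05-12T10:00:00",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"}, {"Name": "MoveToFolder", "Value": "Reading"},
                    {"Name": "FromAddressContainsWords", "Value": "news@vendor.example"}]},
]
```

Running `correlate(SIGNINS, AUDIT)` flags only the first rule: the newsletter rule moves mail but matches none of the security-notice keywords, and its owner has no device-code sign-in.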

The big picture

Healthcare organizations are a natural target for the BEC phase of this attack chain. Clinical and administrative staff conduct high-value financial transactions through email: vendor payments, insurance reimbursements, payroll adjustments, and equipment purchases, and they do so with colleagues they trust. A message arriving from a known physician's or administrator's Microsoft 365 address, replying to a real email thread and requesting a payment change or wire transfer, carries a credibility that no external phishing email can match. According to Paubox's 2026 Healthcare Email Security Report, 53 percent of breached healthcare organizations in 2025 used Microsoft 365, making the platform that Kali365 specifically targets the dominant email environment across the sector. An AI model reading a healthcare executive's email thread and drafting a contextually accurate payment request to the finance department is not a theoretical risk; it is a direct extension of what this platform now does operationally.

FAQs

What makes Kali365's BEC capability different from standard business email compromise?

Standard BEC requires attackers to manually review email threads, understand the organization's structure, and craft believable requests one at a time. Kali365 uses AI to automate that entire process at scale, reading captured email threads, identifying fraud opportunities, and drafting replies automatically. An attacker can run simultaneous campaigns across many compromised accounts without the manual effort that previously limited BEC operations.

Why does sending fraudulent messages from the victim's own account make them so much harder to detect?

Email security tools assess sender reputation, domain authentication, and known-bad addresses. A message sent from a legitimate Microsoft 365 account that passes DMARC, DKIM, and SPF checks, arrives in a real thread, and comes from a recognized colleague produces no security alerts. Recipients have no technical signal to distinguish it from a genuine message; only the content itself provides any warning.

What does an OAuth token give an attacker once captured?

An OAuth token is an authentication credential that grants access to Microsoft 365 services without requiring a password or MFA challenge. With a valid token, an attacker can read and send email, access files in OneDrive and SharePoint, join Teams conversations, and interact with any application connected through Microsoft single sign-on, all appearing as the legitimate account holder.

How does the role-based access control in Kali365 affect how it operates?

Role-based access control means different members of a Kali365 operation have defined responsibilities; some manage campaigns, others handle token capture, others monitor targets. This mirrors legitimate software operations and allows the platform to scale with multiple operators working simultaneously without any single person having visibility into the full operation, reducing the risk of exposure if one operator is compromised.

What is the most effective control against this specific attack chain?

Blocking device code authentication flows through Conditional Access policies in Microsoft Entra prevents the token capture step that enables everything that follows. Without a valid OAuth token, the attacker cannot access the mailbox, cannot read email threads, and cannot send fraudulent messages from the victim's account. Implementing this control removes the foundation on which the entire Kali365 operation depends.
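The control described in this answer, as an added example that is not the article's own: a Python script that emits the Microsoft Graph v1.0 conditional access policy body blocking the device code flow (the `authenticationFlows.transferMethods` condition), plus a check that can be run over a tenant's exported policies to confirm an enforced block actually exists. The request body schema and the `POST /identity/conditionalAccess/policies` endpoint are Graph's; the policy name and the choice to start in report-only mode are this example's own.

```python
import json

# Graph v1.0 conditionalAccessPolicy body that blocks the device code flow for all users and apps.
# Key names and values follow the Graph schema; the display name is this example's own choice.
def device_code_block_policy(report_only=True):
    return {
        "displayName": "Block device code authentication flow",
        # Start in report-only mode: printers and room systems that legitimately use the
        # flow show up in the sign-in logs before anyone is locked out.
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": []},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }

def blocks_device_code(policy):
    """True if this policy, as enforced, blocks deviceCodeFlow for every user and application."""
    cond = policy.get("conditions") or {}
    flows = (cond.get("authenticationFlows") or {}).get("transferMethods") or ""
    methods = {m.strip() for m in flows.split(",")}  # Graph stores a comma-separated flags string
    grant = policy.get("grantControls") or {}
    return (policy.get("state") == "enabled"
            and "deviceCodeFlow" in methods
            and "All" in (cond.get("users") or {}).get("includeUsers", [])
            and "All" in (cond.get("applications") or {}).get("includeApplications", [])
            and "block" in grant.get("builtInControls", []))

def audit_policies(policies):
    """Names of policies that enforce the block; an empty list means the token-capture step is still open."""
    return [p["displayName"] for p in policies if blocks_device_code(p)]

if __name__ == "__main__":
    # Printed JSON is the request body for POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
    print(json.dumps(device_code_block_policy(), indent=2))
```

Feed `audit_policies` the JSON returned by `GET /identity/conditionalAccess/policies`; a report-only policy is deliberately not counted, since it logs device-code sign-ins but does not stop the token from being issued.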