- Kali365 is a sophisticated phishing-as-a-service platform, also known as Octopi365 and Freedom365, that targets Microsoft accounts
- It was first detected by security firm Huntress in May 2026 when examining a slew of Microsoft 365 logins originating from China
- The FBI issues a warning detailing the process as part of a public service announcement
Phishing attacks are hardly new, with an estimated 3.4 billion malicious emails sent daily, accounting for a mammoth 1.2% of all email traffic.
Google alone blocks approximately 100 million phishing emails daily, as threat actors continue to evolve their approaches, using unique campaigns, AI-generated content, and, lately, QR codes to lure unsuspecting victims.
A recent phishing-as-a-service toolkit detected by cybersecurity company Huntress, however, stands out for its sophistication, scale, and success rate.
A sophisticated phishing service for hire
What sets Kali365 apart from its peers is the scale at which it operates and the methods it uses. Unlike most phishing operations, it is a tool with at least 33 built-in templates that impersonate Microsoft products and services, 100 API endpoints, and role-based access control for phishing teams.
In addition to being an AI-enabled phishing platform, it has a sophisticated payout pipeline, a crypto payment gateway integration, tiered access to the software suite, and, for those looking for a complete offering, a desktop application for operators.
Kali365 and its variants and clones, such as Octopi365 and Freedom365, do not, however, directly compromise or bypass MFA; instead, they use highly legitimate-looking emails and calls to action to steal session cookies and OAuth tokens, which allow access to a victim’s account.
The process itself is seamless; a potential victim sees a Microsoft website, an SSL certificate, and no warnings that they are effectively handing over access to a bad actor, who then…


























