
Kali365 is a sophisticated phishing-as-a-service platform, also known as Octopi365 and Freedom365, that targets Microsoft accounts.
It was first detected by security firm Huntress in May 2026 when examining a slew of Microsoft 365 logins originating from China.
The FBI issues a warning detailing the process as part of a public service announcement.
Phishing attacks are hardly new, with an estimated 3.4 billion malicious emails sent daily, accounting for a mammoth 1.2% of all email traffic.
Google alone blocks approximately 100 million phishing emails daily, as threat actors continue to evolve their approaches, using unique campaigns, AI-generated content, and, lately, QR codes to lure unsuspecting victims.
A recent phishing-as-a-service toolkit detected by cybersecurity company Huntress, however, stands out for its sophistication, scale, and success rate.
A sophisticated phishing service for hire
What makes Kali365 unique versus its peers is the scale at which it operates and the methods it uses. Unlike most phishing operations, it is a tool with at least 33 built-in templates that impersonate Microsoft products and services, 100 API endpoints, and role-based access control for phishing teams.
In addition to being an AI-enabled phishing toolkit, it also has a sophisticated payout pipeline, a crypto payment gateway integration, tiered access to the software suite, and, for those looking for a complete offering, a desktop application for operators.
Kali365 and its variants and clones, such as Octopi365 and Freedom365, do not, however, directly compromise or bypass MFA; instead, they use a set of highly legitimate-looking emails and calls to action that then steal session cookies and OAuth tokens, allowing access to a victim's account.
The process itself is seamless; a potential victim sees a Microsoft website, an SSL certificate, and no warnings that they are effectively handing over access to a bad actor, who then uses their authenticated token to access their account. The AI-generated lures themselves are sophisticated, but as the FBI points out, they still require a user to be phished via email, with many impersonating "trusted cloud productivity and document-sharing services."
The more damning use of AI, however, is where Anthropic's Claude AI model is used to read intercepted email threads, score them for fraud potential, and draft convincing reply messages, complete with fabricated banking details and a manufactured sense of urgency, to be sent from the victim's own mailbox.
While the FBI's warning stands, it also somewhat acknowledges that this is not an easy phishing attempt to avoid, given the scale, the multitude of phishing attack vectors, and the "legitimate" look it has compared to most of its competition. Resolving this would require a change on Microsoft's end to close security loopholes that enable such authentication transfers, but for now, any affected individuals can only report their experiences here.
Rahim Amir is a UAE-based tech writer who enjoys building PCs as much as he enjoys writing about them. He has been professionally writing about PC hardware since 2023, focusing on buyer’s guides, hardware reviews, and sponsored content and features related to tech.
View original source — TechRadar ↗