Kali365 phishing kit bypasses MFA and steals Microsoft logins — How to Identify & Stay Safe
INDIA — By BharatSecure Threat Intelligence Team
Severity: CRITICAL
Kali365 Phishing Kit Scam in 2026: How It Bypasses MFA and Steals Microsoft Logins in India
A dangerous new phishing scam called Kali365 is targeting Indian users by bypassing Multi-Factor Authentication (MFA) to steal Microsoft account logins, putting personal and financial information at severe risk.
What Is the Kali365 Phishing Kit Bypassing MFA and Stealing Microsoft Logins?
The Kali365 phishing kit is an advanced cybercrime tool designed to trick users into revealing their Microsoft login credentials, even when they have Multi-Factor Authentication (MFA) enabled. Cybercriminals use this kit to create fake Microsoft login pages that look exactly like the real ones. Many Indian professionals, students, and government employees relying on Microsoft services (like Outlook, Microsoft 365, Teams) are becoming primary targets due to the widespread use of these platforms in India.
Unlike traditional phishing that only steals passwords, Kali365 actively intercepts the one-time passwords (OTPs) or MFA codes, effectively bypassing this extra security layer. This capability makes it a critical threat with a risk score of 9 out of 10. CERT-In (Computer Emergency Response Team – India) has issued warnings about increasingly sophisticated phishing methods exploiting MFA weaknesses, and the Indian government’s I4C (Indian Cyber Crime Coordination Centre) is tracking this kit closely due to rising reports across corporate sectors and academia.
The scam is gaining ground in urban and semi-urban India because of rapid digitisation and reliance on Microsoft tools for official work, education, and personal use — magnifying the damage caused by stolen credentials.
How This Scam Works — Step by Step
1. Initial Contact via Email or SMS: You receive what looks like a legitimate email or SMS allegedly from Microsoft or your IT department, warning about a security problem or prompting a mandatory login verification.
2. Fake Login Page Link: The message contains a link leading to a very convincing fake Microsoft login page hosted on a phishing domain.
3. Entering Credentials: When you enter your Microsoft username and password, the phishing kit captures these details instantly.
4. MFA Interception: When the system asks for the MFA code (usually sent as an OTP to your phone or authenticator app), the phishing kit uses a real-time proxy technique to intercept the code you enter, sending it to the attacker.
5. Credential Verification: The attacker immediately uses the stolen username, password, and MFA code combination to access your actual Microsoft account.
6. Data Theft and Fraud: Once inside your account, fraudsters can access emails, documents, calendar data, and even linked UPI payment information or Aadhaar-based services if connected, leading to identity theft, financial losses, or further phishing attempts against your contacts.
Real Warning Signs to Watch For
- Unexpected emails or messages prompting urgent “security verification” or login requests.
- Links that look similar to microsoft.com but have slight misspellings or strange domains (like microsoft-secure-login[.]xyz).
- Requests to enter OTP or MFA codes on web pages outside official Microsoft sites.
- Generic greetings like “Dear User” instead of your name.
- Messages that do not match your usual communication patterns (e.g., a WhatsApp message about a Microsoft login alert).
- Poor grammar or spelling mistakes in emails/SMS supposedly from Microsoft.
- Pressure to act immediately, or threats of consequences if you ignore the message.
What Happens to Victims
Victims of Kali365 attacks often face serious financial and emotional turmoil. Once fraudsters access Microsoft accounts, they may steal sensitive personal data, hack linked accounts (such as UPI wallets), or impersonate the user to defraud colleagues and friends. This can lead to fraudulent UPI transactions that are hard to reverse if not reported promptly, given RBI’s current mandates on transaction dispute resolution timelines.
In addition, victims may suffer from identity theft involving Aadhaar details if their linked documents are stored on cloud platforms, leading to SIM swaps or unauthorized mobile banking transactions. The emotional impact includes loss of trust in digital services, anxiety over personal data exposure, and time-consuming recovery efforts.
What RBI and CERT-In Say
The Reserve Bank of India (RBI) alongside CERT-In has issued multiple advisories urging vigilance against phishing attacks targeting MFA systems. RBI emphasizes timely reporting of fraudulent UPI transactions and cautions users never to share OTPs or MFA codes. CERT-In recommends verifying all login URLs and using official mobile apps rather than links received via messages.
For reporting cybercrimes, CERT-In suggests contacting the national cybercrime helpline at 1930 or logging complaints at the cybercrime.gov.in portal. RBI helpline numbers for banking-related frauds are also available for immediate assistance. The Indian Cyber Crime Coordination Centre (I4C) reinforces the importance of user education to prevent credential theft and MFA-bypass scams like Kali365.
How to Protect Yourself
- Always type your Microsoft login URL manually or access via official apps — don’t click on links from messages.
- Never share OTPs or MFA codes with anyone, even if the request seems urgent or official.
- Enable physical security keys or app-based authenticators rather than SMS-based MFA where possible.
- Verify suspicious messages by contacting your organization’s IT department before taking any action.
- Use layered security: install updated antivirus software and browser protections against phishing sites.
- Monitor your Microsoft account and linked services regularly for unusual activity.
- Register your mobile number with Do Not Disturb (DND) services to reduce spam SMS and phishing attempts.
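Why a physical security key holds up against the real-time proxy described above while a typed OTP does not, as an added sketch that is not code from Kali365, Microsoft or BharatSecure. Assumptions: the sign-in origin, the secrets and the challenge are constructed, and an HMAC stands in for the asymmetric signature a real FIDO2/WebAuthn key produces.

```python
import hashlib, hmac, json, struct

RP_ORIGIN = "https://login.microsoftonline.com"      # assumed genuine sign-in origin
PHISH_ORIGIN = "https://microsoft-secure-login.xyz"  # lookalike named in the article

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): depends only on the shared secret and the clock."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def server_accepts_otp(secret: bytes, submitted: str, now: int) -> bool:
    # Nothing in the code says which page it was typed into, so a relayed
    # code looks identical to one entered on the genuine site.
    return hmac.compare_digest(submitted, totp(secret, now))

def key_sign(key: bytes, challenge: str, page_origin: str) -> dict:
    """Security-key response: the browser, not the user, records the page origin."""
    client_data = json.dumps({"challenge": challenge, "origin": page_origin})
    # Simplification: HMAC replaces the key's private-key signature.
    sig = hmac.new(key, client_data.encode(), hashlib.sha256).hexdigest()
    return {"client_data": client_data, "sig": sig}

def server_accepts_key(key: bytes, challenge: str, response: dict) -> bool:
    expected = hmac.new(key, response["client_data"].encode(), hashlib.sha256).hexdigest()
    data = json.loads(response["client_data"])
    return (hmac.compare_digest(expected, response["sig"])
            and data["challenge"] == challenge
            and data["origin"] == RP_ORIGIN)   # origin check defeats the relay

def relay_outcomes(now: int = 1_700_000_000) -> dict:
    """Does the genuine server accept each factor? (constructed secrets)"""
    secret, key, challenge = b"constructed-otp-seed", b"constructed-key", "c7a1"
    return {
        # OTP typed on the lookalike page and forwarded five seconds later.
        "otp_typed_on_lookalike": server_accepts_otp(secret, totp(secret, now), now + 5),
        "key_used_on_lookalike": server_accepts_key(
            key, challenge, key_sign(key, challenge, PHISH_ORIGIN)),
        "key_used_on_real_site": server_accepts_key(
            key, challenge, key_sign(key, challenge, RP_ORIGIN)),
    }

if __name__ == "__main__":
    for case, accepted in relay_outcomes().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

With a real WebAuthn credential the browser also refuses to offer the key on a domain that does not match the one it was registered for, so the second case normally fails before any signature is produced.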
What to Do If You've Been Targeted
If you suspect you have fallen victim to the Kali365 phishing scam:
- Immediately change your Microsoft account password using a secure device.
- Inform your IT department if the account is work-related.
- Freeze or temporarily block your UPI and bank accounts linked to your email or phone.
- Report the incident to CERT-In by calling 1930 or filing a complaint on cybercrime.gov.in.
- Contact your bank’s fraud helpline and the RBI helpline to dispute any suspicious transactions.
- Scan your devices for malware and reset affected devices if necessary.
- Alert your contacts not to respond to any suspicious messages that may come from your compromised accounts.
Frequently Asked Questions
Q: Can Kali365 phishing steal my Microsoft login if I use MFA?
Yes. Kali365 is specially designed to bypass MFA by intercepting the OTP or verification codes you enter during the fake login process, giving attackers full access.
Q: How can I know if a Microsoft login page is fake?
Check the URL carefully. Legitimate Microsoft pages use domains like microsoft.com or live.com. Any slight misspelling or unusual domain ending is a red flag. Also, avoid clicking on login links sent via email or SMS unless verified.
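The URL check described in this answer and in the warning signs above, written out as an added example (not BharatSecure or Microsoft code). It compares the parsed hostname, on a label boundary, against an allowlist; microsoft.com and live.com come from the article, while microsoftonline.com, the brand-token list and the sample links are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# microsoft.com and live.com are the domains named in the article;
# microsoftonline.com is added here as an assumption (Microsoft's sign-in host).
OFFICIAL_DOMAINS = ("microsoft.com", "live.com", "microsoftonline.com")
BRAND_TOKENS = {"microsoft", "microsoftonline"}  # assumed list for the lookalike hint

def classify_login_url(url: str) -> tuple[bool, str]:
    """Return (is_official, reason) for a link that claims to be a Microsoft login."""
    url = url.strip().replace("[.]", ".")          # re-fang defanged indicators
    try:
        parts = urlsplit(url if "://" in url else "https://" + url)
        host = (parts.hostname or "").rstrip(".")  # hostname drops any user@ prefix
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "not https"
    if not host:
        return False, "no hostname"
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return False, "internationalised hostname (possible homoglyph)"
    for domain in OFFICIAL_DOMAINS:
        # Match on a label boundary: 'notmicrosoft.com' must not pass.
        if host == domain or host.endswith("." + domain):
            return True, "official domain " + domain
    if BRAND_TOKENS & set(re.split(r"[.-]", host)):
        return False, "brand name inside an unrelated domain"
    return False, "unrelated domain"

# Constructed sample links (only the .xyz one appears in the article, defanged).
SAMPLES = [
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
    "https://login.live.com/",
    "microsoft-secure-login[.]xyz",
    "https://login.microsoft.com.account-verify.example/signin",
    "https://login.microsoft.com@portal-check.example/",
    "https://notmicrosoft.com/login",
]

if __name__ == "__main__":
    for link in SAMPLES:
        ok, why = classify_login_url(link)
        print(f"{'OK  ' if ok else 'FAIL'} {link} -> {why}")
```

The fourth and fifth samples show why reading only the start of a link is not enough: the part that decides where the browser goes is the end of the hostname, after any `@`.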
Q: What should I do if I receive a Microsoft login request via WhatsApp or SMS?
Do not click on the link or enter any credentials. Contact the purported sender by another method to confirm authenticity. Microsoft does not send login requests over WhatsApp or SMS.
Stay safe from phishing scams like Kali365. If you receive suspicious messages or links, always verify them at BharatSecure.app — India’s trusted platform to protect you from digital fraud.