Defeating Kali365: How Adversary-in-the-Middle Attacks Bypass MFA
Why is Kali365 a priority for your security stack?
Traditional Multi-Factor Authentication (MFA) is no longer a silver bullet. A new toolkit called Kali365 has gained traction by automating Adversary-in-the-Middle (AiTM) attacks. Unlike old-school phishing that just steals passwords, this tool intercepts the entire login flow in real-time. If your team relies on standard SMS or push-based MFA, your Microsoft 365 accounts are vulnerable to session hijacking.
The FBI recently flagged this as an emerging threat because it removes the need for technical sophistication on the attacker's part. It turns a complex handshake interception into a turnkey operation. For a startup founder or CTO, this means the 'human element' is being exploited through a technical proxy that your current filters might not catch.
How does the session theft actually work?
The attack doesn't target the password; it targets the session token. When a user clicks a malicious link, they aren't sent to a fake static page. Instead, they are directed to a proxy server that mirrors the actual Microsoft login page in real-time. The user enters their credentials and completes the MFA challenge on what looks like a legitimate site. Behind the scenes, Kali365 captures the authenticated session cookie.
Once the attacker has this cookie, they can inject it into their own browser to clone the session. They bypass the login screen entirely because the system believes they have already successfully authenticated. This allows them to:
- Exfiltrate sensitive emails and internal documents.
- Set up mailbox forwarding rules to monitor future communications.
- Launch internal phishing campaigns from a trusted executive account.
- Access connected cloud drives and SharePoint repositories.
What can you do to harden your infrastructure?
Since Kali365 relies on relaying the user's login through an attacker-controlled proxy, you need to move toward phishing-resistant authentication. Standard push notifications are too easy to approve by mistake or through fatigue. You should evaluate your current identity provider settings and look for specific gaps in how you handle session persistence.
Technical debt in security often comes from sticking to 'good enough' methods. Here is how to raise the cost for attackers:
- Deploy FIDO2 compliant security keys. These hardware-backed tokens bind the credential to the legitimate site's origin (URL), so a proxy like Kali365 sitting on a different domain cannot complete the handshake.
- Implement Conditional Access Policies. Restrict logins to managed devices or specific IP ranges to ensure that even a stolen token is useless on an unrecognized machine.
- Shorten Session Lifetimes. Force re-authentication more frequently for high-risk roles to minimize the window of opportunity for a hijacked cookie.
- Monitor for Impossible Travel alerts. If a session token is used in London five minutes after a login in New York, your SOC should automatically kill that session.
Watch for a rise in 'Quishing' (QR code phishing) as a delivery method for these links. Attackers are increasingly using QR codes in PDFs to bypass email scanners that typically flag suspicious URLs. If you see an influx of unusual login patterns from 'Unknown' device types in your Azure logs, assume a toolkit like Kali365 is already probing your perimeter.
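To make the impossible-travel and unknown-device signals concrete, here is an added example (not from this article or the Kali365 toolkit) that runs the check over constructed sign-in records. The field names are assumptions loosely modelled on sign-in logs, not the actual Entra ID schema, and the sample events are made up.

```python
# Added example: flag consecutive sign-ins by one user that imply travel
# faster than any flight, and note extra AiTM indicators (same session ID
# reused from a new location, 'Unknown' device type). Constructed data only.
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Constructed sample sign-in events; field names are assumptions.
SIGNINS = [
    {"user": "cfo@example.com", "time": "2024-05-01T09:00:00", "lat": 40.71,
     "lon": -74.01, "city": "New York", "device": "Windows", "session_id": "sess-A"},
    {"user": "cfo@example.com", "time": "2024-05-01T09:05:00", "lat": 51.51,
     "lon": -0.13, "city": "London", "device": "Unknown", "session_id": "sess-A"},
    {"user": "dev@example.com", "time": "2024-05-01T08:00:00", "lat": 37.77,
     "lon": -122.42, "city": "San Francisco", "device": "macOS", "session_id": "sess-B"},
    {"user": "dev@example.com", "time": "2024-05-01T18:00:00", "lat": 34.05,
     "lon": -118.24, "city": "Los Angeles", "device": "macOS", "session_id": "sess-C"},
]

MAX_SPEED_KMH = 1000  # above any commercial flight: physically implausible

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def find_impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Return one alert per user pair of sign-ins whose implied speed exceeds
    max_speed_kmh. Each alert records whether the session ID was reused and
    whether the later sign-in came from an 'Unknown' device type."""
    by_user = {}
    for e in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        by_user.setdefault(e["user"], []).append(e)
    alerts = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            delta = datetime.fromisoformat(cur["time"]) - datetime.fromisoformat(prev["time"])
            hours = delta.total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_speed_kmh:
                alerts.append({
                    "user": user, "from": prev["city"], "to": cur["city"],
                    "speed_kmh": round(speed),
                    "same_session": prev["session_id"] == cur["session_id"],
                    "unknown_device": cur["device"] == "Unknown",
                    "action": "revoke session and require re-authentication",
                })
    return alerts
```

The New York to London pair (about 5,570 km in five minutes) is the only alert; the San Francisco to Los Angeles pair ten hours apart is ordinary travel and stays quiet.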