=== ARTICLE ===
The FBI Just Warned About a New Phishing Platform — Here’s What Small Businesses Need to Do Right Now
Two days ago, the FBI issued a public warning about a phishing-as-a-service platform called Kali365, first documented in April 2026. It’s only been active for about two months — and it’s already worth a federal alert.
Here’s what that means for your business, and why “we have spam filtering” may not be the answer you think it is.
The Barrier to Entry for Attackers Just Got a Lot Lower
This is the part most news coverage buries.
Phishing-as-a-service platforms like Kali365 don’t require technical expertise to use. A criminal doesn’t need to know how to code, configure servers, or craft convincing emails from scratch. The platform does it for them. They rent access, pick their targets, and launch attacks that look nearly identical to real emails from Microsoft, your bank, or your payroll provider.
What that means in plain terms: the person trying to trick your employees into handing over login credentials might be someone with zero technical background who paid a monthly subscription to do it.
Most business owners still picture hackers as sophisticated lone wolves — the hoodie-wearing genius from the movies. The reality in 2026 is much less dramatic and much more dangerous. It’s closer to a gig economy for cybercrime.
Before the FBI alert even came out, the warning signs were already showing up. Email-based attacks were increasing across the board, and more and more businesses were reaching out just to ask whether a specific email was legitimate or not. That uptick isn’t coincidental — it’s what the early spread of a new phishing platform looks like in practice.
“We Have Spam Filtering” — Why That’s Not Enough Anymore
This is the assumption that’s genuinely concerning.
Spam filtering, at its core, is built around detecting known bad indicators — suspicious sender addresses, known malicious domains, certain keyword patterns. For years, that worked reasonably well. But AI has changed the equation significantly, even just in the past twelve months.
Phishing emails generated or refined by AI tools are harder to detect because they’re more contextually accurate, better written, and better at mimicking legitimate communication. The tells that spam filters have been trained to catch are disappearing. A well-crafted Kali365-generated email might sail right past your filter because it doesn’t technically look wrong — it just isn’t real.
That’s not a knock on spam filtering. You still need it. But it has to be part of a layered approach, not the whole strategy.
The CISA cybersecurity best practices framework emphasizes exactly this — layered defenses, not single-point solutions. A spam filter is one layer. It needs to be backed by email security tools that include dedicated phishing protection, not just spam detection. Your DNS records need to be configured correctly to block certain types of spoofed attacks before they even reach your employees’ inboxes. And critically, the people sitting at those inboxes need to be trained to catch what the technology misses.
Because right now, the human layer of defense matters more than it has in a long time.
Why Healthcare Practices and Financial Firms Should Be Reading This Twice
Every small business should take this seriously. But if you’re running a medical practice, a CPA firm, or any business that handles sensitive client data, the stakes are a level higher.
Phishing kits like Kali365 are specifically designed to steal credentials. Once an attacker has a username and password — even from a single employee — they can access email accounts, patient records, financial data, and internal systems. For a HIPAA-covered practice, that’s a potential breach notification event, an OCR investigation, and serious financial exposure. For a CPA firm, the IRS has specific guidance on protecting client data precisely because tax professionals are high-value targets.
Here’s the uncomfortable part: businesses with sensitive data are typically first on the attack list. And because Kali365 has only been active since April, the security tools designed to detect its specific patterns may not have fully caught up yet. That window — between when a new platform launches and when the detection engines reliably block it — is exactly when attackers push hardest.
That’s why the human layer matters so much right now. Your employees being able to recognize and report suspicious emails isn’t a nice-to-have while the technology catches up. It’s your front line.
According to the Verizon Data Breach Investigations Report, phishing remains one of the top initial access vectors for breaches year after year. New platforms like Kali365 don’t change that story — they just make it easier for more attackers to participate in it.
FAQ
What is Kali365 and why is the FBI warning about it?
Kali365 is a phishing-as-a-service platform first documented in April 2026. The FBI issued a public alert because it significantly lowers the skill required to launch convincing phishing attacks — meaning more criminals can use it to target small and mid-sized businesses with minimal technical knowledge.
My business already has spam filtering. Aren’t we protected?
Spam filtering helps, but it’s not sufficient on its own — especially now. AI-assisted phishing emails are increasingly difficult for traditional filters to detect because they mimic legitimate communication more convincingly. You need layered email security that includes dedicated phishing protection, not just spam filtering.
What makes healthcare practices and CPA firms higher-risk targets?
These businesses store sensitive, high-value data — patient records, financial information, login credentials to systems with regulatory significance. Attackers prioritize them because a successful credential theft yields more valuable access. For HIPAA-covered entities, a breach also carries significant compliance and financial consequences.
How do I know if my current email security is actually configured properly?
Most businesses don’t. A proper review should check whether you have phishing protection (not just spam filtering) enabled, whether your DNS records — specifically SPF, DKIM, and DMARC — are configured correctly, and whether conditional access policies are enforcing MFA across your environment.
Is multi-factor authentication really the most important thing to fix right now?
Yes. If an attacker steals an employee’s credentials through a phishing attack, MFA is the last line of defense that prevents them from actually logging in with those credentials. It doesn’t have to be complicated — it’s adding a second lock to the door — but it has to be enforced, not just offered.
What to Do This Week
Don’t wait for next quarter on this one. Here’s where to start:
1. Turn on and enforce MFA via conditional access. Not optional, not user-preference. Conditional access means the system enforces MFA — users can’t bypass it. If your current Microsoft 365 subscription doesn’t support conditional access enforcement, that’s worth upgrading for. This is the single most impactful thing you can do right now.
2. Review your email security — not just spam filtering. Make sure your email security stack includes dedicated phishing protection. These are different tools solving different problems. Ask your IT provider specifically whether you have phishing protection enabled, not just spam filtering.
3. Check your DNS records. SPF, DKIM, and DMARC records are the configuration layer that helps block email spoofing attacks before they reach your employees. Many small businesses have these either misconfigured or missing entirely. A quick DNS review can close gaps attackers are actively exploiting.
4. Revisit your security awareness training. If your employees haven’t done phishing awareness training recently, now is the time. The technology can only catch so much. Employees who know what to look for — and who know to report suspicious emails — are a real layer of defense, especially while detection tools are still catching up to a new platform.
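For step 3, here is one way to review SPF and DMARC records once you have the TXT strings in hand (for example from your DNS provider's console). This is an added example, not code from the FBI alert or from any vendor; the function names and sample records are constructed for illustration, and DKIM is left out because checking it requires knowing your mail provider's selector.

```python
# Added example: offline audit of SPF and DMARC TXT record strings.
def audit_spf(txt_records):
    """Findings for the TXT strings published at the domain itself."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["SPF: no record published"]
    if len(spf) > 1:
        return ["SPF: more than one record, which receivers treat as an error"]
    terms = [t.lstrip("+") for t in spf[0].lower().split()[1:]]
    all_terms = [t for t in terms if t.lstrip("-~?") == "all"]
    has_redirect = any(t.startswith("redirect=") for t in terms)
    if not all_terms and not has_redirect:
        return ["SPF: no 'all' term, unlisted senders get a neutral result"]
    if all_terms and all_terms[0] == "all":
        return ["SPF: '+all' authorizes every sender"]
    if all_terms and all_terms[0] == "?all":
        return ["SPF: '?all' is neutral, unlisted senders are not failed"]
    return []

def audit_dmarc(txt_records):
    """Findings for the TXT strings published at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if r.split(";")[0].replace(" ", "") == "v=DMARC1"]
    if not dmarc:
        return ["DMARC: no record published"]
    tags = dict((k.strip().lower(), v.strip())
                for k, _, v in (p.partition("=") for p in dmarc[0].split(";")) if v)
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: p={policy or '(missing)'} does not enforce anything")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua address, so no aggregate reports arrive")
    return findings

# Constructed sample records for illustration (example.com is a placeholder).
SAMPLES = {
    "monitor-only": (["v=spf1 include:spf.protection.outlook.com ?all"],
                     ["v=DMARC1; p=none"]),
    "enforcing": (["v=spf1 include:spf.protection.outlook.com -all"],
                  ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"]),
}

if __name__ == "__main__":
    for name, (domain_txt, dmarc_txt) in SAMPLES.items():
        for finding in audit_spf(domain_txt) + audit_dmarc(dmarc_txt) or ["no findings"]:
            print(f"{name}: {finding}")
```

A clean result here means the records are syntactically enforcing; it does not confirm that every legitimate sending service is listed, so review DMARC aggregate reports before moving a domain from p=none to p=reject.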
The FBI’s ongoing cyber alerts and CISA’s guidance on stopping ransomware consistently point to phishing as the starting point for the majority of serious breaches. This isn’t theoretical. These attacks are happening right now, and the tools being used are getting easier to access every month.
You can’t fix what you don’t know is broken — but now you know. So let’s do something about it.
If you want a second set of eyes on your current email security, MFA configuration, and DNS setup, schedule a free discovery call with our team and we’ll tell you exactly where you stand.