The newest way hackers can hijack your Outlook, Teams, and OneDrive does not need your password at all.
Story Snapshot
- The Federal Bureau of Investigation (FBI) says a tool called Kali365 lets criminals break into Microsoft 365 accounts without stealing passwords or beating multi-factor authentication.
- Kali365 uses real Microsoft login pages and simple “device codes” that trick users into opening the door for attackers.
- The platform is a subscription service that provides low-skill scammers with dashboards, templates, and artificial-intelligence lures to run large-scale attacks.
- Simple habits and a few settings changes can shut this scam down before it reaches your inbox.
The FBI’s Warning: A Phishing Factory Aimed At Microsoft 365
The FBI’s Internet Crime Complaint Center issued a public service announcement about Kali365 in May, calling it an emerging phishing-as-a-service platform first seen in April 2026. Kali365 is sold to criminals like software, complete with subscription plans and support.
The FBI says the service is built to steal Microsoft 365 access tokens and bypass multi-factor authentication for Outlook, Teams, OneDrive, and other cloud tools. In plain terms, it turns serious cybercrime into a plug-and-play side hustle.
FBI issues urgent Kali365 security warning for Teams, Outlook, OneDrive users https://t.co/J22HOHtP4C
— The Hill (@thehill) June 15, 2026
The FBI explains that Kali365 lowers the barrier to entry for less-skilled attackers by bundling artificial-intelligence phishing lures, automated campaign templates, and real-time dashboards that track targeted victims.
Media reports add that subscriptions have been advertised on Telegram channels, with prices around a few hundred dollars a month, putting advanced attack tools within reach of both petty crooks and organized gangs.[2]
This is crime “as a service,” and the product on offer is access to your identity and your files.
How Kali365 Breaks In Without Your Password
Kali365 does not start with a fake login page that looks sloppy or uses a misspelled web address. Instead, attackers email you something that looks like a normal cloud document notice, such as a file-sharing alert or electronic signature request.
That email contains a short device code and instructions to visit a legitimate Microsoft verification page and enter it. The page is real. The lock icon in your browser is real. The only fake thing is the code’s purpose.
Behind the scenes, attackers exploit Microsoft’s “device code flow,” a legitimate feature intended for devices like smart TVs that have no keyboard.[1] When you type in the code on Microsoft’s site, you think you are signing in to see a document.
What you actually do is approve the attacker’s device to access your account. Microsoft then issues OAuth access and refresh tokens tied to your account, and the Kali365 kit grabs them the moment they are created. You did the multi-factor challenge on your own device; the criminals just rode along and took the keys.
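To make the mechanism above concrete, here is a toy model of the OAuth 2.0 device authorization grant (RFC 8628), added for this article. It is not Microsoft's implementation and not code from Kali365 or the FBI advisory; every class, field and the "tenant policy" switch is invented for illustration. It shows the single fact that matters: the access and refresh tokens are issued to whoever requested the user code, not to the device on which the user signed in and passed the multi-factor challenge, and the verification page has no way to tell those two parties apart. It also shows what happens when the flow is disabled by policy, which is one of the controls discussed later in the article.

```python
"""Toy model of the OAuth 2.0 device authorization grant (RFC 8628).

Added example, not Microsoft's code. Names, fields and the tenant policy
knob are all made up for illustration.
"""
import secrets
import string
import time
from dataclasses import dataclass
from typing import Optional

ALPHABET = string.ascii_uppercase + string.digits


@dataclass
class PendingAuthorization:
    client_id: str
    requester_ip: str            # network the code pair was requested from
    device_code: str             # long secret the requester polls with
    requested_at: float
    expires_at: float
    approved_by: Optional[str] = None
    approved_from_ip: Optional[str] = None


class DeviceCodeAuthServer:
    """Minimal authorization server with a tenant-level on/off switch."""

    def __init__(self, device_code_enabled: bool = True, lifetime_s: int = 900):
        self.device_code_enabled = device_code_enabled
        self.lifetime_s = lifetime_s
        self._by_user_code: dict[str, PendingAuthorization] = {}
        self._by_device_code: dict[str, PendingAuthorization] = {}

    # Step 1: the initiating client (a smart TV, a CLI, or a phishing kit)
    # asks for a code pair. No user is involved at this point.
    def device_authorization(self, client_id: str, requester_ip: str) -> dict:
        if not self.device_code_enabled:
            raise PermissionError("device code flow disabled by tenant policy")
        now = time.time()
        user_code = "".join(secrets.choice(ALPHABET) for _ in range(9))
        pending = PendingAuthorization(
            client_id=client_id,
            requester_ip=requester_ip,
            device_code=secrets.token_urlsafe(32),
            requested_at=now,
            expires_at=now + self.lifetime_s,
        )
        self._by_user_code[user_code] = pending
        self._by_device_code[pending.device_code] = pending
        return {
            "user_code": user_code,
            "device_code": pending.device_code,
            "verification_uri": "https://login.example.test/device",  # placeholder
            "expires_in": self.lifetime_s,
        }

    # Step 2: a human opens the genuine verification page, authenticates
    # (password plus MFA) on their own device, and types the short code.
    # The server only learns who approved it, not who asked for it.
    def approve_user_code(self, user_code: str, user_id: str,
                          mfa_passed: bool, from_ip: str) -> None:
        pending = self._by_user_code.get(user_code)
        if pending is None or time.time() > pending.expires_at:
            raise ValueError("unknown or expired code")
        if not mfa_passed:
            raise PermissionError("MFA required")
        pending.approved_by = user_id
        pending.approved_from_ip = from_ip

    # Step 3: the initiating client polls the token endpoint with the long
    # device_code. Once approved, tokens are issued to the poller, wherever it is.
    def token(self, device_code: str) -> dict:
        pending = self._by_device_code.get(device_code)
        if pending is None or time.time() > pending.expires_at:
            raise ValueError("unknown or expired device_code")
        if pending.approved_by is None:
            return {"error": "authorization_pending"}
        return {
            "sub": pending.approved_by,
            "access_token": "at-" + secrets.token_urlsafe(16),
            "refresh_token": "rt-" + secrets.token_urlsafe(16),
            "issued_to_ip": pending.requester_ip,
            "approved_from_ip": pending.approved_from_ip,
        }


def walk_through(device_code_enabled: bool = True) -> dict:
    """Run the three steps with the code requester and the approving user on
    different networks; return the token response or the policy error."""
    srv = DeviceCodeAuthServer(device_code_enabled=device_code_enabled)
    try:
        codes = srv.device_authorization("some-public-client", requester_ip="203.0.113.7")
    except PermissionError as exc:
        return {"error": str(exc)}
    # The user never sees 203.0.113.7; they only see a real login page and a code.
    srv.approve_user_code(codes["user_code"], user_id="alice@example.test",
                          mfa_passed=True, from_ip="198.51.100.24")
    return srv.token(codes["device_code"])


if __name__ == "__main__":
    print(walk_through(True))    # tokens for alice, held by 203.0.113.7
    print(walk_through(False))   # policy error, no code pair ever issued
```

Read the two `walk_through` calls together: with the flow enabled, the MFA challenge is genuinely completed on the user's own device, yet the token response belongs to the party that polled with the `device_code`. With the flow disabled, step 1 fails and there is nothing for a user to type, which is why restricting the flow for tenants that do not need it removes the attack surface rather than merely detecting it.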
Why Multi-Factor Authentication Is Not Enough Anymore
For years, security experts told people to turn on multi-factor authentication and call it good. Kali365 exposes the limit of that advice. Because the attack does not steal your password, there is no password to reset and no login to block.
The FBI says these tokens give attackers persistent access to email, chat, and files without requiring a password or fresh multi-factor prompts. As long as the token remains valid, the attacker can quietly act on your behalf.
🚨 FBI WARNS MICROSOFT USERS ABOUT NEW KALI365 PHISHING SCAM.
The FBI is alerting Microsoft 365 users about a fast‑growing phishing‑as‑a‑service scam called Kali365. The tool helps attackers steal OAuth tokens and slip past multi‑factor authentication. It uses AI‑generated lures… pic.twitter.com/67AwdkqBdi
— The Content Factory (@tcf_updates) June 16, 2026
Once inside your account, criminals can read Outlook messages, grab password reset links for banks or stores, and watch Teams conversations to map your business and personal life.[1]
They can raid OneDrive and SharePoint documents, forward sensitive files, and launch believable follow-up scams from your address.
How Big Is Kali365 Versus The Broader Phishing Problem?
Independent research supports the FBI’s view of Kali365 as more than just a single web page. A deep dive by Huntress describes Kali365 as a full ecosystem, with over 30 built-in phishing lures, token management, business email compromise tools, and even desktop apps to replay stolen sessions.
That level of polish suggests an organized criminal service, not a lone hobbyist. At the same time, device code and token theft techniques have been around for years under other names.
Some security professionals argue online that the FBI’s alert mainly rebrands a known method instead of revealing a brand-new class of threat. There is truth in that: many phishing-as-a-service kits now focus on token theft and multi-factor bypass. But that does not weaken the core warning.
When the nation’s top law enforcement agency singles out one platform by name and ties it to real attacks against Microsoft 365 tenants, it signals that scale and impact have crossed a line from “interesting” to “urgent.”
Practical Steps: One Simple Rule And A Few Smart Settings
The good news is that one habit blocks this entire attack for most people: never enter a verification code on a Microsoft page unless you started the sign-in yourself, on your own device.[1]
If an email tells you to type a code into a Microsoft site and you did not start that process, treat it as a scam. Delete the message, or report it using the “Report phishing” option in Outlook or your email client. That single rule slams the door on Kali365’s main trick.
On the technical side, organizations can go further. The FBI and several security firms recommend using conditional access policies to limit who can log in from which locations and on which devices.[1] Administrators can disable or restrict the device code flow if the business does not rely on it.[1]
Regularly review active sessions and connected applications in Microsoft 365, revoke unknown ones, and log out of all sessions if a compromise is suspected.
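The session review recommended above can be turned into a repeatable triage step. The following is an added example, not code from the FBI, Microsoft or any security firm named here. It reads exported sign-in records as JSON lines, flags successful device-code sign-ins that either come from a user/application pair not expected to use that flow or redeem the code from an address the user has never signed in from interactively, and attaches the response action (revoke sessions and refresh tokens, confirm with the user). The field names (`userPrincipalName`, `ipAddress`, `authenticationProtocol`, `appDisplayName`, `status.errorCode`) follow the shape of Microsoft Entra sign-in log exports as I understand them; treat them as assumptions and map them to whatever your export actually contains. The log lines and the allowlist are constructed for the example.

```python
"""Triage device-code sign-ins from exported sign-in logs.

Added example, not vendor or FBI code. Field names are assumptions about
the export format; the sample records and allowlist are constructed.
"""
import json
from collections import defaultdict

# Constructed sample: one JSON record per line, as a log export might provide.
SAMPLE_SIGNIN_LOG = """\
{"createdDateTime": "2026-06-10T08:02:11Z", "userPrincipalName": "alice@example.test", "ipAddress": "198.51.100.24", "authenticationProtocol": "oAuth2", "appDisplayName": "Microsoft Teams", "status": {"errorCode": 0}}
{"createdDateTime": "2026-06-10T08:40:03Z", "userPrincipalName": "alice@example.test", "ipAddress": "203.0.113.7", "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}}
{"createdDateTime": "2026-06-10T09:01:30Z", "userPrincipalName": "bob@example.test", "ipAddress": "198.51.100.31", "authenticationProtocol": "oAuth2", "appDisplayName": "Azure Portal", "status": {"errorCode": 0}}
{"createdDateTime": "2026-06-10T09:15:44Z", "userPrincipalName": "bob@example.test", "ipAddress": "198.51.100.31", "authenticationProtocol": "deviceCode", "appDisplayName": "Azure CLI", "status": {"errorCode": 0}}
{"createdDateTime": "2026-06-10T09:20:00Z", "userPrincipalName": "carol@example.test", "ipAddress": "203.0.113.9", "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office", "status": {"errorCode": 50199}}
"""

# Constructed allowlist: (user, app) pairs known to use device code legitimately,
# e.g. an engineer who signs in to a CLI from a headless box.
KNOWN_DEVICE_CODE_USERS = {("bob@example.test", "Azure CLI")}

RESPONSE_ACTION = ("revoke sessions and refresh tokens; confirm with the user "
                   "whether they started this sign-in themselves")


def parse_signins(text: str) -> list:
    """Parse JSON-lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage_device_code_signins(records: list, allowlist=KNOWN_DEVICE_CODE_USERS) -> list:
    """Return one finding per suspicious successful device-code sign-in."""
    # Baseline: addresses each user has used for successful non-device-code sign-ins.
    interactive_ips = defaultdict(set)
    for r in records:
        if r["authenticationProtocol"] != "deviceCode" and r["status"]["errorCode"] == 0:
            interactive_ips[r["userPrincipalName"]].add(r["ipAddress"])

    findings = []
    for r in records:
        # Only successful device-code sign-ins produce usable tokens.
        if r["authenticationProtocol"] != "deviceCode" or r["status"]["errorCode"] != 0:
            continue
        user, app, ip = r["userPrincipalName"], r["appDisplayName"], r["ipAddress"]
        reasons = []
        if (user, app) not in allowlist:
            reasons.append("device-code sign-in by a user/app pair not expected to use it")
        if ip not in interactive_ips[user]:
            reasons.append("code redeemed from an address this user never used interactively")
        if reasons:
            findings.append({
                "time": r["createdDateTime"],
                "user": user,
                "app": app,
                "ip": ip,
                "reasons": reasons,
                "action": RESPONSE_ACTION,
            })
    return findings


def users_to_sign_out(findings: list) -> list:
    """Distinct users whose sessions should be revoked, in first-seen order."""
    seen = []
    for f in findings:
        if f["user"] not in seen:
            seen.append(f["user"])
    return seen


if __name__ == "__main__":
    found = triage_device_code_signins(parse_signins(SAMPLE_SIGNIN_LOG))
    for f in found:
        print(f["time"], f["user"], f["app"], f["ip"])
        for reason in f["reasons"]:
            print("  -", reason)
        print("  action:", f["action"])
    print("sign out:", users_to_sign_out(found))
```

On the constructed sample, Alice's device-code sign-in is flagged on both rules (she is not on the allowlist and the code was redeemed from an address she never used interactively), Bob's is allowlisted and comes from his usual address, and Carol's attempt failed, so no token was issued and it is not reported. The second rule is deliberately crude: it uses the addresses in the same export as the baseline, so in practice you would build that baseline from a longer window and treat the allowlist as the control you actually maintain.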
These steps fit a conservative approach to risk: trust less by default, verify more, and keep critical controls close to home instead of assuming the cloud vendor will sort everything out.
Sources:
[1] Web – FBI issues urgent Kali365 security warning for Teams, Outlook, …
[2] Web – FBI warns of Kali365 phishing scam targeting Microsoft 365 users