FBI Drops Bombshell Internet Warning

FBI Warns Microsoft 365 Users Against a Major Scam Known as Kali365

The FBI is warning Microsoft 365 users about a sophisticated phishing campaign that can compromise accounts without requiring victims to surrender their passwords, according to a new alert highlighting an emerging cyber threat known as Kali365.

The phishing-as-a-service platform targets Microsoft 365 accounts, including Outlook, Teams and OneDrive, by exploiting Microsoft’s legitimate device code authentication process rather than attempting to steal passwords directly.

Federal officials said Kali365 first emerged in April 2026 and has primarily been distributed through Telegram, where cybercriminals can purchase access to prebuilt phishing tools, campaign templates and tracking dashboards.

Unlike traditional phishing attacks, Kali365 focuses on obtaining OAuth access and refresh tokens, which allow users to remain signed into Microsoft services without repeatedly entering their passwords. Once stolen, those tokens can provide attackers with continued access to Microsoft accounts.

The scam begins when attackers initiate Microsoft’s legitimate device code login process from their own device before sending victims a phishing email containing a verification code and instructions to visit an authentic Microsoft sign-in page.

Because the verification page is operated by Microsoft, victims may believe the request is legitimate. After entering the provided device code, they unknowingly authorize the attacker’s device to access their account.

Once access is granted, attackers can capture authentication tokens that allow them to access Outlook, Teams and OneDrive without needing the victim’s password or triggering another multifactor authentication prompt.

The FBI said the technique poses particular risks for businesses because compromised accounts may contain sensitive emails, invoices, customer information and internal communications that attackers can use to impersonate employees or launch additional fraud schemes, per Fox News.

Federal officials advised users to treat any unsolicited request to enter a Microsoft device code as suspicious, particularly if it arrives through email, text message or collaboration platforms such as Teams.

Microsoft told Fox News that customers should follow the FBI’s recommendations while continuing to implement the company’s existing security best practices to defend against phishing-as-a-service operations and account takeover attempts.

The company said it continues working to disrupt cybercriminal networks responsible for phishing campaigns and referenced previous enforcement efforts targeting operations including Fake ONNX, RaccoonO365 and Tycoon 2FA.

The FBI recommends users never enter a device code unless they personally initiated the sign-in process, review account activity regularly, revoke suspicious sessions immediately and maintain multifactor authentication protections despite the new threat.

For organizations, officials also recommend restricting device code authentication where operationally feasible, auditing legitimate uses of the feature and training employees to recognize device code phishing attempts.
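One way an organization could audit device code sign-ins along the lines described above, as an added example that is not part of the FBI alert or of Microsoft's guidance: it scans sign-in records for device code authentications and flags any that come from an address the user has not otherwise signed in from recently, which is the pattern a Kali365-style attacker-initiated device code flow produces. The record layout (the `authenticationProtocol` value `deviceCode` and the other field names) and the sample records are constructed assumptions; map them to your own sign-in log export.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real telemetry). Field names are an
# assumption modelled on an Entra sign-in log export; adjust for your source.
SIGN_INS = [
    {"user": "alice@example.com", "time": "2026-05-01T08:02:00Z", "ip": "203.0.113.10",
     "authenticationProtocol": "oAuth2", "resource": "Office 365 Exchange Online"},
    {"user": "alice@example.com", "time": "2026-05-01T08:40:00Z", "ip": "203.0.113.10",
     "authenticationProtocol": "oAuth2", "resource": "Microsoft Teams"},
    # Device code sign-in from an address alice has never used: the attacker's device.
    {"user": "alice@example.com", "time": "2026-05-01T09:15:00Z", "ip": "198.51.100.77",
     "authenticationProtocol": "deviceCode", "resource": "Microsoft Graph"},
    {"user": "bob@example.com", "time": "2026-04-28T07:30:00Z", "ip": "192.0.2.5",
     "authenticationProtocol": "oAuth2", "resource": "Microsoft Teams"},
    # Legitimate device code use (e.g. a CLI on a headless host) from bob's usual address.
    {"user": "bob@example.com", "time": "2026-05-01T07:45:00Z", "ip": "192.0.2.5",
     "authenticationProtocol": "deviceCode", "resource": "Azure CLI"},
]


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def audit_device_code(records, baseline=timedelta(days=30)):
    """Return one finding per device code sign-in.

    A device code sign-in is flagged when the user had no ordinary (non-device-code)
    sign-in from the same IP within `baseline` before it: the token was issued to a
    device the user has not otherwise used, which is how the phishing flow looks.
    """
    by_user = defaultdict(list)
    for rec in records:
        by_user[rec["user"]].append(rec)
    findings = []
    for user, rows in by_user.items():
        rows.sort(key=lambda r: _parse(r["time"]))
        for rec in rows:
            if rec["authenticationProtocol"] != "deviceCode":
                continue
            when = _parse(rec["time"])
            known_ips = {p["ip"] for p in rows
                         if p["authenticationProtocol"] != "deviceCode"
                         and when - baseline <= _parse(p["time"]) < when}
            findings.append({"user": user, "time": rec["time"], "ip": rec["ip"],
                             "resource": rec["resource"],
                             "flag": rec["ip"] not in known_ips})
    return findings


def users_to_revoke(findings):
    """Users whose flagged sessions should be revoked and whose mailbox rules reviewed."""
    return sorted({f["user"] for f in findings if f["flag"]})
```

Flagged users are candidates for the response steps the alert lists: revoke sessions, reset the password and inspect Outlook forwarding rules.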

Anyone who believes they approved a fraudulent device code should immediately sign out of Microsoft 365 on all devices, change their password, review account recovery information, inspect Outlook forwarding rules and notify their employer’s IT department if the compromised account is work-related.

The FBI also encourages victims or targeted users to report incidents to the Internet Crime Complaint Center at IC3.gov, providing phishing emails, login information and other relevant evidence to assist investigators tracking the growing phishing campaign.
