
A hacker can now own your Microsoft account without ever touching your password, and the Federal Bureau of Investigation (FBI) just told the whole country about it.
Quick Take
- The FBI warned the public about Kali365, a phishing-as-a-service tool that takes over Microsoft 365 accounts without stealing your password. You complete the multi-factor authentication (MFA) prompt yourself, on a genuine Microsoft page, and the access the attacker receives is issued on the strength of that login.
- Kali365 is sold on Telegram for $250 a month, putting advanced hacking tools in the hands of low-skill criminals.
- The attack tricks you into entering a short code on a real Microsoft page. Doing so approves a sign-in the attacker started, which hands them access to your Outlook, Teams, and OneDrive.
- Security researchers found Kali365 is a full criminal ecosystem with AI-generated fake emails, victim tracking dashboards, and tools to launch follow-on fraud.
Your Multi-Factor Authentication Is Not the Shield You Think It Is
For years, security experts told everyone to turn on multi-factor authentication (MFA) and sleep easy. The idea was simple: even if a criminal steals your password, they still can't get in without your second factor. Kali365 sidesteps that logic.
It does not steal your password at all. It captures something more durable: the OAuth tokens Microsoft issues after a successful sign-in. You perform that sign-in yourself, MFA included, so MFA is satisfied rather than defeated; it just ends up protecting a session the attacker controls. [13]
The FBI first spotted Kali365 in April 2026 and issued a formal public warning in May. Security analysts recorded hundreds of attacks in April alone. [4]
That is not a slow rollout. That is a platform hitting the ground running, and the window between “new threat spotted” and “widespread damage” is getting shorter every year.
How the Scam Works Step by Step
You get an email. It looks exactly like a DocuSign alert, a SharePoint notification, or an Adobe Acrobat Sign message. The email includes a short code and directs you to a legitimate Microsoft page to enter it. You go to the real Microsoft site (the device login page at microsoft.com/devicelogin). You see the padlock in your browser. Everything looks clean.
You type in the code, sign in with your real password and approve your real MFA prompt. At that moment the sign-in you just completed is granted to the attacker's session. No alarm goes off. No warning appears. The attacker is in. [13]
What you just did is called device code authentication (the OAuth 2.0 device authorization grant, RFC 8628). It is a legitimate Microsoft feature designed to let devices without a full browser or keyboard, such as smart TVs, printers and command-line tools, sign in: the device shows a code, you type it on another machine, and the device receives the tokens.
Kali365 weaponizes that feature. The attacker starts the login on their own machine, which gives them two codes: a long secret device code they keep, and the short user code they put in the email. When you enter the user code and finish the sign-in, Microsoft issues the tokens to whoever holds the device code. Your own action opens the door. [12]
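The exchange described above, played through in code. This is an added example, not Kali365 or any Microsoft code: the identity provider is a tiny in-memory stand-in for the device authorization grant, and the user, password, client name and verification URL are made up. What it shows is that approval is bound to the device code the attacker holds, not to the browser that approved it, and (in this toy model) that a password change leaves outstanding tokens alone while an explicit session revocation kills them.

```python
"""Toy model of the OAuth 2.0 device authorization grant (RFC 8628), the
"device code flow" abused by device code phishing. Constructed example: the
in-memory identity provider is not Microsoft's implementation, and every
name, password and URL is invented for illustration."""
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class PendingAuth:
    device_code: str                      # long secret, held only by the polling client
    user_code: str                        # short code shown to (or phished to) the user
    client_id: str
    authorized_by: Optional[str] = None   # set once a user approves the user_code


class ToyIdentityProvider:
    """Issues code pairs, lets a user approve a user_code from a browser, and
    lets whoever holds the matching device_code exchange it for tokens."""

    def __init__(self) -> None:
        self.pending = {}         # device_code -> PendingAuth
        self.by_user_code = {}    # user_code   -> PendingAuth
        self.users = {"alice@example.test": {"password": "correct horse", "revoked_at": 0}}
        self.refresh_tokens = {}  # refresh_token -> (user, issue sequence number)
        self.seq = 0              # logical clock ordering token issue vs. revocation

    def _tick(self) -> int:
        self.seq += 1
        return self.seq

    # Step 1: the client (here, the attacker's machine) requests a code pair.
    def device_authorization(self, client_id: str) -> dict:
        auth = PendingAuth(device_code=secrets.token_urlsafe(32),
                           user_code=secrets.token_hex(4).upper(), client_id=client_id)
        self.pending[auth.device_code] = auth
        self.by_user_code[auth.user_code] = auth
        return {"device_code": auth.device_code, "user_code": auth.user_code,
                "verification_uri": "https://idp.example.test/devicelogin"}

    # Step 2: the user types user_code on the genuine login page and passes the
    # genuine password and MFA checks. Nothing on this path is spoofed.
    def user_approves(self, user_code: str, username: str, password: str,
                      mfa_passed: bool) -> bool:
        auth = self.by_user_code.get(user_code)
        user = self.users.get(username)
        if auth is None or user is None or user["password"] != password or not mfa_passed:
            return False
        auth.authorized_by = username
        return True

    # Step 3: the client polls the token endpoint with its device_code. The
    # approval is bound to that code, not to the browser that gave it.
    def token(self, device_code: str) -> dict:
        auth = self.pending.get(device_code)
        if auth is None:
            return {"error": "invalid_grant"}
        if auth.authorized_by is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]
        del self.by_user_code[auth.user_code]
        rt = secrets.token_urlsafe(32)
        self.refresh_tokens[rt] = (auth.authorized_by, self._tick())
        return {"access_token": secrets.token_urlsafe(16), "refresh_token": rt,
                "user": auth.authorized_by}

    def refresh(self, refresh_token: str) -> dict:
        entry = self.refresh_tokens.get(refresh_token)
        if entry is None:
            return {"error": "invalid_grant"}
        user, issued = entry
        if issued <= self.users[user]["revoked_at"]:
            return {"error": "invalid_grant"}   # issued before the last revocation
        return {"access_token": secrets.token_urlsafe(16), "user": user}

    def change_password(self, username: str, new_password: str) -> None:
        # Toy behaviour: outstanding refresh tokens are deliberately left alone.
        self.users[username]["password"] = new_password

    def revoke_sign_in_sessions(self, username: str) -> None:
        self.users[username]["revoked_at"] = self._tick()


def run_phish() -> dict:
    """Play the attack through and report what the attacker ends up holding."""
    idp = ToyIdentityProvider()
    start = idp.device_authorization(client_id="some-first-party-public-client")
    early = idp.token(start["device_code"])      # victim has not acted yet
    # The lure carries only user_code; the attacker never learns the password.
    approved = idp.user_approves(start["user_code"], "alice@example.test",
                                 "correct horse", mfa_passed=True)
    tok = idp.token(start["device_code"])        # attacker's poll now succeeds
    idp.change_password("alice@example.test", "new password")
    after_pw = idp.refresh(tok.get("refresh_token", ""))
    idp.revoke_sign_in_sessions("alice@example.test")
    after_revoke = idp.refresh(tok.get("refresh_token", ""))
    return {"before_victim_acts": early.get("error"),
            "victim_approved": approved,
            "attacker_got_token": "access_token" in tok,
            "works_after_password_change": "access_token" in after_pw,
            "works_after_revocation": "access_token" in after_revoke}


if __name__ == "__main__":
    print(run_phish())
```

Note where the password and MFA checks sit: entirely on the victim's side, against the real server. The attacker's only inputs are the two codes from step 1, which is why neither a strong password nor MFA changes the outcome once the user code has been typed in.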
This Is Not a Simple Phishing Kit — It Is a Criminal Business
Cybersecurity firm Huntress dug into Kali365 and found something far more alarming than a basic scam tool. The platform includes at least 33 built-in fake email lures, over 100 system connections, victim tracking dashboards, and a desktop app that lets criminals replay stolen sessions in a real browser.
It also has AI tools that help attackers write convincing follow-up fraud emails from inside your own inbox. [10] This is a full criminal operation, not a one-off script.
The price tag reflects the ambition. Kali365 costs $250 per month or $2,000 per year and is sold openly on Telegram. [2] That price point is low enough for opportunists but high enough to suggest the people behind it expect buyers to profit.
The FBI’s own warning says the platform “lowers the barrier of entry,” meaning criminals who could never have pulled off this kind of attack before can now do so with a subscription. That should alarm anyone who manages a business, a team, or even just a family’s shared accounts.
Once Inside, the Damage Spreads Fast
After capturing your tokens, the attacker can do more than read your email. They can search your OneDrive files, monitor your Teams conversations, and use your trusted inbox to send fraud emails to your contacts and coworkers. Changing your password after the fact does not kick them out. The tokens are not your password: an access token already issued stays valid until it expires, and the attacker's session should be assumed to persist until an administrator explicitly revokes your sign-in sessions, which invalidates the refresh tokens, in addition to resetting the password. [10]
That persistence is what makes Kali365 especially dangerous compared to older phishing attacks, which ended the moment the victim changed their credentials.
🚨 FBI WARNS MICROSOFT USERS ABOUT NEW KALI365 PHISHING SCAM.
The FBI is alerting Microsoft 365 users about a fast‑growing phishing‑as‑a‑service scam called Kali365. The tool helps attackers steal OAuth tokens and slip past multi‑factor authentication. It uses AI‑generated lures…
— The Content Factory (@tcf_updates) June 16, 2026
The FBI says the downstream risks include data theft, financial fraud, extortion, and ransomware. [15] In plain terms, one bad click can cost a small business its files, its client data, and its reputation.
The attack scales just as easily against individuals as it does against corporations, which is exactly why the FBI chose to warn the general public rather than just corporate security teams.
What You Should Do Right Now
Never enter a device code from an email you did not personally request. In the legitimate flow you are the one who started a sign-in on a device, and that device shows you the code to type; legitimate services do not cold-email you a code and ask you to go and verify it. If you see that pattern, stop. Report the email using the phishing report button in Outlook or Teams. [23]
Check your account's active sessions and remove any devices you do not recognize. If you work for a company, tell your IT team immediately: a password reset alone is not enough, and an administrator should also revoke your sign-in sessions so outstanding tokens stop working. Administrators can go further and block the device code flow outright for users who have no need for it, using the authentication flows condition in Entra ID Conditional Access. File a complaint at ic3.gov if you think you were hit. [13] The FBI built that reporting system for exactly this reason, and the data helps them track these platforms down.
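For the IT team that gets that call, the first question is who else in the tenant has approved a device code sign-in. The helper below is an added example, not part of the article or of any vendor tool: it reads exported sign-in records whose field names follow the Microsoft Graph signIn resource (authenticationProtocol, appDisplayName, ipAddress, userPrincipalName, status.errorCode), keeps the successful device code sign-ins, drops apps that are allowed to use the flow, and summarizes the rest per user. The log lines are constructed for the example; the allow-list and the "one IP, several users" signal are assumptions for a tenant to tune, not rules from the page.

```python
"""Triage helper for exported Entra ID sign-in logs: find successful device
code flow sign-ins and summarize them per user. Constructed example: the
field names follow the Microsoft Graph signIn resource, but every record
below is invented for illustration (documentation address ranges only)."""
import json
from collections import defaultdict

# Constructed sample export, one JSON object per line.
SAMPLE_SIGNIN_LOG = """
{"createdDateTime": "2026-04-14T09:12:03Z", "userPrincipalName": "alice@example.test", "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.7", "status": {"errorCode": 0}}
{"createdDateTime": "2026-04-14T09:15:41Z", "userPrincipalName": "bob@example.test", "appDisplayName": "Office 365 SharePoint Online", "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.20", "status": {"errorCode": 0}}
{"createdDateTime": "2026-04-14T10:02:17Z", "userPrincipalName": "carol@example.test", "appDisplayName": "Microsoft Azure CLI", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.21", "status": {"errorCode": 0}}
{"createdDateTime": "2026-04-14T11:30:55Z", "userPrincipalName": "alice@example.test", "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.7", "status": {"errorCode": 50126}}
{"createdDateTime": "2026-04-14T13:48:09Z", "userPrincipalName": "dave@example.test", "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.9", "status": {"errorCode": 0}}
{"createdDateTime": "2026-04-14T14:05:30Z", "userPrincipalName": "eve@example.test", "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.9", "status": {"errorCode": 0}}
"""

# Assumed allow-list: apps whose device code use is expected in this tenant.
# Admin CLIs are the usual legitimate users of the flow; tune per tenant.
DEFAULT_ALLOWED_APPS = frozenset({"Microsoft Azure CLI"})


def parse_signins(text: str) -> list:
    """Parse a JSON-lines export into a list of sign-in records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def device_code_signins(records: list, allowed_apps=DEFAULT_ALLOWED_APPS) -> list:
    """Successful device code flow sign-ins from apps not on the allow-list.
    Failed attempts (non-zero errorCode) are left out: no token was issued."""
    flagged = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        if rec.get("status", {}).get("errorCode", -1) != 0:
            continue
        if rec.get("appDisplayName") in allowed_apps:
            continue
        flagged.append(rec)
    return flagged


def summarize_by_user(flagged: list) -> dict:
    """Per user: how many device code sign-ins, from which IPs and apps, and when."""
    summary = {}
    for rec in flagged:
        user = rec["userPrincipalName"]
        entry = summary.setdefault(user, {"count": 0, "ips": set(), "apps": set(),
                                          "first_seen": rec["createdDateTime"]})
        entry["count"] += 1
        entry["ips"].add(rec.get("ipAddress", ""))
        entry["apps"].add(rec.get("appDisplayName", ""))
        entry["first_seen"] = min(entry["first_seen"], rec["createdDateTime"])
    return summary


def shared_ips(flagged: list) -> dict:
    """IPs that show up on device code sign-ins for more than one user.
    The victim never sends the token request in this flow, so an address
    recurring across users is worth a look as possible attacker infrastructure."""
    users_by_ip = defaultdict(set)
    for rec in flagged:
        users_by_ip[rec.get("ipAddress", "")].add(rec["userPrincipalName"])
    return {ip: sorted(users) for ip, users in users_by_ip.items() if len(users) > 1}


def triage(text: str = SAMPLE_SIGNIN_LOG) -> dict:
    """Run the whole pass over an export and return the two findings."""
    flagged = device_code_signins(parse_signins(text))
    return {"by_user": summarize_by_user(flagged), "shared_ips": shared_ips(flagged)}


if __name__ == "__main__":
    result = triage()
    for user, info in sorted(result["by_user"].items()):
        print(f"{user}: {info['count']} device code sign-in(s) from {sorted(info['ips'])} "
              f"via {sorted(info['apps'])}, first {info['first_seen']}")
    for ip, users in result["shared_ips"].items():
        print(f"shared IP {ip}: {users}")
```

Every user the summary names is a candidate for the password reset plus sign-in session revocation described above; the allow-list keeps the admins who genuinely use the Azure CLI out of that list, which is also the population to carve out if the device code flow is later blocked by Conditional Access.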
Sources:
[2] Web – FBI warns of Kali365 phishing scam targeting Microsoft 365 users
[4] Web – FBI warns Microsoft Teams, Outlook, OneDrive users of phishing scam
[10] Web – Inside Kali365, a Device Code Phishing Ecosystem | Huntress
[12] Web – Kali365: The New Phishing Kit Hijacking Microsoft 365 Tokens
[13] Web – Kali365 Phishing-as-a-Service Kit Hijacks Microsoft 365 Access …
[15] Web – FBI Issues Warning To Microsoft 365 Users – Tuscaloosa Thread
[23] Web – Protect yourself from phishing | Microsoft Support