visionaries Network Team
16 June, 2026
cybersecurity
The FBI warns Microsoft 365 users about the Kali365 phishing scam that bypasses MFA using OAuth device codes and targets Teams, Outlook, and OneDrive accounts
The Microsoft 365 security warning issued by the FBI has raised concerns about a sophisticated phishing campaign targeting users of Teams, Outlook, and OneDrive. The newly identified hacking platform, known as Kali365, enables cybercriminals to sidestep multifactor authentication (MFA) and gain unauthorized access to Microsoft accounts without ever handling the victim's password: the victim signs in, MFA included, on Microsoft's own login page, and the attacker walks away with the resulting tokens.
How the Kali365 Scam Works
According to the FBI, Kali365 operates as a “Phishing-as-a-Service” platform that abuses the OAuth 2.0 device authorization grant, the “device code” flow intended for sign-in on input-constrained devices such as TVs and command-line tools. The attacker starts that flow against Microsoft's identity platform and receives a short user code. Attackers then send phishing emails disguised as trusted document-sharing requests, urging recipients to verify access by entering that code on the legitimate Microsoft device-login page. Once the victim enters the code and signs in, password and MFA included, the attacker's pending request is granted access and refresh tokens for the victim's account. No password is captured and no MFA prompt is defeated: the victim passes those checks, and the attacker simply receives the tokens that result. The refresh token lets the attacker keep renewing access until it expires or the tenant revokes it.
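To make the exchange concrete, the following added example (not code from the article, the FBI, or Kali365) simulates all three parties of the device authorization grant offline: a constructed mock authorization server that follows RFC 8628 semantics, the attacker who starts the flow and polls for tokens, and the victim who enters the user code. The client id, verification URI and scopes are hypothetical and no real identity provider is contacted.

```python
"""Offline walk-through of how device-code phishing yields tokens without a password.

Added example: this is not code from the article, from the FBI, or from Kali365.
MockAuthServer is a constructed stand-in that follows the OAuth 2.0 device
authorization grant (RFC 8628); the client id, verification URI and scopes are
hypothetical and no real identity provider is contacted.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class DeviceFlow:
    client_id: str
    user_code: str
    expires_at: float
    approved_by: Optional[str] = None   # UPN of whoever entered the user code
    token_issued: bool = False


class MockAuthServer:
    """Minimal RFC 8628 authorization server (constructed, not Microsoft Entra ID)."""

    VERIFICATION_URI = "https://idp.example/devicelogin"  # hypothetical

    def __init__(self) -> None:
        self._flows: Dict[str, DeviceFlow] = {}     # device_code -> flow state
        self._by_user_code: Dict[str, str] = {}     # user_code -> device_code

    # Step 1: whoever wants tokens (here the attacker) starts the flow. Note that
    # this request carries no user credentials at all.
    def device_authorization(self, client_id: str, scope: str) -> dict:
        device_code = secrets.token_urlsafe(32)
        user_code = "-".join(secrets.token_hex(2).upper() for _ in range(2))  # e.g. A1B2-C3D4
        self._flows[device_code] = DeviceFlow(client_id, user_code, time.time() + 900)
        self._by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": self.VERIFICATION_URI,
                "expires_in": 900, "interval": 5, "scope": scope}

    # Step 2: a user visits the verification URI, signs in (password + MFA happen
    # here, in the user's own browser, against the real IdP) and types the user code.
    def approve(self, user_code: str, signed_in_user: str, mfa_satisfied: bool) -> bool:
        device_code = self._by_user_code.get(user_code)
        if device_code is None or not mfa_satisfied:
            return False
        flow = self._flows[device_code]
        if time.time() > flow.expires_at:
            return False
        flow.approved_by = signed_in_user
        return True

    # Step 3: the initiator polls the token endpoint with the device_code. Until
    # step 2 happens it gets authorization_pending; afterwards it gets tokens.
    def token(self, device_code: str, client_id: str) -> dict:
        flow = self._flows.get(device_code)
        if flow is None or flow.client_id != client_id or flow.token_issued:
            return {"error": "invalid_grant"}
        if time.time() > flow.expires_at:
            return {"error": "expired_token"}
        if flow.approved_by is None:
            return {"error": "authorization_pending"}
        flow.token_issued = True
        return {"token_type": "Bearer",
                "access_token": "at." + secrets.token_urlsafe(8),
                "refresh_token": "rt." + secrets.token_urlsafe(8),
                "sub": flow.approved_by,
                "amr": ["pwd", "mfa"]}   # the MFA claim is the victim's, inherited by the attacker


def run_device_code_phish(victim_upn: str, victim_enters_code: bool) -> dict:
    """Attacker starts the flow, lures the victim with the user code, then polls.

    Returns the final token-endpoint response. The attacker never supplies a
    password and never sees an MFA prompt; those happen in the victim's browser.
    """
    idp = MockAuthServer()
    attacker_client = "hypothetical-public-client-id"
    start = idp.device_authorization(attacker_client, "openid offline_access Mail.Read")
    lure_code = start["user_code"]          # what goes into the phishing e-mail
    pending = idp.token(start["device_code"], attacker_client)
    assert pending == {"error": "authorization_pending"}
    if victim_enters_code:                  # victim signs in and types the code
        idp.approve(lure_code, victim_upn, mfa_satisfied=True)
    return idp.token(start["device_code"], attacker_client)


if __name__ == "__main__":
    print(run_device_code_phish("alice@contoso.example", victim_enters_code=True))
```

The point to notice is that `device_authorization` and `token` never take a password: the only credential check in the whole exchange is inside `approve`, which runs in the victim's browser against the identity provider. Whatever the victim's MFA policy is, it is satisfied by the victim, and the tokens issued to the attacker's polling request carry the victim's authentication context.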
The platform is reportedly available to criminals for a subscription fee of around $250 per month, making advanced phishing tools accessible even to attackers with limited technical skills.
AI-Powered Features Increase the Threat
The FBI says Kali365 includes AI-generated phishing messages, automated campaign templates, targeted tracking dashboards, and OAuth token capture capabilities. These features make phishing emails more convincing and allow scammers to launch attacks at scale.
Officials first detected the platform in April and have since categorized it as an emerging cybersecurity threat capable of lowering the barrier for cybercriminals.
FBI and Microsoft Urge Users to Stay Alert
The latest Microsoft 365 security warning advises users not to click on unexpected authentication links or enter device codes they did not request: a legitimate device code is only ever displayed by an application you are signing into yourself, never sent to you by someone else. The FBI also recommends reporting phishing emails, suspicious login attempts, and unauthorized devices connected to accounts through the Internet Crime Complaint Center (IC3).
Microsoft has supported the agency’s guidance, noting that its Digital Crimes Unit continues to dismantle phishing infrastructure and disrupt similar threats, including RaccoonO365 and other do-it-yourself phishing services.
Protecting Your Microsoft Account
Cybersecurity experts recommend verifying every authentication request before approving it, enabling security notifications, reviewing active sessions regularly, and avoiding unsolicited emails requesting account verification. Organizations should also educate employees about OAuth-based phishing attacks and implement strict security monitoring. For Microsoft 365 tenants that monitoring should include sign-ins that use the device code flow, which Entra ID records separately from ordinary browser sign-ins in the sign-in logs' authentication protocol field, and tenants with no legitimate use for the flow can block it outright with a Conditional Access policy on the authentication flows condition. If an account is compromised this way, revoke its sign-in sessions and refresh tokens rather than relying on a password reset alone, because tokens already issued to the attacker stay valid until they expire or are revoked.
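The monitoring advice above can be turned into a concrete hunt. The following added example (not from the article or from Microsoft) runs over a constructed export of sign-in records, loosely modelled on Entra ID sign-in log fields; the field names and the sample data are assumptions, so map them to your own export. It isolates successful device-code sign-ins and ranks each one by how unusual it looks next to the same user's other sign-ins and against a list of applications the organisation actually uses with the device code flow.

```python
"""Hunt device-code sign-ins in a sign-in log export.

Added example, not code from the article or from Microsoft. The records below
are constructed and only loosely modelled on Entra ID sign-in log fields
(userPrincipalName, ipAddress, location.countryOrRegion, authenticationProtocol,
appDisplayName, status.errorCode); treat the field names as an assumption and
map them to your own export.
"""
import json
from collections import defaultdict
from typing import Dict, FrozenSet, Iterable, List

# Constructed sample: four users; alice, bob and dave have a successful
# device-code sign-in, carol's device-code attempt failed.
SAMPLE_SIGNIN_LOG = """\
{"createdDateTime":"2026-06-10T08:02:11Z","userPrincipalName":"alice@contoso.example","ipAddress":"203.0.113.10","location":{"countryOrRegion":"US"},"authenticationProtocol":"none","appDisplayName":"Microsoft Teams","status":{"errorCode":0}}
{"createdDateTime":"2026-06-11T09:15:40Z","userPrincipalName":"alice@contoso.example","ipAddress":"203.0.113.10","location":{"countryOrRegion":"US"},"authenticationProtocol":"none","appDisplayName":"OneDrive","status":{"errorCode":0}}
{"createdDateTime":"2026-06-12T13:47:02Z","userPrincipalName":"alice@contoso.example","ipAddress":"198.51.100.77","location":{"countryOrRegion":"NL"},"authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Office","status":{"errorCode":0}}
{"createdDateTime":"2026-06-12T07:30:00Z","userPrincipalName":"bob@contoso.example","ipAddress":"192.0.2.5","location":{"countryOrRegion":"US"},"authenticationProtocol":"none","appDisplayName":"Outlook","status":{"errorCode":0}}
{"createdDateTime":"2026-06-12T07:41:19Z","userPrincipalName":"bob@contoso.example","ipAddress":"192.0.2.5","location":{"countryOrRegion":"US"},"authenticationProtocol":"deviceCode","appDisplayName":"Azure CLI","status":{"errorCode":0}}
{"createdDateTime":"2026-06-12T14:01:55Z","userPrincipalName":"carol@contoso.example","ipAddress":"198.51.100.9","location":{"countryOrRegion":"US"},"authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Office","status":{"errorCode":50126}}
{"createdDateTime":"2026-06-12T10:05:30Z","userPrincipalName":"dave@contoso.example","ipAddress":"203.0.113.44","location":{"countryOrRegion":"US"},"authenticationProtocol":"none","appDisplayName":"Microsoft Teams","status":{"errorCode":0}}
{"createdDateTime":"2026-06-12T10:22:08Z","userPrincipalName":"dave@contoso.example","ipAddress":"203.0.113.44","location":{"countryOrRegion":"US"},"authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Office","status":{"errorCode":0}}
"""


def parse_signins(text: str) -> List[dict]:
    """One JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def device_code_findings(records: Iterable[dict],
                         expected_apps: FrozenSet[str] = frozenset()) -> List[dict]:
    """Return one finding per successful device-code sign-in, highest severity first.

    expected_apps: applications the organisation legitimately uses with the
    device code flow (CLI tooling, for instance); anything else is suspicious.
    Severity: high if the country was never seen on the user's other successful
    sign-ins, medium if only the application is unexpected, low otherwise.
    """
    ok = [r for r in records if r.get("status", {}).get("errorCode", 0) == 0]
    # Per-user baseline: countries seen on successful, non-device-code sign-ins.
    baseline: Dict[str, set] = defaultdict(set)
    for r in ok:
        if r.get("authenticationProtocol") != "deviceCode":
            baseline[r["userPrincipalName"]].add(r["location"]["countryOrRegion"])

    findings = []
    for r in ok:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        user = r["userPrincipalName"]
        country = r["location"]["countryOrRegion"]
        app = r["appDisplayName"]
        reasons = []
        if country not in baseline[user]:
            reasons.append(f"country {country} never seen on this user's other sign-ins")
        if app not in expected_apps:
            reasons.append(f"app '{app}' is not an approved device-code client")
        if country not in baseline[user]:
            severity = "high"
        elif reasons:
            severity = "medium"
        else:
            severity = "low"
        findings.append({"user": user, "time": r["createdDateTime"], "ip": r["ipAddress"],
                         "app": app, "severity": severity, "reasons": reasons})
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f["severity"]])


if __name__ == "__main__":
    for finding in device_code_findings(parse_signins(SAMPLE_SIGNIN_LOG),
                                        frozenset({"Azure CLI"})):
        print(finding["severity"], finding["user"], finding["app"], finding["reasons"])
```

Every device-code sign-in is reported, including the low-severity ones, because the flow is rare enough in most tenants that a complete inventory is cheap and the "approved client" list is only as good as the inventory behind it. In a live Entra ID tenant the same first filter is a query on the sign-in logs' authentication protocol field for the device-code value; the baseline and approved-app logic is where local knowledge has to be added.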
As phishing tactics continue to evolve, the Microsoft 365 security warning serves as a reminder that users must remain vigilant to protect sensitive business and personal data from increasingly sophisticated cyber threats.
FAQs
1. What is Kali365?
Kali365 is a phishing-as-a-service platform that helps cybercriminals obtain OAuth tokens for Microsoft 365 accounts without ever needing the victim's password.
2. Which Microsoft services are being targeted?
The campaign primarily targets Microsoft Teams, Outlook, and OneDrive users.
3. How does Kali365 bypass multifactor authentication?
It tricks users into entering an attacker-generated OAuth device code on the legitimate Microsoft sign-in page. The victim completes the password and MFA checks themselves, and the attacker's pending request is then issued the access and refresh tokens, so the attacker never needs the password and never faces the MFA prompt.
4. What should users do if they receive a suspicious device code request?
Users should avoid entering the code, ignore unexpected authentication requests, and report suspicious emails or login attempts immediately.
5. How can Microsoft 365 users protect themselves?
Users should verify all authentication prompts, avoid clicking unknown links, monitor account activity regularly, and report any unauthorized access to the appropriate authorities.