FBI Warns of New Kali365 Phishing Attack Targeting Microsoft 365 Users

The United States Federal Bureau of Investigation (FBI) has issued a warning about a sophisticated new phishing campaign targeting Microsoft 365 users. The attack, leveraging a service called Kali365, allows cybercriminals to compromise accounts linked to Outlook, Teams, and OneDrive without stealing passwords or bypassing multifactor authentication. Instead, it exploits Microsoft's legitimate device code sign-in process.

How Kali365 Works

According to the FBI, as reported by Fox News, Kali365 first appeared in April 2026 and is primarily distributed via Telegram. The platform provides attackers with AI-generated phishing messages, campaign templates, and tools to capture OAuth tokens. The attack begins with a phishing email disguised as a message from a trusted productivity or file-sharing service. Victims are instructed to enter a device code on an authentic Microsoft verification page. While the website is genuine, the code belongs to a sign-in the attacker has already started on their own device, so entering it approves that sign-in and unknowingly grants the attacker's device access to the victim's account. Once approved, criminals obtain access and refresh tokens, allowing them to use Microsoft services without ever needing the victim's password or triggering another multifactor authentication prompt.

Why This Threat Is Serious

Cybersecurity experts warn that this technique poses a serious risk because it abuses a trusted Microsoft feature rather than exploiting a fake website. Password managers may not detect anything suspicious since users are directed to an authentic Microsoft page. Small businesses are particularly vulnerable, as a compromised Microsoft 365 account may expose emails, invoices, customer information, shared documents, and internal conversations. Criminals could also impersonate legitimate employees to deceive colleagues, suppliers, or clients.


Microsoft's Response

Microsoft has urged users to follow the FBI's recommendations and the company's own security guidance to defend against Kali365 and similar attacks. The technology company added that it continues to disrupt criminal networks linked to phishing-as-a-service and account takeover campaigns.

How Users Can Protect Themselves

The FBI advises users to enter a Microsoft device code only when they personally initiated the sign-in process. It also recommends avoiding links contained in unexpected emails or messages and instead accessing Microsoft services directly through an official website. Users are encouraged to review recent account activity, revoke suspicious sessions, and report any suspected compromise immediately. Organizations are urged to restrict device code sign-in where it is not required and provide staff with training on recognizing this emerging phishing method. Security experts emphasize that exercising caution before approving unexpected login requests remains one of the most effective ways to prevent unauthorized access to Microsoft accounts.
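Reviewing recent account activity for device code sign-ins is the concrete form of the "review recent account activity, revoke suspicious sessions" advice above. The following is an added example, not code from the FBI, Microsoft, or any source on this page: it assumes sign-in records in the shape of Microsoft Entra sign-in logs, where the `authenticationProtocol` field reads `deviceCode` for device code sign-ins and `status.errorCode` is 0 on success. The log records and the list of expected networks are constructed sample data; the triage actions are a suggested starting point, not an official playbook.

```python
"""Triage Entra sign-in records for device code sign-ins.

Added example (not from the FBI advisory or from Microsoft). Assumes the
Microsoft Entra sign-in log schema: `authenticationProtocol` is "deviceCode"
for device code sign-ins and `status.errorCode` is 0 when a token was issued.
"""
import json
from ipaddress import ip_address, ip_network

# Constructed sample records (only the fields this example needs).
# IP addresses come from the RFC 5737 documentation ranges.
SAMPLE_SIGN_INS = """
{"createdDateTime": "2026-05-04T08:02:11Z", "userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10", "appDisplayName": "Microsoft Teams", "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}}
{"createdDateTime": "2026-05-04T08:15:43Z", "userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.77", "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}}
{"createdDateTime": "2026-05-04T09:01:05Z", "userPrincipalName": "carol@example.com", "ipAddress": "203.0.113.22", "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}}
{"createdDateTime": "2026-05-04T09:20:30Z", "userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.77", "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode", "status": {"errorCode": 50126}}
"""

# Hypothetical: networks the organisation normally signs in from.
KNOWN_NETWORKS = [ip_network("203.0.113.0/24")]


def parse_sign_ins(text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def from_known_network(ip, networks):
    """True if the source address falls inside one of the expected networks."""
    addr = ip_address(ip)
    return any(addr in net for net in networks)


def classify(record, networks):
    """Return a finding for a device code sign-in, or None if not relevant.

    Failed attempts are skipped because no access or refresh token was issued.
    Successful device code sign-ins are always worth a look, since most users
    never need this flow; ones from an unexpected network are rated high.
    """
    if record.get("authenticationProtocol") != "deviceCode":
        return None
    if record.get("status", {}).get("errorCode", 0) != 0:
        return None
    known = from_known_network(record["ipAddress"], networks)
    return {
        "user": record["userPrincipalName"],
        "time": record["createdDateTime"],
        "ip": record["ipAddress"],
        "app": record["appDisplayName"],
        "severity": "medium" if known else "high",
        "action": ("confirm the user started this sign-in; revoke sessions if not"
                   if known else
                   "treat as likely compromise: revoke sessions and reset credentials"),
    }


def review_sign_ins(text, networks=KNOWN_NETWORKS):
    """Return the list of findings for a block of sign-in records, in log order."""
    findings = (classify(r, networks) for r in parse_sign_ins(text))
    return [f for f in findings if f is not None]


if __name__ == "__main__":
    for f in review_sign_ins(SAMPLE_SIGN_INS):
        print(f"[{f['severity'].upper()}] {f['time']} {f['user']} from {f['ip']} "
              f"via {f['app']}: {f['action']}")
```

Revoking the user's sign-in sessions is the step that matters here, because it invalidates the refresh tokens the attacker holds; changing the password alone does not. Organizations that export sign-in logs to a SIEM can run the same `authenticationProtocol == "deviceCode"` filter there, and those that do not need the flow at all can block it with an Entra Conditional Access policy on the authentication flows condition, which is the "restrict device code sign-in where it is not required" advice in policy form.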
