FBI Issues Urgent Alert on New Microsoft 365 Phishing Scheme

The FBI has issued a warning about Kali365, a new phishing scheme targeting Microsoft 365 users. The scam bypasses multi-factor authentication by capturing OAuth device codes, potentially exposing sensitive data.

Joshua Ramos
Joshua Ramos covers cybersecurity for Techawave.

The Federal Bureau of Investigation (FBI) has issued an urgent alert to users of Microsoft 365 services, including Outlook, Teams, and OneDrive, regarding a sophisticated new phishing scheme. The attack, facilitated by a platform named Kali365, allows cybercriminals to capture authentication tokens, effectively bypassing multi-factor authentication without needing a user's password.

Kali365 operates differently from traditional phishing attacks. Instead of attempting to steal credentials, it targets OAuth device codes. These codes act as digital keys, granting applications permission to access data without requiring a password. By capturing these codes, attackers gain unauthorized access to Microsoft 365 accounts and can potentially steal a wide range of sensitive information.

This subscription-based service was first identified in April 2026 and has been primarily promoted on Telegram. Security firm Bitdefender reports that Kali365 is accessible to scammers for as little as $250 per month or $2,000 annually. The FBI highlighted the platform's role in lowering the barrier for less technical attackers. "Kali365 lowers the barrier of entry, providing less-technical attackers access to AI-generated phishing lures, automated campaign templates, real-time targeted individual/entity tracking dashboards, and OAuth token capture capabilities," the FBI said in its advisory.

How the Kali365 Scam Unfolds

The attack sequence is designed to be deceptively simple and effective. A victim typically receives a phishing email that is carefully crafted to mimic communications from a trusted cloud service provider. This email contains a specific device code and instructs the recipient to visit a legitimate Microsoft verification page to enter it. Once the user inputs the code on the fake or compromised legitimate page, the attackers capture the OAuth token.

The FBI's alert comes amid reports of hundreds of Kali365 attacks occurring in April 2026 alone, indicating a rapid proliferation of this threat. Security researchers have been monitoring the platform's growth, with concerns focusing on its potential to impact businesses and individuals relying heavily on cloud-based productivity suites for daily operations and data storage.

The implication of this attack is significant for modern digital infrastructure. Microsoft 365 is widely adopted by businesses of all sizes, from small startups to large enterprises, as well as by individuals for personal use. The ability of Kali365 to circumvent robust security measures like multi-factor authentication, which has become a standard security practice, poses a substantial risk to data privacy and organizational security. The FBI urges users to remain vigilant and verify all security prompts and login attempts, especially those requiring device code entry.

To mitigate the risk, users are advised to be extremely cautious of unsolicited emails or messages requesting action on verification pages. Always verify the URL of any Microsoft login or verification page before entering any information. Enable security features like conditional access policies where available and ensure all software is up to date. The FBI's warning serves as a critical reminder that evolving cyber threats require constant vigilance and proactive security practices from all users of online services.
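
For defenders who want to see where device code sign-ins already occur in their tenant, the following added example (not from the FBI advisory or the original article) reviews exported sign-in records and flags successful device code authentications by accounts that are not expected to use that flow. The field names (`authenticationProtocol`, `userPrincipalName`, `location.countryOrRegion`, `status.errorCode`) are an assumption modelled on Microsoft Entra sign-in logs, and the allow-list and sample records are constructed.

```python
import json
from collections import defaultdict

# Hypothetical allow-list: accounts expected to use device code flow.
APPROVED = {"roomdisplay@example.com"}

# Constructed sample records (JSON lines), not real data. Field names are an
# assumption modelled on Entra sign-in logs; errorCode 0 means success.
SAMPLE_LOG = """\
{"createdDateTime":"2026-04-02T09:00:00Z","userPrincipalName":"avery@example.com","authenticationProtocol":"none","ipAddress":"198.51.100.10","location":{"countryOrRegion":"US"},"status":{"errorCode":0}}
{"createdDateTime":"2026-04-02T09:14:00Z","userPrincipalName":"avery@example.com","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.77","location":{"countryOrRegion":"NL"},"status":{"errorCode":0}}
{"createdDateTime":"2026-04-02T10:00:00Z","userPrincipalName":"blake@example.com","authenticationProtocol":"none","ipAddress":"192.0.2.20","location":{"countryOrRegion":"DE"},"status":{"errorCode":0}}
{"createdDateTime":"2026-04-02T10:05:00Z","userPrincipalName":"blake@example.com","authenticationProtocol":"deviceCode","ipAddress":"192.0.2.21","location":{"countryOrRegion":"DE"},"status":{"errorCode":0}}
{"createdDateTime":"2026-04-02T11:00:00Z","userPrincipalName":"roomdisplay@example.com","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.30","location":{"countryOrRegion":"US"},"status":{"errorCode":0}}
{"createdDateTime":"2026-04-02T11:30:00Z","userPrincipalName":"casey@example.com","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.90","location":{"countryOrRegion":"BR"},"status":{"errorCode":1}}
"""

def parse(log_text):
    """Parse JSON-lines records, skipping blank or malformed lines."""
    records = []
    for line in log_text.splitlines():
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records

def _country(rec):
    return rec.get("location", {}).get("countryOrRegion")

def find_device_code_signins(records, approved=APPROVED):
    """Flag successful device code sign-ins by accounts not in `approved`."""
    ok = [r for r in records if r.get("status", {}).get("errorCode") == 0]
    # Countries seen in each user's other (non device code) successful sign-ins.
    baseline = defaultdict(set)
    for r in ok:
        if r.get("authenticationProtocol") != "deviceCode":
            baseline[r["userPrincipalName"].lower()].add(_country(r))
    findings = []
    for r in ok:
        user = r["userPrincipalName"].lower()
        if r.get("authenticationProtocol") != "deviceCode" or user in approved:
            continue
        # "high" when the country is new for this user, otherwise "medium".
        severity = "medium" if _country(r) in baseline[user] else "high"
        findings.append({"user": user, "time": r["createdDateTime"], "ip": r["ipAddress"],
                         "country": _country(r), "severity": severity})
    return findings

if __name__ == "__main__":
    print(*find_device_code_signins(parse(SAMPLE_LOG)), sep="\n")
```

Accounts that appear in the findings but have no business need for device code sign-in are candidates for a conditional access policy that blocks the flow for them.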

Source: inc.com