The security measure millions rely on to protect their accounts may not be as foolproof as they think.
The Federal Bureau of Investigation is warning the public about a fast-spreading scam targeting users of popular Microsoft 365 products, including Outlook, Teams, and OneDrive. The scheme allows cybercriminals to capture Microsoft authentication tokens, bypassing multifactor authentication without needing a user’s password.
At the center of the scheme is a hacking platform called Kali365. Unlike traditional phishing attacks that rely on stealing credentials, Kali365 targets OAuth device codes—digital keys that allow applications to access data without requiring a password—giving cybercriminals access to Microsoft 365 accounts and a wide range of sensitive information.
The subscription-based service, which was first spotted in April 2026, has been promoted largely through Telegram and, according to Bitdefender, is available to scammers for as little as $250 per month or $2,000 a year.
What makes the threat particularly alarming is that it can gain access to a user’s account without a password. “Kali365 lowers the barrier of entry, providing less-technical attackers access to AI-generated phishing lures, automated campaign templates, real-time targeted individual/entity tracking dashboards, and OAuth token capture capabilities,” the FBI said.
With security researchers reporting hundreds of Kali365 attacks in April alone, the threat is already materializing.
How the scheme unfolds
The attack follows a deceptively simple sequence. A victim receives a phishing email designed to look like it came from a trusted cloud service. The email contains a device code and instructs the recipient to visit a legitimate Microsoft verification page to enter it.
The moment the user does this, the user has unknowingly handed the attacker full access to their account.
Once the code is entered, the attacker captures the OAuth access token, granting them full entry into the victim’s Microsoft 365 account. From there, they can freely navigate Outlook, Teams, and OneDrive without ever needing a password or completing any additional authentication steps.
What makes the scam particularly convincing is that there is no fake website to spot and no misspelled domain name, making it difficult for a user to distinguish the phishing attempt from a legitimate request.
“This phishing scam is getting more sophisticated by the day, with AI-generated lures and automated templates,” one user wrote in response to the FBI’s warning.
However, the FBI says there are steps users can take to protect themselves, including not opening any links with access codes that you didn’t request. Additionally, those who have been affected by the Kali365 phishing kit can file a complaint with the Internet Crime Complaint Center.
—Amaya Nichole, News Writer
This article originally appeared on Fast Company’s sister website, Inc.com.
Inc. is the voice of the American entrepreneur. We inspire, inform, and document the most fascinating people in business: the risk-takers, the innovators, and the ultra-driven go-getters that represent the most dynamic force in the American economy.
