\n
<\/p>\n
The security measure millions rely on to protect their accounts may not be as foolproof as they think. At the center of the scheme is a hacking platform called Kali365. Unlike traditional\u00a0phishing<\/a>\u00a0attacks that rely on stealing credentials, Kali365 targets OAuth device codes\u2014digital keys that allow applications to access data without requiring a password\u2014giving cybercriminals access to Microsoft 365 accounts and a wide range of sensitive information.<\/p>\n The subscription-based service, which was first spotted in April 2026, has been promoted largely through Telegram and,\u00a0according to Bitdefender<\/a>, is available to scammers for as little as $250 per month or $2,000 a year.<\/p>\n What makes the threat particularly alarming is that it can gain access to a user\u2019s account without a password. \u201cKali365 lowers the barrier of entry, providing less-technical attackers access to\u00a0AI<\/a>-generated phishing lures, automated campaign templates, real-time targeted individual\/entity tracking dashboards, and OAuth token capture capabilities,\u201d the FBI said.<\/p>\n With security researchers reporting\u00a0hundreds of Kali365 attacks<\/a>\u00a0in April alone, the threat is already materializing.\u00a0<\/p>\n The attack follows a deceptively simple sequence. A victim receives a phishing email designed to look like it came from a trusted cloud service. The email contains a device code and instructs the recipient to visit a legitimate Microsoft verification page to enter it. <\/p>\n The moment the user does this, the user has unknowingly handed the attacker full access to their account.<\/p>\n Once the code is entered, the attacker captures the OAuth access token, granting them full entry into the victim\u2019s Microsoft 365 account. From there, they can freely navigate Outlook, Teams, and OneDrive without ever needing a password or completing any additional authentication steps.<\/p>\n What makes the scam particularly convincing is that there is no fake website to spot and no misspelled domain name, making it difficult for a user to distinguish the phishing attempt from a legitimate request.<\/p>\n \u201cThis phishing scam is getting more sophisticated by the day, with AI-generated lures and automated templates,\u201d\u00a0one user wrote in response to the FBI\u2019s warning<\/a>.<\/p>\n However, the FBI says there are steps users can take to protect themselves, including not opening any links with access codes that you didn\u2019t request. Additionally, those who have been affected by the Kali365 phishing kit can file a complaint with the\u00a0Internet Crime Complaint Center.<\/a><\/p>\n \u2014Amaya Nichole, News Writer<\/em><\/p>\n
The Federal Bureau of Investigation<\/a>\u00a0is warning the public about a fast-spreading\u00a0scam<\/a>\u00a0targeting users of popular\u00a0Microsoft<\/a>\u00a0365 products, including Outlook, Teams, and OneDrive. The scheme allows cybercriminals to capture Microsoft authentication tokens, bypassing multifactor authentication without needing a user\u2019s password.<\/p>\nHow the scheme unfolds<\/h2>\n