The FBI’s Kali365 warning matters because this scam doesn’t require your password to break into your Microsoft 365 account.
Quick Take
- The FBI says Kali365 is a phishing-as-a-service platform that targets Microsoft 365 accounts.[5]
- The attack can bypass multi-factor authentication by stealing access tokens instead of passwords.[5]
- Attackers get into a victim’s Outlook, Teams, and OneDrive after the victim enters a device code on a real Microsoft page.[3]
- The warning reflects a broader shift toward token theft and device code phishing, rather than old-fashioned password theft.
What Kali365 Actually Does
Kali365 is not a single scam email. It is a subscription-based phishing toolkit that helps criminals run token theft at scale. The FBI says it first saw the platform in April 2026 and released a public warning about it in June.[5]
FBI issues urgent Kali365 security warning for Teams, Outlook, OneDrive users https://t.co/J22HOHtP4C
— The Hill (@thehill) June 15, 2026
The core trick is simple and ugly. A fake email impersonates a trusted cloud or file-sharing service and sends the target to a legitimate Microsoft device-login page.[1] The code the email tells the user to type was requested by the attacker’s own client. When the user enters it and completes sign-in, thinking they are opening a file, Microsoft issues the tokens to the client that asked for the code. The user has just authorized the attacker’s device.
That is why the scam works even when multi-factor authentication is turned on: the victim satisfies the MFA prompt as a normal step of the sign-in, and the tokens still land with the attacker. The FBI says Kali365 can obtain Microsoft 365 access tokens and bypass multi-factor authentication without intercepting credentials.[5]
Once the tokens are captured, the attacker can remain logged in and use the services tied to the account.[3] A refresh token issued alongside the access token lets that session be renewed without another visit to the login page, which is why incident response for a token-theft case includes revoking the user’s sessions and refresh tokens, not just changing the password.
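The exchange described above, modelled end to end. This is an added example and not code from the FBI advisory, from Microsoft, or from the Kali365 kit: a toy identity provider (`MockAuthServer`, following the shape of the RFC 8628 device authorization grant), a hypothetical attacker client (`attacker-cli`), a placeholder verification URI and an invented victim account. The point it makes is that the token endpoint hands tokens to whoever holds the `device_code`, regardless of who typed the `user_code` and passed MFA.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class PendingGrant:
    client_id: str                      # the client that requested the code pair
    scope: str
    created: float
    expires_in: int = 900               # device codes are short-lived
    approved_by: Optional[str] = None   # set once a human completes sign-in


class MockAuthServer:
    """Toy RFC 8628 device authorization grant, constructed for this example.
    It models only the three messages that matter for the phish."""

    def __init__(self) -> None:
        self._pending: dict = {}      # device_code -> PendingGrant
        self._user_codes: dict = {}   # user_code -> device_code

    # 1. A client asks for a device_code / user_code pair.
    def device_authorization(self, client_id: str, scope: str) -> dict:
        device_code = secrets.token_urlsafe(32)
        user_code = secrets.token_hex(4).upper()   # what the victim is told to type
        self._pending[device_code] = PendingGrant(client_id, scope, time.time())
        self._user_codes[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://idp.example/devicelogin",  # placeholder
                "interval": 5, "expires_in": 900}

    # 2. A human visits the genuine verification page, types the user_code,
    #    signs in and passes MFA. Nothing ties that human to the requesting client.
    def verification_page(self, user_code: str, username: str, mfa_ok: bool) -> str:
        device_code = self._user_codes.get(user_code)
        if device_code is None:
            return "unknown code"
        if not mfa_ok:
            return "mfa failed"
        self._pending[device_code].approved_by = username
        return "approved"

    # 3. The client polls the token endpoint with the device_code it holds.
    def token(self, client_id: str, device_code: str) -> dict:
        grant = self._pending.get(device_code)
        if grant is None or grant.client_id != client_id:
            return {"error": "invalid_grant"}
        if time.time() - grant.created > grant.expires_in:
            del self._pending[device_code]
            return {"error": "expired_token"}
        if grant.approved_by is None:
            return {"error": "authorization_pending"}
        del self._pending[device_code]
        return {"access_token": "at." + secrets.token_urlsafe(16),
                "refresh_token": "rt." + secrets.token_urlsafe(16),
                "scope": grant.scope,
                "subject": grant.approved_by,        # whose account the token is for
                "issued_to_client": client_id}       # who actually holds it


def run_phish(server: MockAuthServer, victim: str) -> dict:
    """The lure end to end: the attacker starts the flow, the victim finishes it."""
    attacker_client = "attacker-cli"   # hypothetical client name
    start = server.device_authorization(attacker_client, "Mail.Read Files.Read")
    # The email says "enter code <user_code> to open the shared file".
    first_poll = server.token(attacker_client, start["device_code"])
    # The victim types the code on the real page and completes MFA.
    page = server.verification_page(start["user_code"], victim, mfa_ok=True)
    # The attacker's next poll gets tokens for the victim's account.
    tok = server.token(attacker_client, start["device_code"])
    return {"first_poll": first_poll, "page": page, "token": tok}


if __name__ == "__main__":
    result = run_phish(MockAuthServer(), "alice@contoso.example")
    print(result["page"], "->", result["token"]["subject"],
          "token held by", result["token"]["issued_to_client"])
```

Until the victim acts, the attacker’s poll gets `authorization_pending`; after the victim passes MFA, the same poll returns an access token and a refresh token for the victim’s account. The victim’s browser never receives a token at all.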
Why This Threat Feels Different
This warning lands because it shows how phishing has changed. Older scams tried to steal a password. Kali365 goes after the digital proof that Microsoft already trusts.[3] That makes the attack harder to spot and easier to reuse after the first hit.
Researchers and reporters describe Kali365 as a low-skill tool with high-skill results. The FBI says it gives attackers ready-made lures, campaign templates, tracking dashboards, and OAuth token capture tools.[2][5] In plain English, it lets a weaker criminal run a more polished attack.
That is the larger story here. Microsoft 365 has become a prime target because it links mail, chat, and file storage in one place.[3] If an attacker gets in, they do not just read one inbox. They can move through Outlook, Teams, and OneDrive as if they belong there.[1][3]
What Users Should Do Now
The FBI advises people not to click links containing access codes they did not request and to report suspicious messages or logins to the Internet Crime Complaint Center.[1][2] Microsoft also tells users to report phishing in Outlook or Teams and to keep an eye out for suspicious messages and unsafe sites.
🚨 FBI WARNS MICROSOFT USERS ABOUT NEW KALI365 PHISHING SCAM.
The FBI is alerting Microsoft 365 users about a fast‑growing phishing‑as‑a‑service scam called Kali365. The tool helps attackers steal OAuth tokens and slip past multi‑factor authentication. It uses AI‑generated lures… pic.twitter.com/67AwdkqBdi
— The Content Factory (@tcf_updates) June 16, 2026
For organizations, the smarter defense is to block the device code flow where it is not needed and tighten the controls around sign-ins. In Microsoft Entra ID that means a Conditional Access policy that targets the device code authentication flow and blocks it for everyone except the accounts that genuinely need it (shared devices, meeting-room systems, command-line tooling), plus alerting on any device code sign-in that does get through, because a sign-in that passed MFA looks clean in every other respect. That advice fits the broader lesson behind Kali365: if a login process can be turned into a trap, attackers will eventually try it. The people who win are the ones who treat convenience as a risk, not a feature.
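A detection check of the kind the paragraph above calls for, as an added example that is not from the FBI advisory or from Microsoft: it scans exported sign-in records, keeps the successful device code sign-ins, and rates each one by whether the account is on an assumed allow-list of legitimate device code users and whether the source address was already seen for that account. The field names follow Microsoft Graph’s signIn resource; the records, users and addresses are constructed for this example.

```python
import json
from collections import defaultdict

# Constructed sample records. Field names follow Microsoft Graph's signIn resource
# (authenticationProtocol, userPrincipalName, appDisplayName, ipAddress, status);
# the values, users and addresses are invented for this example.
SAMPLE_SIGNINS = [json.dumps(r) for r in [
    {"createdDateTime": "2026-06-14T09:12:03Z", "userPrincipalName": "alice@contoso.example",
     "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.10",
     "authenticationProtocol": "oAuth2", "mfaDetail": {"authMethod": "Authenticator"},
     "status": {"errorCode": 0}},
    {"createdDateTime": "2026-06-14T09:15:41Z", "userPrincipalName": "alice@contoso.example",
     "appDisplayName": "Microsoft Office", "ipAddress": "198.51.100.77",
     "authenticationProtocol": "deviceCode", "mfaDetail": {"authMethod": "Authenticator"},
     "status": {"errorCode": 0}},
    {"createdDateTime": "2026-06-14T10:02:00Z", "userPrincipalName": "svc-kiosk@contoso.example",
     "appDisplayName": "Microsoft Teams", "ipAddress": "192.0.2.5",
     "authenticationProtocol": "deviceCode", "mfaDetail": {},
     "status": {"errorCode": 0}},
    {"createdDateTime": "2026-06-14T10:30:00Z", "userPrincipalName": "bob@contoso.example",
     "appDisplayName": "Microsoft Office", "ipAddress": "198.51.100.77",
     "authenticationProtocol": "deviceCode", "mfaDetail": {"authMethod": "Authenticator"},
     "status": {"errorCode": 50126}},
]]

# Accounts expected to use the device code flow (kiosks, meeting-room devices). Assumed.
DEVICE_CODE_ALLOW_LIST = {"svc-kiosk@contoso.example"}


def find_device_code_signins(lines, allow_list=DEVICE_CODE_ALLOW_LIST):
    """Return one finding per successful device code sign-in, rated by whether the
    account is expected to use the flow and whether the source IP is new for it."""
    records = sorted((json.loads(line) for line in lines), key=lambda r: r["createdDateTime"])
    seen_ips = defaultdict(set)   # user -> IPs from earlier, non-device-code successes
    findings = []
    for rec in records:
        user = rec.get("userPrincipalName", "")
        ip = rec.get("ipAddress")
        succeeded = rec.get("status", {}).get("errorCode", 0) == 0
        if rec.get("authenticationProtocol") != "deviceCode":
            if succeeded:
                seen_ips[user].add(ip)
            continue
        if not succeeded:
            continue   # a failed attempt is not a compromise; count it separately if wanted
        known_ip = ip in seen_ips[user]
        if user in allow_list:
            severity = "info"
        elif known_ip:
            severity = "medium"
        else:
            severity = "high"
        findings.append({
            "time": rec["createdDateTime"], "user": user, "app": rec.get("appDisplayName"),
            "ip": ip, "ip_previously_seen": known_ip,
            # MFA being satisfied is expected here: the victim passed it on the attacker's behalf.
            "mfa_satisfied": bool(rec.get("mfaDetail")),
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in find_device_code_signins(SAMPLE_SIGNINS):
        print(f["severity"].upper(), f["time"], f["user"], f["app"], f["ip"],
              "mfa" if f["mfa_satisfied"] else "no-mfa")
```

On the sample, alice’s device code sign-in from an address she has never used is rated high even though MFA was satisfied; the kiosk account is rated info because it is on the allow-list; bob’s failed attempt is skipped. The same starting filter in a Log Analytics workspace is the SigninLogs table restricted to rows whose AuthenticationProtocol column is `deviceCode`.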
Sources:
[1] Web – FBI issues urgent Kali365 security warning for Teams, Outlook, …
[2] Web – FBI warns of Kali365 phishing scam targeting Microsoft 365 users
[3] Web – FBI warns about PhaaS platform used to access Microsoft 365 …