The FBI has issued an urgent warning for Microsoft 365 users after cybersecurity researchers uncovered a rapidly growing phishing operation known as Kali365. Unlike traditional phishing scams that focus on stealing usernames and passwords, Kali365 uses a more advanced approach that can give attackers access to Outlook, Teams, OneDrive, and other Microsoft services without directly collecting login credentials.
The campaign is raising concerns across the cybersecurity industry because it exploits a legitimate Microsoft authentication feature, making it significantly harder for users to recognize the threat. Researchers say the phishing kit was first identified in April 2026 and has already been linked to hundreds of attacks targeting businesses and individuals.
How Kali365 Targets Microsoft 365 Accounts
Most phishing attacks rely on fake websites designed to mimic trusted brands. Victims unknowingly enter their usernames and passwords, allowing cybercriminals to take over accounts.
Kali365 operates differently. Instead of directing users to a fraudulent login page, attackers send emails containing a device authentication code and instructions to visit a genuine Microsoft verification page. Because the website is legitimate, users may have little reason to suspect anything unusual.
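When the victim enters the code and completes the sign-in, the authorization is granted to the session that requested the code, which the attacker controls, so attackers can capture OAuth access tokens associated with the Microsoft account. These tokens act as authorization credentials that allow approved devices and applications to access Microsoft services without repeatedly requiring a password.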
Once captured, those tokens can potentially provide access to Outlook emails, Teams conversations, OneDrive files, calendars, and other connected Microsoft 365 applications.
Why Security Experts View This Threat Differently
The FBI says Kali365 lowers the barrier to entry for cybercriminals by packaging sophisticated phishing tools into a subscription-based service. According to reports from security researchers, the platform has been promoted through Telegram channels and is available for approximately $250 per month or $2,000 annually.
The service reportedly includes AI-generated phishing messages, automated campaign templates, victim tracking dashboards, and OAuth token capture functionality. These features allow attackers with limited technical expertise to launch convincing campaigns that previously required more advanced skills.
Security researchers observed hundreds of Kali365-related attacks during April alone, suggesting the platform is gaining traction among cybercriminal groups looking for new ways to compromise Microsoft 365 accounts.
Can Multi-Factor Authentication Stop Kali365?
One of the reasons the campaign has attracted attention is its ability to work around traditional credential-focused security protections.
Multi-factor authentication remains an important security measure, but Kali365 demonstrates how attackers are shifting their focus toward authentication workflows and authorization tokens. Because victims authorize access themselves by entering the supplied device code, attackers may obtain account access without stealing a password.
This does not mean MFA is ineffective. Security professionals continue to recommend MFA as a critical layer of protection. However, organizations are increasingly being encouraged to monitor OAuth activity, review device authentication requests, and enforce stricter identity security controls.
What Outlook, Teams, and OneDrive Users Should Do
The FBI advises users to avoid entering device authentication codes unless they personally initiated the login process. Any unexpected email requesting code verification should be treated as suspicious, even when it directs users to a genuine Microsoft website.
Organizations should review device code authentication settings, monitor unusual sign-in activity, restrict unnecessary application permissions, and educate employees about token-based phishing attacks.
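One way to act on the monitoring advice above, shown as an added example that is not part of the FBI alert or the researchers' reports: a Python check that flags successful device code sign-ins by accounts not expected to use that flow. It assumes sign-in records exported with Microsoft Graph signIn field names; the sample rows, account names, and allowlist are constructed.

```python
from collections import defaultdict

# Constructed sample sign-ins (not real tenant data). Columns:
# (time, user, ip, app, protocol, error_code); error 9999 is a made-up failure code.
ROWS = [
    ("2026-04-14T08:02:11Z", "alice@example.com", "198.51.100.10", "Office 365 Exchange Online", "none", 0),
    ("2026-04-14T08:30:00Z", "bob@example.com", "192.0.2.44", "Microsoft Teams", "none", 0),
    ("2026-04-14T09:15:42Z", "alice@example.com", "203.0.113.77", "Microsoft Office", "deviceCode", 0),
    ("2026-04-14T09:40:05Z", "room-display@example.com", "198.51.100.20", "Microsoft Teams", "deviceCode", 0),
    ("2026-04-14T10:05:19Z", "bob@example.com", "192.0.2.44", "Microsoft Office", "deviceCode", 0),
    ("2026-04-14T10:20:00Z", "carol@example.com", "203.0.113.77", "Microsoft Office", "deviceCode", 9999),
]
# Shape the rows like Microsoft Graph signIn records.
SAMPLE_SIGNINS = [
    {"createdDateTime": t, "userPrincipalName": u, "ipAddress": ip,
     "appDisplayName": app, "authenticationProtocol": proto, "status": {"errorCode": err}}
    for t, u, ip, app, proto, err in ROWS
]

# Assumption: accounts expected to use device code flow (e.g. shared room devices).
EXPECTED_DEVICE_CODE_USERS = {"room-display@example.com"}


def find_suspicious_device_code_signins(signins, expected_users=EXPECTED_DEVICE_CODE_USERS):
    """Return successful device code sign-ins by users not expected to use that flow."""
    known_ips = defaultdict(set)  # user -> IPs from earlier successful non-device-code sign-ins
    alerts = []
    # Timestamps share one ISO 8601 UTC format, so string order is time order.
    for rec in sorted(signins, key=lambda r: r["createdDateTime"]):
        user = rec["userPrincipalName"].lower()
        succeeded = rec.get("status", {}).get("errorCode") == 0
        if rec.get("authenticationProtocol") != "deviceCode":
            if succeeded:
                known_ips[user].add(rec["ipAddress"])
            continue
        if succeeded and user not in expected_users:
            alerts.append({
                "time": rec["createdDateTime"], "user": user,
                "ip": rec["ipAddress"], "app": rec["appDisplayName"],
                # A device code sign-in from an IP the user has not used before is the stronger signal.
                "new_ip": rec["ipAddress"] not in known_ips[user],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_device_code_signins(SAMPLE_SIGNINS):
        print(alert)
```

Alerts with `new_ip` set are the ones to triage first; the rest still merit a check with the user on whether they started that login themselves.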
Users who suspect their account has been compromised should immediately review recent account activity, revoke active sessions, change passwords, and notify their IT or security team.
The rise of Kali365 highlights a broader shift in cybercrime tactics. Rather than focusing solely on passwords, attackers are increasingly targeting trusted authentication systems and cloud identity services. Similar concerns are emerging across the cybersecurity landscape, including the potential impact of quantum computing on modern encryption systems, as security experts prepare for the next generation of digital threats.
For official guidance on phishing and account security, users can review recommendations published by the Cybersecurity and Infrastructure Security Agency (CISA).
As businesses continue moving critical communications and data into cloud platforms, cybersecurity experts warn that understanding how modern authentication attacks work may be just as important as maintaining strong passwords. The FBI’s latest alert serves as a reminder that even legitimate login systems can become part of a sophisticated phishing campaign when users are caught off guard.














