FBI Warns of New Cyberattack Bypassing Microsoft Passwords and MFA

The FBI is alerting corporate America that cybercriminals have acquired a powerful new tool capable of breaching Microsoft email accounts without needing a password. Federal investigators report a rising trend of hackers using a phishing platform called Kali365 to take over Microsoft 365 accounts—including Outlook, Teams, and OneDrive—while circumventing multi-factor authentication (MFA) protections that millions of businesses rely on daily.

How Kali365 Works

In a public advisory, the FBI stated that Kali365 significantly lowers the entry barrier for cybercrime, enabling even relatively inexperienced hackers to launch sophisticated phishing attacks using automated tools, AI-generated scam emails, and real-time victim tracking dashboards. The FBI warned that the toolkit provides attackers with OAuth token capture capabilities, granting long-term access to victim accounts.

Unlike traditional phishing scams that aim to steal passwords directly, these new attacks exploit Microsoft's legitimate device code login system—a feature commonly used to sign into smart TVs, streaming devices, and other hardware with limited keyboards. Victims typically receive emails that appear to come from trusted Microsoft services such as SharePoint, Teams, or OneDrive. The messages instruct users to visit a legitimate Microsoft login page and enter a temporary code.


By entering that code, users unknowingly authorize the hacker's device instead of their own. Once the victim completes the process—including any multi-factor authentication checks—Microsoft issues valid access tokens directly to the attacker, allowing them to access email inboxes, cloud files, and collaboration tools without ever needing the user's password.

Persistence and Detection Challenges

The FBI warned that hackers can maintain persistent access to accounts until the stolen authentication tokens are manually revoked. Cybersecurity experts note that these attacks are particularly concerning because they abuse legitimate Microsoft infrastructure, making them much harder to detect. Matt Burk, chief information security officer at Bespoke Concierge MD, told The Post: 'Since Microsoft has globally enforced MFA, this method of cyber attack is designed to bypass MFA and the need for a password.'

Researchers say virtually anyone using Microsoft 365 could be targeted—from small businesses to Fortune 500 companies. Burk added, 'I absolutely hate to generalize, but everyone from a small mom-and-pop business to a large Fortune 500 company.'

Spread of Kali365

The FBI reported that the Kali365 platform first emerged last month and has rapidly spread through cybercrime forums and Telegram channels as part of the booming phishing-as-a-service underground economy, where hacking tools are sold via subscriptions to low-skilled criminals. Security firms Arctic Wolf and Huntress say similar campaigns have already targeted hundreds of organizations across the US, Canada, Europe, and Australia, including businesses in healthcare, manufacturing, education, finance, and government. These attacks are part of a broader wave of cybercrime aimed at Microsoft 365 environments, which have become a prime target due to the software's deep integration into modern workplaces.

Recommendations for Protection

Experts advise companies to monitor for suspicious authentication activity and deploy advanced security tools capable of detecting stolen token usage. For ordinary users, cybersecurity specialists recommend being extremely cautious about unsolicited emails requesting device login verification codes—even if the page appears to be a legitimate Microsoft website. The FBI emphasized that users should never enter authentication codes sent through unexpected emails or messages and should report suspicious login requests immediately.
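
As an added example (not taken from the FBI advisory or this article), one way to monitor for the suspicious authentication activity described above is to flag completed device-code sign-ins that are new for a user or that come from a country absent from that user's baseline. The record layout, field names, accounts and dates are constructed assumptions modelled on Microsoft Entra ID sign-in logs; map them to your own log export.

```python
import json
from datetime import datetime

# Constructed sample sign-in records (not real logs), one JSON object per line.
# Field names are assumptions modelled on Entra ID sign-in logs, flattened.
SAMPLE_LOG = """\
{"createdDateTime":"2025-01-06T09:02:11Z","userPrincipalName":"alice@example.com","authenticationProtocol":"none","country":"US","errorCode":0}
{"createdDateTime":"2025-01-07T10:15:00Z","userPrincipalName":"bob@example.com","authenticationProtocol":"deviceCode","country":"US","errorCode":0}
{"createdDateTime":"2025-01-08T08:40:30Z","userPrincipalName":"bob@example.com","authenticationProtocol":"none","country":"US","errorCode":0}
{"createdDateTime":"2025-01-20T14:31:00Z","userPrincipalName":"alice@example.com","authenticationProtocol":"deviceCode","country":"NL","errorCode":0}
{"createdDateTime":"2025-01-21T09:00:00Z","userPrincipalName":"bob@example.com","authenticationProtocol":"deviceCode","country":"US","errorCode":0}
{"createdDateTime":"2025-01-22T03:10:45Z","userPrincipalName":"bob@example.com","authenticationProtocol":"deviceCode","country":"RO","errorCode":0}
{"createdDateTime":"2025-01-22T11:05:00Z","userPrincipalName":"carol@example.com","authenticationProtocol":"deviceCode","country":"US","errorCode":50199}
"""

def parse(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def load_events(text):
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: parse(e["createdDateTime"]))

def flag_device_code_signins(events, baseline_end):
    """Return (user, time, reasons) for device-code sign-ins outside the baseline."""
    cutoff = parse(baseline_end)
    used_device_code, countries, alerts = set(), {}, []
    for e in events:
        user = e["userPrincipalName"]
        ok = e["errorCode"] == 0
        is_dc = e["authenticationProtocol"] == "deviceCode"
        if parse(e["createdDateTime"]) <= cutoff:
            if ok:  # learn each user's normal countries and device-code use
                countries.setdefault(user, set()).add(e["country"])
                if is_dc:
                    used_device_code.add(user)
            continue
        if not (ok and is_dc):
            continue  # only a completed device-code sign-in yields tokens
        reasons = []
        if user not in used_device_code:
            reasons.append("first device-code sign-in")
        if e["country"] not in countries.get(user, set()):
            reasons.append("new country " + e["country"])
        if reasons:
            alerts.append((user, e["createdDateTime"], reasons))
    return alerts

if __name__ == "__main__":
    for alert in flag_device_code_signins(load_events(SAMPLE_LOG), "2025-01-15T00:00:00Z"):
        print(alert)
```

Because access persists until the tokens are revoked, a confirmed alert should lead to revoking that user's sessions and tokens rather than only resetting the password.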
