Shocking New Phishing Scam Lets Hackers Break Into Outlook and Teams Without Stealing Login Details
Cybercriminals exploit Microsoft login system to steal account access silently

The FBI has issued an urgent warning over a fast-spreading phishing campaign that is targeting users of Microsoft 365 services, including Outlook, Microsoft Teams, and OneDrive. The scam is powered by a cybercrime toolkit known as 'Kali365', which is enabling attackers to bypass traditional security protections, including multifactor authentication, without ever needing to steal a password.
Instead, victims are tricked into authorising access through legitimate Microsoft login processes, making the phishing attack far more difficult to detect. Security researchers say the campaign is already spreading quickly, raising concerns that millions of users could be exposed to account takeover attempts that leave no obvious trace of compromise.
Phishing Warning Over Microsoft 365 Attack Wave
The FBI has warned that the phishing campaign is exploiting OAuth device code authentication, a system designed to allow secure access to apps without repeated password entry. In this case, attackers are abusing the process to capture authentication tokens and gain persistent access to Microsoft accounts.
Officials say the method allows cybercriminals to sidestep conventional login protections, meaning even users with strong passwords and multifactor authentication are still vulnerable. The agency has urged users to be alert to any unexpected verification requests, particularly those involving device codes or login prompts that they did not initiate themselves.
How Kali365 Phishing Scam Operates
According to cybersecurity researchers, Kali365 is a subscription-based phishing kit being distributed through encrypted messaging platforms such as Telegram. It is marketed to low-skill attackers and reportedly includes automated phishing templates, AI-generated messages, and real-time targeting tools. The attack begins with a phishing email designed to appear as if it comes from a legitimate cloud service provider.
Victims are instructed to visit an official-looking Microsoft verification page and enter a device code provided in the message. Because the page itself is genuine, there is no fake website or suspicious domain to detect.
Once the code is entered, attackers immediately capture the OAuth access token, which grants full access to the victim's account without requiring a password. This enables them to move freely across services such as Outlook, Teams, and OneDrive while appearing as a legitimate user.
Phishing Attack Bypasses Traditional Security
Security experts say the most concerning aspect of this phishing campaign is that it does not rely on stolen credentials or fake login pages. Instead, it exploits trust in legitimate authentication flows within Microsoft's own infrastructure. This means users are not handing over passwords but unknowingly granting access permissions that are difficult to revoke quickly.
The FBI has described the toolkit as lowering the barrier to entry for cybercriminals, noting that it provides automated phishing infrastructure and tracking dashboards that make large-scale attacks easier to execute. Researchers report that hundreds of Kali365-related phishing attempts have already been detected in recent months, suggesting the campaign is actively growing.
Growing Scale of Phishing Attacks
The subscription-based nature of Kali365, reportedly costing as little as $250 per month, has raised concerns that phishing attacks targeting Microsoft 365 users could increase significantly.
By making advanced phishing techniques widely accessible, the toolkit is enabling a broader range of attackers to target both individuals and organisations.
Once inside an account, attackers can access sensitive communications, stored files, and internal business data without triggering standard security alerts.
Preventing Phishing Compromise
The FBI has advised users of Outlook, Microsoft Teams, and OneDrive to avoid entering any device codes or verification requests that they did not personally initiate. Users are also urged to scrutinise unexpected emails requesting authentication steps, even if they appear to originate from trusted services. Those who believe they may have been affected are encouraged to report incidents to the Internet Crime Complaint Center (IC3) and review account activity for unauthorised access.
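Reviewing account activity for the abuse described above means looking for sign-ins completed through the device code flow rather than for stolen passwords. The script below is an added example, not code from the article, the FBI or Microsoft; it assumes a newline-delimited JSON export of Microsoft Entra ID sign-in records in which the authenticationProtocol field reads "deviceCode" for that flow, and the allowlist of apps expected to use the flow is a placeholder to be replaced with the organisation's own.

```python
"""Hunt for OAuth device code sign-ins in Microsoft Entra ID sign-in log exports.

Added detection example (not part of the article or any Microsoft tool). It assumes
one JSON object per line shaped like Microsoft Graph signIn records, where the
authenticationProtocol field reads "deviceCode" for the device code flow."""
import json
from collections import defaultdict

# Apps the organisation expects to use the device code flow (assumed allowlist).
EXPECTED_DEVICE_CODE_APPS = {"Microsoft Azure CLI"}

# Constructed sample events, not real log data.
SAMPLE_LOG = """\
{"createdDateTime": "2025-03-03T08:01:00Z", "userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2", "appDisplayName": "Microsoft Teams", "status": {"errorCode": 0}}
{"createdDateTime": "2025-03-03T08:09:00Z", "userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}}
{"createdDateTime": "2025-03-03T08:12:00Z", "userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Azure CLI", "status": {"errorCode": 0}}
{"createdDateTime": "2025-03-03T08:15:00Z", "userPrincipalName": "carol@example.com", "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office", "status": {"errorCode": 50126}}
"""


def parse_sign_ins(text):
    """Parse newline-delimited JSON sign-in records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_device_code_sign_ins(events):
    """Return successful device code sign-ins with the reasons each one merits review.

    A user whose earlier sign-ins never used the device code flow has no history of
    needing it, and an app outside the allowlist should not be obtaining tokens this
    way; either is a reason to confirm the user initiated the prompt themselves."""
    history = defaultdict(set)  # user -> protocols seen in earlier successful sign-ins
    findings = []
    for e in sorted(events, key=lambda e: e["createdDateTime"]):
        user, proto = e["userPrincipalName"], e["authenticationProtocol"]
        succeeded = e.get("status", {}).get("errorCode", 0) == 0
        if proto == "deviceCode" and succeeded:
            reasons = []
            if "deviceCode" not in history[user]:
                reasons.append("first device code sign-in for this user")
            if e["appDisplayName"] not in EXPECTED_DEVICE_CODE_APPS:
                reasons.append(f"unexpected app: {e['appDisplayName']}")
            if reasons:
                findings.append({"user": user, "time": e["createdDateTime"], "reasons": reasons})
        if succeeded:
            history[user].add(proto)
    return findings


if __name__ == "__main__":
    for f in find_device_code_sign_ins(parse_sign_ins(SAMPLE_LOG)):
        print(f["time"], f["user"], "; ".join(f["reasons"]))
```

On the sample data it reports Alice's Office sign-in on both counts and Bob's Azure CLI sign-in only as his first use of the flow, while Carol's failed attempt is skipped.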
© Copyright IBTimes 2025. All rights reserved.