What is 'Kali365' Attack? New Cyberattack Lets Criminals Slip Past All Microsoft Security Checks, FBI Warns
Federal investigators highlight the dangers of the 'Kali365' attack, which exploits Microsoft authentication systems to infiltrate user accounts.

Millions of Microsoft users have been urged to remain vigilant after US federal investigators warned about a sophisticated cyberattack campaign known as 'Kali365', which allegedly allows hackers to bypass traditional Microsoft security protections and infiltrate accounts linked to Outlook, Teams, OneDrive, and other Microsoft 365 services.
The warning, highlighted in recent FBI and cybersecurity reports, centres on attackers exploiting legitimate Microsoft authentication systems rather than breaking through them directly.
Security experts say the tactic makes the operation particularly dangerous because malicious login attempts can appear legitimate to both users and automated detection systems.
What Is the 'Kali365' Attack?
According to cybersecurity researchers, 'Kali365' is a phishing toolkit, offered to other criminals, that abuses Microsoft 365's sign-in flow to steal authentication tokens and keep access to a user's account after the victim has logged in.
Unlike traditional phishing that relies solely on a fake login page, the attackers allegedly relay victims through Microsoft's real authentication flow, so the victim signs in normally while the attacker captures the valid session token that Microsoft issues at the end.
Researchers say this defeats forms of MFA that rely on a one-time code or a push approval, which many users wrongly assume guarantees full protection.
Cybersecurity firm Proofpoint described the broader tactic as an increasingly common form of 'adversary-in-the-middle' phishing, where attackers intercept communications between users and legitimate services.
According to the FBI warning, criminals have increasingly targeted Microsoft 365 users because compromised accounts can provide access to sensitive emails, cloud storage, internal communications, and financial information.
Why Experts Say the Attack Is So Dangerous
Cybersecurity analysts say Kali365 represents a worrying shift because it works against one of the internet's most widely recommended security measures: multi-factor authentication.
Typically, MFA requires users to confirm a login with a second device or a code. Kali365 does not break the second factor itself: the victim completes MFA as normal, and the attacker captures the authenticated session token (or, in the FBI's description, an OAuth token) that results and reuses it. Because that token already carries proof that MFA was completed, replaying it does not trigger a fresh challenge.
The FBI also warned that the platform dramatically lowers the barrier for cybercrime.
'Kali365 lowers the barrier of entry, providing less-technical attackers access to AI-generated phishing lures, automated campaign templates, real-time targeted individual/entity tracking dashboards, and OAuth token capture capabilities,' the agency said.
Security researchers say this means inexperienced criminals can now deploy highly sophisticated attacks that previously required advanced technical knowledge.
According to TechRepublic, using legitimate Microsoft pages creates a major trust problem because victims may believe they are interacting with authentic security prompts rather than with phishing infrastructure.
Outlook, Teams, and OneDrive Users at Particular Risk
Once attackers gain access to a Microsoft 365 account, experts warn they can potentially move across multiple connected services.
Compromised accounts may expose:
- Outlook email conversations
- Teams chats and meeting data
- OneDrive files and cloud storage
- internal corporate documents
- password reset links
- financial records
Security researchers say hackers frequently use compromised accounts to launch secondary attacks against colleagues, clients, or family members by sending phishing emails from trusted addresses.
Microsoft itself has repeatedly warned that token theft and session hijacking attacks are becoming a major cybersecurity threat across enterprise systems.
According to Microsoft security guidance, attackers increasingly steal authenticated browser sessions rather than passwords alone, because a valid session token is accepted as-is and is not normally re-checked against a password or a second factor.
How the Attack Allegedly Bypasses MFA
Multi-factor authentication remains one of the strongest security protections available, but experts caution that it is not invulnerable.
In adversary-in-the-middle attacks, victims unknowingly authenticate themselves through an attacker-controlled relay. Once the authentication process succeeds, the attacker may capture the resulting session token and reuse it to access the account without needing the password again.
That means users may technically complete MFA successfully while attackers silently gain account access behind the scenes.
The US Cybersecurity and Infrastructure Security Agency (CISA) has previously warned organisations about phishing kits that can intercept MFA tokens and session cookies.
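The replay described above leaves a trace that defenders can look for: a session that was established with an interactive MFA prompt from one address is then presented from a different address, often a hosting provider, with no fresh MFA challenge. The following is an added example, not code from the article, the FBI or Microsoft. The sign-in records are constructed, and their field names are a simplified, assumed schema loosely modelled on Entra ID sign-in logs (real logs are richer and name the fields differently); the `claim_in_token` value stands in for the "MFA satisfied by claim in the token" detail such logs show when no new challenge was issued.

```python
"""Spot adversary-in-the-middle session replay in sign-in records.

Added example; not from the original article. The records and field
names below are constructed and simplified (assumed schema, loosely
modelled on Entra ID sign-in logs).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample. Alice completes MFA from a residential address and,
# 89 seconds later, her session id is reused from a hosting provider's
# address with no fresh MFA prompt: the pattern an AitM kit produces.
# Bob's session is reused, but from the same address, so it is left alone.
SAMPLE_SIGNINS = [
    {"time": "2025-05-01T09:02:11Z", "user": "alice@example.com", "session_id": "S-1",
     "ip": "203.0.113.10", "asn": "AS64500 ExampleNet ISP", "mfa": "interactive", "result": "success"},
    {"time": "2025-05-01T09:03:40Z", "user": "alice@example.com", "session_id": "S-1",
     "ip": "198.51.100.77", "asn": "AS64496 Example Hosting", "mfa": "claim_in_token", "result": "success"},
    {"time": "2025-05-01T10:15:00Z", "user": "bob@example.com", "session_id": "S-2",
     "ip": "203.0.113.55", "asn": "AS64500 ExampleNet ISP", "mfa": "interactive", "result": "success"},
    {"time": "2025-05-01T11:20:00Z", "user": "bob@example.com", "session_id": "S-2",
     "ip": "203.0.113.55", "asn": "AS64500 ExampleNet ISP", "mfa": "claim_in_token", "result": "success"},
]

REPLAY_WINDOW = timedelta(hours=24)  # assumed: how long a stolen session is worth watching


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def find_session_replays(events, window=REPLAY_WINDOW):
    """Return one alert per session id that was first established with an
    interactive MFA sign-in and later presented from a different IP
    address, without a fresh MFA challenge, inside `window`."""
    by_session = defaultdict(list)
    for event in events:
        if event["result"] == "success":
            by_session[event["session_id"]].append(event)

    alerts = []
    for session_id, session_events in by_session.items():
        session_events.sort(key=lambda e: parse_time(e["time"]))
        # The sign-in that actually satisfied MFA is the session's origin.
        origin = next((e for e in session_events if e["mfa"] == "interactive"), None)
        if origin is None:
            continue
        t0 = parse_time(origin["time"])
        for later in session_events:
            t = parse_time(later["time"])
            if t <= t0 or t - t0 > window:
                continue
            if later["ip"] != origin["ip"] and later["mfa"] == "claim_in_token":
                alerts.append({
                    "user": later["user"],
                    "session_id": session_id,
                    "mfa_ip": origin["ip"],
                    "replay_ip": later["ip"],
                    "replay_asn": later["asn"],
                    "asn_changed": later["asn"] != origin["asn"],
                    "minutes_after_mfa": round((t - t0).total_seconds() / 60, 1),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_session_replays(SAMPLE_SIGNINS):
        print(alert)
```

A real detection would key on the tenant's own session or token identifier and enrich the address with ASN and geolocation; the point is the comparison between where MFA was actually completed and where the resulting session is later used. Genuine users do change networks, so an address change alone is a weak signal; an address change to a hosting provider minutes after MFA, with no new challenge, is the one worth acting on (revoke the sessions, reset the credential).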
How Users Can Protect Themselves
Cybersecurity experts stress that users should not panic, but they should adopt stronger security habits immediately.
Recommended protections include:
- enabling phishing-resistant MFA where available
- avoiding login links sent via unsolicited emails or text messages
- checking domain URLs carefully before signing in
- using a password manager, which will not auto-fill saved credentials on a domain it does not recognise
- reviewing active Microsoft account sessions regularly
- enabling account activity alerts
- logging out of sessions after use on shared devices
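"Checking the domain carefully" is harder than it sounds, because an adversary-in-the-middle relay serves Microsoft's real pages from its own host, and that host is often chosen to contain the genuine name. The following is an added example, not from the article, showing why a substring check is the wrong test and what the right one looks like. The allowlist of Microsoft sign-in hosts is a short, assumed set for illustration, and the lookalike links are constructed.

```python
"""Decide whether a sign-in link really points at Microsoft's login service.

Added example; not from the original article. The host allowlist is an
assumed, illustrative set, and the sample links are constructed.
"""
from urllib.parse import urlsplit

# Assumed allowlist for illustration; maintain your own for your tenant.
MICROSOFT_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.live.com",
}


def naive_looks_legit(url):
    """The test a lure is built to pass: the real name appears somewhere."""
    return "microsoftonline.com" in url


def is_microsoft_login(url):
    """Exact match on scheme and the whole host. Rejects lookalikes that
    embed the real host as a prefix, in the userinfo part, or in a query
    parameter, and rejects plain http, which the real service does not use."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    # hostname is lower-cased and excludes any user:pass@ prefix and port.
    host = (parts.hostname or "").rstrip(".")
    return host in MICROSOFT_LOGIN_HOSTS


# Constructed links: one genuine, the rest the shapes a relay typically uses.
SAMPLE_LINKS = [
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
    "https://login.microsoftonline.com.secure-docs-review.example/common/oauth2/v2.0/authorize",
    "https://login-microsoftonline.example/common/oauth2/v2.0/authorize",
    "https://secure-docs-review.example/?next=https://login.microsoftonline.com/",
    "https://login.microsoftonline.com@secure-docs-review.example/",
    "http://login.microsoftonline.com/common/oauth2/v2.0/authorize",
]


def classify(links):
    """Return (url, naive verdict, strict verdict) for each link."""
    return [(u, naive_looks_legit(u), is_microsoft_login(u)) for u in links]


if __name__ == "__main__":
    for url, naive, strict in classify(SAMPLE_LINKS):
        print(f"naive={naive!s:5} strict={strict!s:5} {url}")
```

Only the first link passes the strict check; the substring test accepts four of the five lookalikes. This is exactly the comparison a password manager makes before auto-filling, which is why it is a better guard than reading the address bar by eye. It does not, however, help once a victim has been persuaded to type credentials manually into a relay, which is why phishing-resistant MFA remains the stronger control.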
Businesses are also being urged to implement Conditional Access policies (for example, requiring a compliant or managed device before a session is accepted), device verification systems, and advanced email filtering tools to reduce exposure.
The FBI warning serves as another reminder that modern cyberattacks increasingly rely on deception rather than brute-force hacking. Instead of defeating Microsoft's systems outright, attackers are allegedly manipulating trust itself, using legitimate authentication processes against the very people they are designed to protect.
© Copyright IBTimes 2025. All rights reserved.