The FBI says there is now a $250 subscription that lets amateurs pop into your Outlook, Teams, and OneDrive without ever knowing your password.
Story Snapshot
- The Federal Bureau of Investigation (FBI) is warning about Kali365, a “phishing‑as‑a‑service” kit that obtains Microsoft 365 access tokens rather than passwords.
- The scam abuses the legitimate Microsoft device‑code sign‑in: victims really are on a genuine Microsoft page, and it is their own act of entering the attacker’s code that opens the door.
- Once inside, attackers can read email, comb OneDrive, and lurk in Teams; the victim completed multi‑factor authentication on the attacker’s behalf, so MFA never blocks the session.
- Smart settings and one simple user habit can shut most of this down if people act before the headlines fade.
How Kali365 Turns Your Own Security Into the Weapon
Kali365 is not a lone hacker in a hoodie; it is a full subscription service sold to criminals who want quick access to Microsoft 365 accounts without doing the hard work.
FBI investigators describe it as an “emerging phishing‑as‑a‑service platform” that steals access tokens instead of usernames and passwords.
That one twist changes the entire game, because those tokens are what Microsoft’s services accept as proof that you already signed in; whoever holds a valid token needs neither your password nor a fresh multi‑factor prompt.[1]
The attack starts with an email that looks like routine business: a document to sign, a shared file, a Teams item to review.[1][3] The message includes a device code (the short user code that a device‑code sign‑in normally displays on the device being set up) and friendly instructions to visit Microsoft’s legitimate device‑login verification page and enter it.
The page is real, the padlock is real, the brand is real. What the victim does not see is that the code was requested moments earlier from a machine the attacker controls. When the victim types it in and completes the sign‑in, they are not logging in to a device of their own; they are approving the attacker’s pending request.[1]
Why Multi‑Factor Authentication Alone Does Not Save You Here
Most people finally turned on multi‑factor authentication and felt safe, and to be fair, that was a smart move. Kali365 sidesteps that by shifting the crucial moment. The user still passes a multi‑factor prompt, but they do it in a session that the attacker quietly started in the background.
Once Microsoft issues the access and refresh tokens to that rogue client, the attacker can walk into Outlook, Teams, and OneDrive over and over without asking you for anything again, for as long as the refresh token stays valid and nobody revokes it.[3]
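To make the mechanics concrete, here is a small in‑process simulation of the device authorization grant (RFC 8628) that the device code flow implements. It is an added example written for this page, not code from the FBI, Microsoft or the Kali365 kit; the toy server, the attacker‑laptop client label, the alice@contoso.example identity, the example verification URL and every token value are constructed, and the revoke_sessions method models an administrator revoking a user’s sessions after the fact. Run it and the tokens come out bound to the victim’s identity even though only the attacker’s client ever asked for them.

```python
"""Toy replay of the OAuth 2.0 device authorization grant (RFC 8628) as it is
abused by device-code phishing. Everything runs in-process: the server, client
label, identity and every token value are constructed, and no Microsoft
endpoint is contacted."""
from __future__ import annotations
import secrets, string, time
from dataclasses import dataclass, field


@dataclass
class PendingAuthorization:
    client_id: str
    scope: str
    user_code: str
    expires_at: float
    authorized_user: str | None = None   # set by whoever enters user_code


@dataclass
class ToyAuthorizationServer:
    """Minimal RFC 8628 server. device_code_flow_allowed stands in for an
    administrator blocking the flow (Conditional Access can do this in Entra)."""
    device_code_flow_allowed: bool = True
    pending: dict[str, PendingAuthorization] = field(default_factory=dict)
    issued: list[dict] = field(default_factory=list)

    def device_authorization(self, client_id: str, scope: str) -> dict:
        # Step 1: the client (here, the attacker's machine) asks for a code pair.
        if not self.device_code_flow_allowed:
            return {"error": "invalid_grant", "error_description": "blocked by policy"}
        device_code = secrets.token_urlsafe(32)
        alphabet = string.ascii_uppercase + string.digits
        user_code = "".join(secrets.choice(alphabet) for _ in range(9))
        self.pending[device_code] = PendingAuthorization(client_id, scope, user_code,
                                                         time.time() + 900)
        return {"device_code": device_code, "user_code": user_code, "expires_in": 900,
                "interval": 5, "verification_uri": "https://login.example.test/devicelogin"}

    def verify_user(self, user_code: str, signed_in_user: str, mfa_passed: bool) -> dict:
        # Step 2: whoever types user_code on the genuine page binds their identity
        # (MFA included) to the pending request. The server cannot tell that the
        # code arrived by email rather than from the user's own device.
        for auth in self.pending.values():
            if auth.user_code == user_code and time.time() < auth.expires_at:
                if not mfa_passed:
                    return {"status": "mfa_required"}
                auth.authorized_user = signed_in_user
                return {"status": "approved", "client_id": auth.client_id}
        return {"status": "unknown_code"}

    def token(self, device_code: str) -> dict:
        # Step 3: the client polls; tokens go to whoever holds device_code.
        auth = self.pending.get(device_code)
        if auth is None:
            return {"error": "invalid_grant"}
        if auth.authorized_user is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]
        tokens = {"token_type": "Bearer", "scope": auth.scope, "subject": auth.authorized_user,
                  "access_token": "at." + secrets.token_urlsafe(16),
                  "refresh_token": "rt." + secrets.token_urlsafe(16), "revoked": False}
        self.issued.append(tokens)
        return tokens

    def refresh(self, refresh_token: str) -> dict:
        # Step 4: fresh access tokens with no user interaction, until revocation.
        for t in self.issued:
            if t["refresh_token"] == refresh_token and not t["revoked"]:
                return {"access_token": "at." + secrets.token_urlsafe(16), "subject": t["subject"]}
        return {"error": "invalid_grant"}

    def revoke_sessions(self, user: str) -> int:
        # Incident response: invalidate every refresh token issued for this user.
        hits = [t for t in self.issued if t["subject"] == user and not t["revoked"]]
        for t in hits:
            t["revoked"] = True
        return len(hits)


def run_phish_scenario(server: ToyAuthorizationServer) -> dict:
    """Attacker starts the flow, the lure carries the code, the victim approves it
    on the genuine page, the attacker collects and reuses the tokens."""
    attacker_client = "attacker-laptop"    # constructed label, not a real client ID
    victim = "alice@contoso.example"       # constructed identity
    start = server.device_authorization(attacker_client, "Mail.Read Files.Read")
    if "error" in start:
        return {"outcome": "blocked", "reason": start["error_description"]}
    first_poll = server.token(start["device_code"])        # nothing yet
    approval = server.verify_user(start["user_code"], victim, mfa_passed=True)
    tokens = server.token(start["device_code"])            # now bound to the victim
    refreshed = server.refresh(tokens["refresh_token"])    # no prompt to the victim
    server.revoke_sessions(victim)
    after_revoke = server.refresh(tokens["refresh_token"])
    return {"outcome": "tokens_issued", "first_poll": first_poll.get("error"),
            "approval": approval["status"], "token_subject": tokens["subject"],
            "refresh_works": "access_token" in refreshed,
            "refresh_after_revoke": "access_token" in after_revoke}


if __name__ == "__main__":
    print(run_phish_scenario(ToyAuthorizationServer()))
    print(run_phish_scenario(ToyAuthorizationServer(device_code_flow_allowed=False)))
```

The first poll returns authorization_pending, the second (after the victim’s approval) returns the token pair, and refresh keeps working until revoke_sessions runs, which is why revoking sessions rather than only changing the password is the right first response. With device_code_flow_allowed set to False the attacker never even gets a code to put in the lure.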
FBI issues urgent Kali365 security warning for Teams, Outlook, OneDrive users https://t.co/J22HOHtP4C
— The Hill (@thehill) June 15, 2026
Security researchers and the FBI both stress that this is not “breaking” multi‑factor authentication so much as walking around it.[3] Those who value personal responsibility will see the pattern: the system works as designed, but social engineering turns the user into the weak link.
The kit simply makes that trick repeatable at scale for low‑skill crooks willing to pay a monthly fee rather than learn real technical skills.[2]
How Big the Threat Really Is and What Is New About It
Law enforcement first spotted Kali365 activity in April 2026, then watched it spread fast enough that a national public service announcement followed weeks later.
Analysts describe a polished ecosystem with dashboards to track victims, built‑in phishing templates, AI-written lures, and tools to continue using stolen mailboxes for further fraud.
None of the ingredients are brand new, but the packaging – a turnkey crime service that eats your tokens instead of your password – marks another step down in the skill needed to cause real harm.
Some security professionals argue that Kali365 is mainly a flashy brand on top of known “device code flow” abuse, which has been around for years.
That criticism has merit on the technical side, but it misses the bigger point. Once the FBI sees enough real‑world victims to issue a national alert, the debate over novelty becomes academic.
Practical Steps Workers and Small Businesses Can Take Today
The FBI’s own advice is surprisingly simple and aligns with what Microsoft and independent experts already recommend. First, teach one rule until people can repeat it in their sleep: never enter a code on a Microsoft verification page unless you started that sign‑in yourself, on your own device.[1] In a genuine device‑code sign‑in the code is shown by the device you are setting up, such as a TV app or a command‑line tool; it never arrives by email.
That single habit kills the core trick behind Kali365, because the whole scam depends on you trusting a code that came from email, not from your own action.
🚨 FBI WARNS MICROSOFT USERS ABOUT NEW KALI365 PHISHING SCAM.
The FBI is alerting Microsoft 365 users about a fast‑growing phishing‑as‑a‑service scam called Kali365. The tool helps attackers steal OAuth tokens and slip past multi‑factor authentication. It uses AI‑generated lures…
— The Content Factory (@tcf_updates) June 16, 2026
On the technical side, organizations can raise the bar without buying yet another shiny product. Administrators can restrict or disable the device code flow if it is not truly needed in their environment; in Microsoft Entra this is a Conditional Access policy that targets the device code flow under its authentication‑flows condition and blocks it for everyone except the few accounts and apps that genuinely use it, such as command‑line tools on headless machines.[1]
They can use further “conditional access” rules in Microsoft 365 to limit where and how tokens can be obtained, for example by requiring a compliant or organization‑joined device, which makes life harder for anyone connecting from strange locations or devices.[1]
And, as always, quick reporting of odd logins or new devices gives defenders a chance to cut off stolen tokens before real damage is done. Entra’s sign‑in logs record device‑code sign‑ins under their own authentication protocol, so they are easy to filter for, and revoking a user’s sign‑in sessions invalidates the refresh tokens the attacker holds and forces a fresh, visible sign‑in.
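The log‑side check described above, as an added example that is not taken from the FBI notice or from Microsoft’s documentation: it replays a handful of constructed sign‑in records shaped like Microsoft Graph /auditLogs/signIns output (the field names are the real ones, every value is made up), flags each successful device‑code sign‑in, and scores it by whether the user had ever used the flow before, whether the country is new for that user, and whether the client is on a tenant‑specific list of apps expected to use it. The EXPECTED_DEVICE_CODE_APPS list and the users_to_revoke helper are assumptions you would tune to your own tenant.

```python
"""Hunt for device-code sign-ins in Microsoft Entra ID sign-in records.

The records below are constructed to mirror the shape of Microsoft Graph
/auditLogs/signIns output; field names (authenticationProtocol, ipAddress,
location, appDisplayName, status) are the real ones, the values are made up.
Nothing here calls Graph; in practice feed it an exported JSON array."""
import json
from collections import defaultdict

SAMPLE_SIGNINS = json.loads("""[
 {"userPrincipalName": "bob@contoso.example", "createdDateTime": "2026-05-30T08:00:00Z",
  "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.44",
  "location": {"countryOrRegion": "US"}, "appDisplayName": "Microsoft Teams", "status": {"errorCode": 0}},
 {"userPrincipalName": "bob@contoso.example", "createdDateTime": "2026-06-01T10:00:00Z",
  "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.44",
  "location": {"countryOrRegion": "US"}, "appDisplayName": "Microsoft Azure CLI", "status": {"errorCode": 0}},
 {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2026-06-10T08:02:11Z",
  "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10",
  "location": {"countryOrRegion": "US"}, "appDisplayName": "Microsoft Teams", "status": {"errorCode": 0}},
 {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2026-06-12T09:15:40Z",
  "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.77",
  "location": {"countryOrRegion": "NL"}, "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
 {"userPrincipalName": "bob@contoso.example", "createdDateTime": "2026-06-12T10:00:00Z",
  "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.44",
  "location": {"countryOrRegion": "US"}, "appDisplayName": "Microsoft Azure CLI", "status": {"errorCode": 0}},
 {"userPrincipalName": "carol@contoso.example", "createdDateTime": "2026-06-12T11:30:00Z",
  "authenticationProtocol": "deviceCode", "ipAddress": "192.0.2.5",
  "location": {"countryOrRegion": "RU"}, "appDisplayName": "Microsoft Office", "status": {"errorCode": 50126}}
]""")

# Clients that legitimately need the device code flow in this (constructed) tenant:
# headless CLI tooling. Phishing kits usually present as an Office-style client.
EXPECTED_DEVICE_CODE_APPS = {"Microsoft Azure CLI", "Azure PowerShell"}


def find_device_code_alerts(signins: list) -> list:
    """Return one alert per successful device-code sign-in, scored against what
    the same user had done before it (chronological replay, so the baseline
    never peeks at later events)."""
    events = sorted(signins, key=lambda s: s["createdDateTime"])
    seen_countries = defaultdict(set)      # upn -> countries of earlier successful sign-ins
    device_code_count = defaultdict(int)   # upn -> earlier successful device-code sign-ins
    alerts = []
    for s in events:
        upn, country = s["userPrincipalName"], s["location"]["countryOrRegion"]
        if s["status"]["errorCode"] != 0:
            continue                        # a failed attempt never became a session
        if s["authenticationProtocol"] == "deviceCode":
            reasons = []
            if country not in seen_countries[upn]:
                reasons.append(f"new country {country}")
            if device_code_count[upn] == 0:
                reasons.append("first device-code sign-in for this user")
            if s["appDisplayName"] not in EXPECTED_DEVICE_CODE_APPS:
                reasons.append(f"unexpected client {s['appDisplayName']}")
            severity = "high" if len(reasons) >= 2 else "low" if reasons else "info"
            alerts.append({"user": upn, "time": s["createdDateTime"], "ip": s["ipAddress"],
                           "app": s["appDisplayName"], "severity": severity, "reasons": reasons})
            device_code_count[upn] += 1
        seen_countries[upn].add(country)
    return alerts


def users_to_revoke(alerts: list) -> list:
    """Users whose sessions should be revoked (Graph: POST /users/{id}/revokeSignInSessions),
    which invalidates their refresh tokens and forces a fresh, visible sign-in."""
    return sorted({a["user"] for a in alerts if a["severity"] == "high"})


if __name__ == "__main__":
    found = find_device_code_alerts(SAMPLE_SIGNINS)
    for a in found:
        print(a["severity"].upper(), a["user"], a["time"], a["ip"], "; ".join(a["reasons"]))
    print("revoke:", users_to_revoke(found))
```

A practitioner would run the same first filter as a one‑line Log Analytics query over the SigninLogs table’s AuthenticationProtocol column; the scoring above is the part that turns a stream of device‑code events into a short list worth revoking sessions for. Note that bob’s routine Azure CLI sign‑ins come out as low or info, while alice’s first‑ever device‑code sign‑in from a new country through an Office‑style client is the one that gets escalated.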
Sources:
[1] Web – FBI issues urgent Kali365 security warning for Teams, Outlook, …
[2] Web – FBI warns of Kali365 phishing scam targeting Microsoft 365 users
[3] Web – FBI warns about PhaaS platform used to access Microsoft 365 …