FBI Alarm: MFA Doesn’t Save Microsoft 365 Users

The FBI’s warning about Kali365 lands on a hard truth: the password is no longer the main prize.

Quick Take

  • Kali365 is a phishing-as-a-service platform the Federal Bureau of Investigation (FBI) says targets Microsoft 365 users.
  • The scam can bypass multi-factor authentication by abusing Microsoft access tokens and device codes, not by stealing passwords.[5]
  • Outlook, Teams, and OneDrive are among the services exposed after a successful attack.[3]
  • The FBI says the kit is sold through channels such as Telegram and gives less-skilled attackers ready-made tools.

Why This Warning Feels Different

Kali365 matters because it shows how fast phishing has changed. This is not the old game of fake login pages and obvious spelling errors. The FBI says the platform allows attackers to obtain Microsoft 365 access tokens and bypass multi-factor authentication without intercepting credentials.[5]

That means a victim can do everything “right” and still hand over access by following a believable set of instructions.

The attack starts with an email that appears to come from a trusted cloud or file-sharing service. The message includes a device code and tells the user to enter it on a real Microsoft verification page. That is the trap.

The page is legitimate, the padlock is real, and the victim thinks they are proving identity. In fact, they are authorizing the attacker’s device.

How Kali365 Breaks the Usual Defenses

The FBI says Kali365 targets OAuth device codes and token capture, which is why passwords do not stop it.[2] Once the attacker has the token, they can remain logged in to the account without needing another sign-in right away.[3] That access can reach Outlook mail, Teams conversations, and OneDrive files, which is why this warning hit so many office users at once.[3]

The greater danger is not just entry. It is follow-on abuse. The FBI says the platform lowers the barrier to entry for less-skilled criminals by offering AI-generated phishing lures, automated campaign templates, victim-tracking dashboards, and token-capture tools.[2]

In plain terms, Kali365 turns a technical attack into a packaged product. That makes the threat wider, faster, and easier to repeat.

Why Security Teams Should Pay Attention

This warning fits a larger pattern in identity theft. Microsoft has said phishers keep exploiting trusted services and routing tricks to make fake messages look internal and legitimate.

Microsoft also says phishing works by deceiving users with messages that appear genuine and pressuring them to act quickly. Kali365 follows that same pattern, but with a more dangerous twist: it uses Microsoft’s own sign-in flow against the user.

That is why the usual advice still matters, but must be sharper. Microsoft tells users to report suspicious messages from Outlook and Teams, avoid forwarding phishing emails, and keep the original message for review.

The FBI also urges people not to open links with access codes they did not request and to report suspicious logins or unauthorized devices to the Internet Crime Complaint Center.[2] Those steps are basic, but they are still the first line of defense.

For ordinary users, the key habit is simple: never enter a code on a Microsoft page unless you started that sign-in yourself.[1] For organizations, the FBI’s advice points to stronger identity controls, especially policies that limit device code flow where unnecessary. The lesson is blunt. When attackers no longer need your password, they will go after your trust instead.
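As an added example that is not part of the FBI alert or the cited reporting, here is a small Python detector for the organizational advice above: it reads records shaped like Microsoft Entra ID sign-in log entries and flags every sign-in that used the device code flow, raising the priority when the application or country is one the organization does not expect to see with that flow. The field names (authenticationProtocol, appDisplayName, location.countryOrRegion) are assumed from that log schema, and the sample records are constructed.

```python
import json

# Constructed records shaped like Microsoft Entra ID sign-in log entries.
# Field names are assumed from that schema; every value here is invented.
SAMPLE_SIGNIN_LOG = """
{"createdDateTime": "2024-05-01T08:02:11Z", "userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Office", "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"}}
{"createdDateTime": "2024-05-01T08:05:43Z", "userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "NL"}}
{"createdDateTime": "2024-05-01T09:12:00Z", "userPrincipalName": "bob@example.com", "appDisplayName": "Azure CLI", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.22", "location": {"countryOrRegion": "US"}}
"""


def parse_signins(raw):
    """Parse newline-delimited JSON sign-in records into dicts."""
    return [json.loads(line) for line in raw.strip().splitlines() if line.strip()]


def flag_device_code_signins(records, allowed_apps=frozenset(), home_countries=frozenset()):
    """Return one finding per sign-in that used the device code flow.

    Every device-code sign-in is reported for review, because an attacker who
    phished the code holds the resulting token. A finding becomes 'high' when
    the app is not one the org has approved for the flow, or when the sign-in
    comes from a country outside the org's usual footprint.
    """
    findings = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        reasons = ["device code flow used"]
        app = rec.get("appDisplayName")
        if app not in allowed_apps:
            reasons.append("app not approved for device code flow: %s" % app)
        country = rec.get("location", {}).get("countryOrRegion")
        if home_countries and country not in home_countries:
            reasons.append("sign-in from unexpected country: %s" % country)
        findings.append({
            "user": rec.get("userPrincipalName"),
            "time": rec.get("createdDateTime"),
            "ip": rec.get("ipAddress"),
            "severity": "high" if len(reasons) > 1 else "review",
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in flag_device_code_signins(parse_signins(SAMPLE_SIGNIN_LOG),
                                      allowed_apps={"Azure CLI"}, home_countries={"US"}):
        print(f["severity"], f["user"], f["ip"], "; ".join(f["reasons"]))
```

In the constructed data the Office sign-in from NL is the one that matches the pattern the FBI describes, and it is the only finding rated high.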

Sources:

[1] Web – FBI issues urgent Kali365 security warning for Teams, Outlook, …

[2] Web – FBI warns of Kali365 phishing scam targeting Microsoft 365 users

[3] Web – FBI warns about PhaaS platform used to access Microsoft 365 …

[5] Web – FBI – Facebook