WASHINGTON - The FBI is alerting the public to a new cyber threat involving a Phishing‑as‑a‑Service kit known as Kali365, which is designed to hijack Microsoft 365 access tokens.
The threat was first identified in April 2026. According to the FBI, Kali365 has been distributed primarily through Telegram, allowing scammers to obtain Microsoft 365 access tokens and bypass multi‑factor authentication protocols without obtaining user credentials.
Through a Kali365 subscription, attackers can capture OAuth tokens and gain persistent access to targeted Microsoft 365 environments.
Officials say the platform lowers the barrier for less‑technical attackers by offering AI‑generated phishing lures, automated campaign templates, real‑time tracking dashboards and token‑capture tools.
How the Scam Works
- Lure: An attacker sends a phishing email impersonating a trusted cloud productivity or document-sharing service. The email contains a device code with instructions to visit a legitimate Microsoft verification page and enter the code.
- Authorization: The targeted individuals/entities navigate to the real Microsoft page and paste in the device code, unknowingly authorizing the attacker's device to access their account.
- Token Theft: The attacker captures OAuth access and refresh tokens, granting them access to the targeted individuals/entities' Microsoft 365 account.
- Persistence: The attacker can now access Microsoft 365 services such as Outlook, Teams, and OneDrive without needing a password or completing any additional MFA challenges.
Tips to Protect Yourself
- Restricting the device code flow (limiting or blocking device authentication codes) can help prevent or limit this style of attack.
- Create a conditional access policy to block device code flow for all users, with limited exceptions for required business processes.
- Audit existing device code flow usage to identify legitimate dependencies before creating a conditional access policy.
- Block authentication transfer by policy to prevent users from transferring authentication from computers to mobile devices.
- If you cannot completely restrict device code flow usage, exclude emergency access accounts to prevent lockouts.
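As an added example (not from the FBI alert), the audit and policy steps above in code: the first function scans sign-in records shaped like Microsoft Graph signIn objects for device code sign-ins that are not on a known-dependency allowlist, and the second builds a Conditional Access policy body that blocks device code flow and authentication transfer for all users while excluding emergency-access accounts. The sample records and allowlist are constructed, and the policy body assumes the Graph conditionalAccessPolicy authenticationFlows schema.

```python
from collections import defaultdict

# Constructed sample records shaped like Microsoft Graph signIn objects
# (only the fields used here); not real log data.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10"},
    {"userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7"},
    {"userPrincipalName": "svc-kiosk@example.com", "appDisplayName": "Lobby Kiosk",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.44"},
    {"userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7"},
    {"userPrincipalName": "carol@example.com", "appDisplayName": "Microsoft Teams",
     "authenticationProtocol": "authenticationTransfer", "ipAddress": "203.0.113.10"},
]

# Hypothetical allowlist of (user, app) pairs known to legitimately need device code flow.
KNOWN_DEVICE_CODE_USERS = {("svc-kiosk@example.com", "Lobby Kiosk")}


def audit_device_code_signins(signins, allowlist):
    """Return {(user, app): count} for device code sign-ins not on the allowlist.
    These are the dependencies to review before enforcing a block policy."""
    findings = defaultdict(int)
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue
        key = (s["userPrincipalName"], s["appDisplayName"])
        if key not in allowlist:
            findings[key] += 1
    return dict(findings)


def build_block_policy(exclude_user_ids):
    """Conditional Access policy body (Graph conditionalAccessPolicy shape) that blocks
    device code flow and authentication transfer for all users, excluding the given
    emergency-access account object IDs so that enforcement cannot lock admins out.
    Assumption: transferMethods values follow the Graph authenticationFlows schema."""
    return {
        "displayName": "Block device code flow and authentication transfer",
        "state": "enabledForReportingButNotEnforced",  # report-only first, then "enabled"
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(exclude_user_ids)},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }
```

Run the audit against exported sign-in logs until the findings are empty or every remaining pair is deliberately allowlisted, then switch the policy state to "enabled".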
Report any impact from the Kali365 phishing kit to the Internet Crime Complaint Center at IC3.gov, including details such as phishing emails, suspicious logins, and any unauthorized devices or active sessions added to the account.
The Source: Information in this article comes from the Federal Bureau of Investigation.