FBI alerts users to Microsoft Teams, Outlook phishing risk
Source: Reuters

The FBI has issued an urgent warning for individuals and organizations using Microsoft 365 services, including Microsoft Teams, Outlook, and OneDrive, about a rapidly spreading phishing scheme, News.Az reports, citing Fastcompany.com.

According to the agency, the scam is actively targeting users of these widely used Microsoft products and is capable of capturing Microsoft authentication tokens in a way that allows attackers to bypass multifactor authentication without needing to obtain a user’s password.

At the core of this operation is a hacking platform known as Kali365.

Unlike conventional phishing attacks that focus on stealing usernames and passwords, Kali365 specifically targets OAuth device codes—digital authentication keys that allow applications to access accounts and data without requiring a password login. By exploiting these tokens, cybercriminals can gain unauthorized access to Microsoft 365 accounts and potentially reach a broad range of sensitive information stored within them.

Reports indicate that Kali365 operates as a subscription-based service that was first identified in April 2026. It has been actively promoted primarily through Telegram channels. Cybersecurity firm Bitdefender has reported that access to the service is being sold to scammers for approximately $250 per month or around $2,000 per year, making it relatively accessible to a wide range of threat actors.

The FBI emphasized that the threat is particularly concerning because it enables account compromise without the attacker ever needing the victim’s password. “Kali365 lowers the barrier of entry, providing less-technical attackers access to AI-generated phishing lures, automated campaign templates, real-time targeted individual/entity tracking dashboards, and OAuth token capture capabilities,” the FBI said.

Security researchers have already observed active exploitation of this platform, reporting hundreds of Kali365-related attacks during April alone. According to these findings, the threat is not theoretical but already ongoing and affecting users in real-world scenarios.

The attack follows a deceptively simple sequence. A victim receives a phishing email designed to look like it came from a trusted cloud service. The email contains a device code and instructs the recipient to visit a legitimate Microsoft verification page to enter it.

The moment the user does this, they have unknowingly handed the attacker full access to their account.

Once the code is entered, the attacker captures the OAuth access token, granting them full entry into the victim’s Microsoft 365 account. From there, they can freely navigate Outlook, Teams, and OneDrive without ever needing a password or completing any additional authentication steps.

What makes the scam particularly convincing is that there is no fake website to spot and no misspelled domain name, making it difficult for a user to distinguish the phishing attempt from a legitimate request.
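For defenders, the sequence described above leaves a trace: the token is issued through the device code flow, which sign-in logs record. The following Python example is added here and is not part of the original article or the FBI advisory; it filters constructed sign-in records for successful device code sign-ins by accounts not expected to use that flow. Field names follow the Microsoft Entra sign-in log schema; the accounts, IP addresses, app names and allowlist are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample sign-in records (not real data), one JSON object per line.
# Field names follow the Microsoft Entra sign-in log schema; every value is
# made up, including the non-zero errorCode that stands for a failed sign-in.
SAMPLE_LOG = """\
{"createdDateTime":"2026-04-14T09:02:11Z","userPrincipalName":"room-a@example.com","appDisplayName":"Example Room Device","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.10","status":{"errorCode":0}}
{"createdDateTime":"2026-04-14T09:05:40Z","userPrincipalName":"alice@example.com","appDisplayName":"Example Mail Client","authenticationProtocol":"oAuth2","ipAddress":"198.51.100.22","status":{"errorCode":0}}
{"createdDateTime":"2026-04-14T09:17:03Z","userPrincipalName":"bob@example.com","appDisplayName":"Example Office App","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.77","status":{"errorCode":0}}
{"createdDateTime":"2026-04-14T09:20:55Z","userPrincipalName":"carol@example.com","appDisplayName":"Example Office App","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.77","status":{"errorCode":1}}
{"createdDateTime":"2026-04-14T09:12:30Z","userPrincipalName":"Bob@example.com","appDisplayName":"Example Office App","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.80","status":{"errorCode":0}}
"""

# Assumption: accounts the organization expects to sign in with device codes
# (for example shared meeting-room devices). Hypothetical value.
EXPECTED_DEVICE_CODE_USERS = {"room-a@example.com"}


def parse_signins(text):
    """Parse JSON-lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def unexpected_device_code_signins(records, expected_users):
    """Return {user: [(time, ip, app), ...]} for successful device code
    sign-ins by accounts that are not on the allowlist."""
    hits = defaultdict(list)
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue  # some other sign-in protocol
        if rec.get("status", {}).get("errorCode") != 0:
            continue  # sign-in did not succeed
        user = rec.get("userPrincipalName", "").lower()
        if user in expected_users:
            continue  # device code flow is expected for this account
        hits[user].append(
            (rec["createdDateTime"], rec.get("ipAddress"), rec.get("appDisplayName"))
        )
    # Sort each user's events chronologically (ISO 8601 strings sort by time).
    return {user: sorted(events) for user, events in hits.items()}


if __name__ == "__main__":
    found = unexpected_device_code_signins(parse_signins(SAMPLE_LOG), EXPECTED_DEVICE_CODE_USERS)
    for user, events in found.items():
        for when, ip, app in events:
            print(f"REVIEW {user} {when} ip={ip} app={app}")
```

Each flagged account is a candidate for review and token revocation rather than proof of compromise, since legitimate device code sign-ins by accounts missing from the allowlist will also appear.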

“This phishing scam is getting more sophisticated by the day, with AI-generated lures and automated templates,” one user wrote in response to the FBI’s warning.

However, the FBI says there are steps users can take to protect themselves, including not opening any links with access codes that they didn’t request. Additionally, those who have been affected by the Kali365 phishing kit can file a complaint with the Internet Crime Complaint Center.


News.Az 

By Nijat Babayev
