The Federal Bureau of Investigation (FBI) has issued an urgent cybersecurity warning about a rapidly spreading scam targeting Microsoft 365 users, including those using Teams, Outlook, and OneDrive.
According to the FBI, the attack involves a phishing-as-a-service platform known as “Kali365,” which cybercriminals use to steal OAuth device codes and gain unauthorized access to Microsoft accounts without needing the victim’s password, bypassing traditional multifactor authentication (MFA) protections.
The agency explained that attackers send phishing emails impersonating trusted cloud services or document-sharing platforms. These emails contain a device code and instruct users to visit Microsoft’s own verification page to enter it. Once the code is entered, the user unknowingly authorizes the attacker’s device, granting it access to their Microsoft 365 account.
Security officials warned that this method allows attackers to capture OAuth access and refresh tokens, which can be used to access services such as Outlook, Teams, and OneDrive even without the user’s login credentials.
The FBI described Kali365 as an emerging phishing-as-a-service platform that provides cybercriminals with advanced tools, including AI-generated phishing templates, automated campaign systems, real-time monitoring dashboards, and token-capture capabilities. The platform is reportedly being sold on a subscription basis for around $250 per month, making sophisticated cyberattacks accessible to less technically skilled actors.
Officials noted that the scam is particularly dangerous because it does not rely on stolen passwords. Instead, it exploits device-code authentication workflows, allowing attackers to bypass MFA protections once a user is tricked into entering a code.
The FBI has advised users to avoid clicking unknown links or entering authentication codes that they did not personally request. It also urged individuals and organizations to report suspicious emails, unauthorized logins, and unfamiliar device activity to the Internet Crime Complaint Center (IC3), including relevant details such as email headers, login times, IP addresses, and locations.
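The abuse described above leaves a trace: sign-ins completed through the device-code flow are recorded as such in Microsoft Entra sign-in logs. The script below is an added example (not part of the FBI advisory or any Microsoft tooling) that flags device-code sign-ins and ranks them against each user’s normal sign-in locations, producing the details (user, time, IP, location, application) the advisory asks reporters to include. It assumes records shaped like the Microsoft Graph `signIn` resource, where the `authenticationProtocol` field carries the value `deviceCode`; the sample records are constructed, not real telemetry.

```python
"""Flag Microsoft 365 sign-ins that used the OAuth device-code flow.

Added example, not code from the FBI advisory or from Microsoft. Record
layout follows the Microsoft Graph signIn resource (subset of fields);
the sample data below is constructed for illustration.
"""
import json
from collections import defaultdict

# Constructed sample sign-in records (one JSON object per line). Made-up
# users, times and documentation-range IP addresses; not real telemetry.
SAMPLE_SIGNINS_JSONL = """\
{"userPrincipalName": "alice@example.com", "createdDateTime": "2024-05-01T08:02:11Z", "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"}, "authenticationProtocol": "oAuth2", "appDisplayName": "Microsoft Teams"}
{"userPrincipalName": "alice@example.com", "createdDateTime": "2024-05-01T09:15:42Z", "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"}, "authenticationProtocol": "oAuth2", "appDisplayName": "Outlook"}
{"userPrincipalName": "alice@example.com", "createdDateTime": "2024-05-02T14:40:03Z", "ipAddress": "198.51.100.77", "location": {"countryOrRegion": "NL"}, "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office"}
{"userPrincipalName": "bob@example.com", "createdDateTime": "2024-05-01T07:58:30Z", "ipAddress": "192.0.2.5", "location": {"countryOrRegion": "GB"}, "authenticationProtocol": "oAuth2", "appDisplayName": "OneDrive"}
{"userPrincipalName": "bob@example.com", "createdDateTime": "2024-05-02T10:05:12Z", "ipAddress": "192.0.2.5", "location": {"countryOrRegion": "GB"}, "authenticationProtocol": "deviceCode", "appDisplayName": "Azure CLI"}
{"userPrincipalName": "carol@example.com", "createdDateTime": "2024-05-02T16:22:55Z", "ipAddress": "198.51.100.9", "location": {"countryOrRegion": "BR"}, "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office"}
"""


def parse_signins(jsonl: str) -> list[dict]:
    """Parse JSON-lines export into a list of sign-in records."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def build_baseline(records: list[dict]) -> dict:
    """Per user, collect countries and IPs seen on sign-ins that did NOT use
    the device-code flow; these form the user's 'normal' footprint."""
    baseline = defaultdict(lambda: {"countries": set(), "ips": set()})
    for rec in records:
        if rec.get("authenticationProtocol") == "deviceCode":
            continue
        entry = baseline[rec["userPrincipalName"]]
        entry["countries"].add(rec.get("location", {}).get("countryOrRegion"))
        entry["ips"].add(rec.get("ipAddress"))
    return baseline


def find_device_code_alerts(records: list[dict]) -> list[dict]:
    """Return one alert per device-code sign-in, ranked high/medium.

    Every device-code sign-in is worth a look because ordinary Teams,
    Outlook and OneDrive usage never needs that flow; a country the user has
    never signed in from raises it to high.
    """
    baseline = build_baseline(records)
    alerts = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        user = rec["userPrincipalName"]
        country = rec.get("location", {}).get("countryOrRegion")
        ip = rec.get("ipAddress")
        known = baseline.get(user)  # .get() does not create a default entry
        if known is None:
            severity, reason = "high", "no prior non-device-code sign-ins to compare against"
        elif country not in known["countries"]:
            severity, reason = "high", f"country {country} never seen for this user"
        elif ip not in known["ips"]:
            severity, reason = "medium", f"IP {ip} not in the user's baseline"
        else:
            severity, reason = "medium", "device-code flow from a familiar location; confirm the user requested it"
        alerts.append({
            "severity": severity,
            "user": user,
            "time": rec.get("createdDateTime"),
            "ip": ip,
            "country": country,
            "app": rec.get("appDisplayName"),
            "reason": reason,
        })
    # High-severity alerts first, then chronological order.
    alerts.sort(key=lambda a: (a["severity"] != "high", a["time"]))
    return alerts


if __name__ == "__main__":
    for alert in find_device_code_alerts(parse_signins(SAMPLE_SIGNINS_JSONL)):
        print(json.dumps(alert))
```

Run against a real export by replacing the constructed JSON lines with records pulled from the Entra sign-in logs. As a preventive control, Microsoft Conditional Access offers an authentication-flows condition that can block the device code flow outright for users and groups that never need it, which removes the attack surface this scam depends on.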
Microsoft, in response, stated that it is working closely with cybersecurity agencies to combat phishing-as-a-service platforms and has previously disrupted similar cybercrime operations. The company emphasized that its Digital Crimes Unit continues to take action against tools designed to facilitate account takeover and data theft.
Authorities have urged heightened vigilance among Microsoft 365 users as cybercriminals continue to develop more advanced methods to bypass traditional security systems.