FBI warns Microsoft users about passwordless scam

The security step many of us trust most may not protect us the way we think. The FBI is warning about an emerging phishing-as-a-service platform called Kali365.

It targets Microsoft 365 accounts, including Outlook, Teams and OneDrive. That alone sounds bad. The scarier part is how it works.
This scam can get into your account without stealing your password. Even with multifactor authentication turned on, one wrong device-code approval could give a criminal access, because you sign in and pass the MFA prompt yourself on Microsoft's genuine page; there is nothing for the attacker to intercept or defeat. Here's how the scam works, why it can slip past MFA and what you can do to protect your Microsoft account.

A fake device-code request can trick Microsoft 365 users into approving access without ever sharing a password. (Kurt "CyberGuy" Knutsson)

Kali365 is a phishing-as-a-service platform. In other words, crooks can subscribe to it and use ready-made tools to attack Microsoft 365 accounts.
The FBI says Kali365 was first seen in April 2026 and has mainly spread through Telegram. The platform gives attackers AI-generated phishing messages, automated campaign templates, tracking dashboards and tools that capture OAuth tokens.

That last part is the key. OAuth tokens are digital access keys. They let an app stay connected to your Microsoft account without asking for your password every time.

They are useful when the right app holds them. They are dangerous when a scammer does, because the scammer can then use your account from their own machine, with whatever access the token grants, without ever learning your password. Most phishing scams try to steal your password.

Kali365 takes a different route. The attack abuses Microsoft's device code login process, a sign-in method designed for devices with no browser or keyboard of their own.

You may have seen something similar when signing into a streaming app on a smart TV. A screen shows a short code.

Then you enter that code on another device, such as your phone, to approve the sign-in. That process is legitimate. The scam begins when a criminal starts the sign-in from their own device and tricks you into approving it: the code in the phishing message is the criminal's code, you enter it and pass MFA on Microsoft's real page, and the resulting tokens are delivered to the device that started the flow, which is the criminal's.
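To make concrete why approving someone else's code hands them your account, here is an added example that is not from the FBI notice or this article. It models the OAuth 2.0 Device Authorization Grant (RFC 8628), which is the protocol behind Microsoft's device code login, as an in-memory authorization server with a simulated clock, and replays the scam against it. Nothing here contacts Microsoft; the client id, scopes, verification URL and IP addresses (RFC 5737 documentation ranges) are constructed for the example. Microsoft's real endpoints are https://login.microsoftonline.com/{tenant}/oauth2/v2.0/devicecode and .../oauth2/v2.0/token, and the real page where the victim types the code is https://microsoft.com/devicelogin.

```python
"""Toy model of the OAuth 2.0 Device Authorization Grant (RFC 8628).

Added example, not Microsoft's or the article's code. Field and error names
follow RFC 8628; client id, scopes, URL and IPs are constructed.
"""
from __future__ import annotations
import secrets
from dataclasses import dataclass

# RFC 8628 section 6.1 suggests short codes from an alphabet without ambiguous
# characters; Microsoft's real codes are 9 alphanumeric characters.
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"


@dataclass
class PendingAuth:
    client_id: str
    scope: str
    started_from_ip: str          # who asked for the code, i.e. who will poll for tokens
    expires_at: float
    approved_by: str | None = None
    approved_from_ip: str | None = None
    last_poll: float = float("-inf")


class AuthServer:
    """Minimal /devicecode, verification page and /token with a caller-supplied clock."""

    def __init__(self, lifetime_s: float = 900.0, interval_s: float = 5.0):
        self.lifetime_s = lifetime_s
        self.interval_s = interval_s
        self._pending: dict[str, PendingAuth] = {}   # device_code -> state
        self._user_codes: dict[str, str] = {}        # user_code -> device_code
        self.issued: list[dict] = []                 # what a sign-in log would record

    def device_authorization(self, client_id: str, scope: str, client_ip: str, now: float) -> dict:
        """Step 1: the client (in the scam, the criminal's machine) requests the codes."""
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))
        self._pending[device_code] = PendingAuth(client_id, scope, client_ip, now + self.lifetime_s)
        self._user_codes[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://idp.example/device",   # constructed
                "expires_in": self.lifetime_s, "interval": self.interval_s}

    def user_approves(self, user_code: str, user: str, user_ip: str, now: float) -> str:
        """Step 2: a person types the user_code on the genuine sign-in page and passes
        password + MFA there. The server cannot tell whether the code was read off the
        user's own TV or copied from a phishing email."""
        device_code = self._user_codes.get(user_code)
        if device_code is None or device_code not in self._pending:
            return "invalid_code"
        pending = self._pending[device_code]
        if now > pending.expires_at:
            return "expired"
        pending.approved_by, pending.approved_from_ip = user, user_ip
        return "approved"

    def token(self, device_code: str, now: float) -> dict:
        """Step 3: the client polls /token; error codes are those of RFC 8628 section 3.5."""
        pending = self._pending.get(device_code)
        if pending is None:
            return {"error": "invalid_grant"}
        if now > pending.expires_at:
            del self._pending[device_code]
            return {"error": "expired_token"}
        if now - pending.last_poll < self.interval_s:
            return {"error": "slow_down"}
        pending.last_poll = now
        if pending.approved_by is None:
            return {"error": "authorization_pending"}
        # Approved: the tokens are for the approver's account but go to the poller.
        self.issued.append({"user": pending.approved_by, "client_id": pending.client_id,
                            "scope": pending.scope,
                            "approved_from_ip": pending.approved_from_ip,
                            "token_delivered_to_ip": pending.started_from_ip})
        del self._pending[device_code]
        return {"token_type": "Bearer", "scope": pending.scope,
                "access_token": "at_" + secrets.token_urlsafe(16),
                "refresh_token": "rt_" + secrets.token_urlsafe(16)}


def run_attack() -> dict:
    """Replays the scam with a simulated clock. Client id, scopes and IPs are constructed."""
    idp = AuthServer()
    attacker_ip, victim_ip = "203.0.113.7", "198.51.100.20"
    # 1. Criminal starts the flow; the user_code is what the phishing message carries.
    start = idp.device_authorization("attacker-cli", "Mail.Read Files.Read offline_access", attacker_ip, 0.0)
    polls = [idp.token(start["device_code"], 1.0)["error"],    # authorization_pending
             idp.token(start["device_code"], 2.0)["error"]]    # slow_down: polled too soon
    # 2. Victim enters the code on the real sign-in page and passes MFA there.
    approval = idp.user_approves(start["user_code"], "victim@contoso.example", victim_ip, 30.0)
    # 3. Criminal's next poll receives the victim's tokens; no password ever reached them.
    result = idp.token(start["device_code"], 31.0)
    polls.append("token" if "access_token" in result else result["error"])
    return {"approval": approval, "polls": polls, "audit": idp.issued[-1]}


def run_late_approval() -> str:
    """A code approved after expires_in is useless: the lure only works inside the window."""
    idp = AuthServer(lifetime_s=900.0)
    start = idp.device_authorization("attacker-cli", "Mail.Read", "203.0.113.7", 0.0)
    return idp.user_approves(start["user_code"], "victim@contoso.example", "198.51.100.20", 901.0)


if __name__ == "__main__":
    print(run_attack())
    print(run_late_approval())
```

The audit record that `run_attack()` returns is the point: the account is the victim's, the approval came from the victim's address, but the tokens were handed to the address that started the flow. That split between where the code was approved and where it was redeemed is what a defender looks for in sign-in logs, and the expiry check in `run_late_approval()` shows why these lures push for immediate action.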
You may see a phishing email that looks like it came from a trusted cloud service ...