FBI sounds alarm on phishing tool that steals Microsoft 365 accounts without passwords

By News Room | May 28, 2026

The FBI is warning that a new hacking platform is allowing cybercriminals to hijack Microsoft 365 accounts — including Outlook, Teams and OneDrive — while bypassing multi-factor authentication entirely.

The bureau posted a public service announcement last week sounding the alarm about the “Phishing-as-a-Service” toolkit known as Kali365, which is being used to steal Microsoft 365 access tokens and gain entry to victim accounts without intercepting passwords.

The feds say that Kali365 makes it easy for even amateur hackers to run advanced phishing scams that used to require serious technical skills.

“Kali365 lowers the barrier of entry, providing less-technical attackers access to AI-generated phishing lures, automated campaign templates, real-time targeted individual/entity tracking dashboards, and OAuth token capture capabilities,” the FBI warned.

The scheme exploits Microsoft’s legitimate OAuth 2.0 “device code” authentication system — a feature commonly used to log into smart TVs, streaming devices and other hardware with limited keyboards.

Rather than stealing passwords directly, attackers trick victims into entering a code on a real Microsoft login page, unknowingly authorizing the hacker’s device.

“The device code flow is a legitimate authentication method that is being actively exploited by cybercriminals to bypass multi-factor authentication,” the FBI said in its advisory.

“By tricking users into entering a device code on a legitimate Microsoft page, attackers can gain persistent access to accounts without ever needing the user’s credentials.”

Victims receive phishing emails impersonating services like SharePoint, OneDrive or Microsoft Teams.

The emails instruct targets to visit Microsoft’s legitimate device login page and enter a short-lived authentication code.

Once the victim completes the process and passes MFA checks, Microsoft issues valid OAuth access and refresh tokens directly to the attacker.

That allows hackers to access Outlook inboxes, Teams accounts and cloud-stored files without ever needing the victim’s password again.

The FBI warned that attackers can maintain persistent access to accounts until the stolen tokens are manually revoked.

Matt Burk, chief information security officer at Bespoke Concierge MD, told The Post the attacks have become increasingly effective because Microsoft’s widespread enforcement of multi-factor authentication has forced cybercriminals to adapt.

“Since Microsoft has globally enforced MFA, this method of cyber attack is designed to bypass MFA and the need for a password,” he said.

Asked which industries or employees are most vulnerable, Burk warned that virtually anyone using Microsoft 365 could be targeted.

“I absolutely hate to generalize, but everyone from a small mom-and-pop business to a large Fortune 500 company,” he said.

Burk added that organizations should deploy third-party Security Information and Event Management, or SIEM, systems capable of detecting suspicious authentication activity tied to token theft.

“Using these tools can detect access like the Kali365 exploit and with the correct security features can automatically shut down the connection,” he said.
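The kind of sign-in log check such a detection rule performs, as an added example that is not from the FBI advisory or this article: it flags successful device-code sign-ins by accounts not expected to use that flow. The field names are assumed to follow the Microsoft Graph signIn resource; the allowlist, accounts and all record values are constructed.

```python
from collections import defaultdict

# Constructed sample records. Field names are assumed to follow the Microsoft
# Graph signIn resource; every value below is invented for illustration.
def _rec(time, user, proto, ip, country, err=0):
    return {"createdDateTime": time, "userPrincipalName": user,
            "authenticationProtocol": proto, "ipAddress": ip,
            "location": {"countryOrRegion": country}, "status": {"errorCode": err}}

SAMPLE_SIGNINS = [
    _rec("2026-05-20T09:01:00Z", "alice@example.com", "oAuth2", "198.51.100.10", "US"),
    _rec("2026-05-21T08:55:00Z", "alice@example.com", "oAuth2", "198.51.100.10", "US"),
    _rec("2026-05-21T14:30:00Z", "room-display@example.com", "deviceCode", "198.51.100.20", "US"),
    _rec("2026-05-22T03:12:00Z", "alice@example.com", "deviceCode", "203.0.113.55", "NL"),
    _rec("2026-05-22T10:40:00Z", "bob@example.com", "deviceCode", "198.51.100.30", "US"),
    _rec("2026-05-22T11:05:00Z", "carol@example.com", "deviceCode", "203.0.113.77", "NL", err=1),
]

# Hypothetical allowlist: accounts that are expected to use the device code flow.
DEVICE_CODE_ALLOWLIST = {"room-display@example.com"}

def detect_device_code_signins(records, allowlist=DEVICE_CODE_ALLOWLIST):
    """Flag successful device-code sign-ins by accounts not expected to use them."""
    seen_countries = defaultdict(set)  # user -> countries from earlier clean sign-ins
    alerts = []
    for r in sorted(records, key=lambda r: r["createdDateTime"]):
        if r["status"]["errorCode"] != 0:
            continue  # no tokens are issued on a failed sign-in
        user = r["userPrincipalName"]
        country = r["location"]["countryOrRegion"]
        if r["authenticationProtocol"] == "deviceCode" and user not in allowlist:
            reasons = ["device code flow used by non-allowlisted account"]
            if seen_countries[user] and country not in seen_countries[user]:
                reasons.append("country not seen in this user's earlier sign-ins")
            alerts.append({"user": user, "time": r["createdDateTime"],
                           "ip": r["ipAddress"], "reasons": reasons})
            continue  # do not let a flagged sign-in extend the baseline
        seen_countries[user].add(country)
    return alerts

if __name__ == "__main__":
    for alert in detect_device_code_signins(SAMPLE_SIGNINS):
        print(alert["time"], alert["user"], alert["ip"], "; ".join(alert["reasons"]))
```

An alert here is a triage lead; because access persists until the tokens are revoked, the response to a confirmed hit includes revoking that account's sessions.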

Ordinary users should take the threat seriously because the attacks target cloud-based computing platforms used daily by businesses and consumers alike, according to the expert.

“Everybody should be concerned with this exploit,” Burk said.

Cybersecurity researchers say the emergence of Kali365 marks a major escalation in the growing “phishing-as-a-service” underground economy, where sophisticated attack tools are sold to low-skilled criminals via subscription services on Telegram and dark web forums.

The bureau said Kali365 was first observed last month and has rapidly spread among cybercriminal groups.

The platform automates phishing campaigns and provides dashboards that allow attackers to monitor victims in real time.

Federal authorities said the operation is part of a broader wave of attacks targeting Microsoft 365 environments globally.

Scattered Spider, also known as Octo Tempest, is a notorious English-speaking cybercrime group known for aggressive social engineering and SIM-swapping attacks targeting large corporations.

Another entity, Storm-2949, has focused on compromising IT administrators and senior executives through abuse of Microsoft password reset systems and cloud authentication tools.

The Post has sought comment from Microsoft.

© 2026 USA Times. All Rights Reserved.