The FBI is warning that a new hacking platform is allowing cybercriminals to hijack Microsoft 365 accounts — including Outlook, Teams and OneDrive — while sidestepping multi-factor authentication: the victim still completes the MFA challenge, but the resulting tokens land with the attacker.
The bureau posted a public service announcement last week sounding the alarm about the “Phishing-as-a-Service” toolkit known as Kali365, which is being used to steal Microsoft 365 access tokens and gain entry to victim accounts without intercepting passwords.
The feds say that Kali365 makes it easy for even amateur hackers to run advanced phishing scams that used to require serious technical skills.
“Kali365 lowers the barrier of entry, providing less-technical attackers access to AI-generated phishing lures, automated campaign templates, real-time targeted individual/entity tracking dashboards, and OAuth token capture capabilities,” the FBI warned.
The scheme abuses Microsoft’s legitimate OAuth 2.0 “device code” flow (the device authorization grant) — a feature built for signing in on smart TVs, streaming devices and other hardware with limited keyboards, where the user is sent to a login page on a second device and types in a short code. It is a design feature of the protocol, not a software flaw, which is why the login page the victim sees is genuinely Microsoft’s.
Rather than stealing passwords directly, attackers generate a device code with their own tooling, then trick victims into entering it on a real Microsoft login page, unknowingly authorizing the hacker’s device.
“The device code flow is a legitimate authentication method that is being actively exploited by cybercriminals to bypass multi-factor authentication,” the FBI said in its advisory.
“By tricking users into entering a device code on a legitimate Microsoft page, attackers can gain persistent access to accounts without ever needing the user’s credentials.”
Victims receive phishing emails impersonating services like SharePoint, OneDrive or Microsoft Teams.
The emails instruct targets to visit Microsoft’s legitimate device login page and enter a short-lived authentication code. Microsoft’s device codes expire after roughly 15 minutes, which is why such lures press for immediate action.
Once the victim completes the process and passes MFA checks, Microsoft issues valid OAuth access and refresh tokens directly to the attacker’s client, which has been polling Microsoft’s token endpoint while waiting for the victim to finish.
That allows hackers to access Outlook inboxes, Teams accounts and cloud-stored files without ever needing the victim’s password again.
The FBI warned that attackers can maintain persistent access to accounts until the stolen tokens are revoked. The access token is short-lived, but the refresh token lets the attacker keep minting new ones, so remediation means revoking the user’s sign-in sessions (which invalidates refresh tokens) rather than waiting for the tokens to lapse; administrators can also block the device code flow outright for users who do not need it through an Entra ID Conditional Access policy on authentication flows.
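How the flow ends with the attacker holding the victim’s tokens is easiest to see in code. The following is an added example written for this page, not code from the FBI advisory or from any phishing kit: a constructed, in-memory authorization server implementing the three steps of the OAuth 2.0 device authorization grant (RFC 8628), with the attacker’s poller on one side and the victim’s sign-in on the other. The verification URL, client ID and victim address are placeholders, and the code format and 15-minute lifetime are assumptions modelled on Microsoft’s public documentation rather than taken from this article.

```python
"""Simulated OAuth 2.0 device authorization grant (RFC 8628), the "device code"
flow, and how a phishing operator ends up holding the victim's tokens.
Constructed in-memory stand-in for the authorization server; not Microsoft's code."""
import secrets
import string
from dataclasses import dataclass
from typing import Optional

USER_CODE_ALPHABET = string.ascii_uppercase + string.digits   # assumption about code format
DEVICE_CODE_LIFETIME = 900   # seconds; Microsoft's flow documents roughly 15 minutes
POLL_INTERVAL = 5            # RFC 8628 "interval": seconds between client polls


@dataclass
class PendingAuthorization:
    device_code: str               # long secret, returned only to the requesting client
    user_code: str                 # short code the victim types on the real sign-in page
    client_id: str
    scope: str
    expires_at: int
    approved_by: Optional[str] = None   # UPN of whoever completed sign-in with user_code


class MockAuthorizationServer:
    """Three endpoints of the device code flow. `now` is a fake clock so expiry is testable."""

    def __init__(self) -> None:
        self.now = 0
        self._by_device_code: dict = {}
        self._by_user_code: dict = {}

    # Step 1: the *client* (here the phishing kit, not the victim) requests a code pair.
    def device_authorization(self, client_id: str, scope: str) -> dict:
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(9))
        pa = PendingAuthorization(device_code, user_code, client_id, scope,
                                 expires_at=self.now + DEVICE_CODE_LIFETIME)
        self._by_device_code[device_code] = pa
        self._by_user_code[user_code] = pa
        # The lure e-mail needs to carry only user_code and the genuine verification URL.
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example/devicelogin",  # stand-in, not a real URL
                "expires_in": DEVICE_CODE_LIFETIME, "interval": POLL_INTERVAL}

    # Step 2: the *victim* enters the code on the legitimate page and passes password + MFA.
    def user_enters_code(self, user_code: str, upn: str, password_ok: bool, mfa_ok: bool) -> str:
        pa = self._by_user_code.get(user_code)
        if pa is None or self.now > pa.expires_at:
            return "invalid_or_expired_code"
        if not (password_ok and mfa_ok):
            return "authentication_failed"
        # Nothing on this page reveals which device will receive the tokens:
        # the server simply binds the victim's identity to the pending device_code.
        pa.approved_by = upn
        return "approved"

    # Step 3: the *client* polls the token endpoint with its device_code.
    def token(self, device_code: str, client_id: str) -> dict:
        pa = self._by_device_code.get(device_code)
        if pa is None or pa.client_id != client_id:
            return {"error": "invalid_grant"}
        if self.now > pa.expires_at:
            return {"error": "expired_token"}
        if pa.approved_by is None:
            return {"error": "authorization_pending"}
        # Tokens go to the holder of device_code, i.e. the attacker's poller, and the
        # refresh token keeps working until the tenant revokes the user's sessions.
        return {"token_type": "Bearer", "scope": pa.scope, "subject": pa.approved_by,
                "access_token": "at." + secrets.token_hex(8),
                "refresh_token": "rt." + secrets.token_hex(8)}


def phishing_scenario(victim_upn: str = "victim@example.com", delay: int = 60) -> dict:
    """Attacker requests codes; the victim enters the user_code `delay` seconds later."""
    srv = MockAuthorizationServer()
    attacker_client = "00000000-0000-0000-0000-000000000000"  # placeholder public client id
    codes = srv.device_authorization(attacker_client, "Mail.Read Files.Read offline_access")
    first_poll = srv.token(codes["device_code"], attacker_client)   # authorization_pending
    srv.now += delay
    entry = srv.user_enters_code(codes["user_code"], victim_upn, password_ok=True, mfa_ok=True)
    final_poll = srv.token(codes["device_code"], attacker_client)
    return {"first_poll": first_poll.get("error"), "entry": entry, "token": final_poll}


if __name__ == "__main__":
    print(phishing_scenario())           # attacker now holds tokens for victim@example.com
    print(phishing_scenario(delay=901))  # victim too slow: code expired, attacker gets nothing
```

The point the simulation makes is that the victim’s password and MFA response never pass through the attacker: the server authenticates the victim on its own page and then hands the tokens to whichever client presented the matching device_code. The second run shows the only thing working in the defender’s favour by default, the short code lifetime.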
Cybersecurity researchers say the emergence of Kali365 marks a major escalation in the growing “phishing-as-a-service” underground economy, where sophisticated attack tools are sold to low-skilled criminals via subscription services on Telegram and dark web forums.
The bureau said Kali365 was first observed last month and has rapidly spread among cybercriminal groups.
The platform automates phishing campaigns and provides dashboards that allow attackers to monitor victims in real time.
Federal authorities said the operation is part of a broader wave of attacks targeting Microsoft 365 environments globally.
Scattered Spider, also known as Octo Tempest, is a notorious English-speaking cybercrime group known for aggressive social engineering and SIM-swapping attacks against large corporations.
Another group, tracked by Microsoft as Storm-2949, has focused on compromising IT administrators and senior executives through abuse of Microsoft password reset systems and cloud authentication tools.
The Post has sought comment from Microsoft.
