FBI Warns Microsoft 365 Users to Stay Vigilant
The United States Federal Bureau of Investigation (FBI) issued a new warning to Microsoft 365 users regarding an AI-powered cyberattack. The agency stated the attack, dubbed ‘Kali365’, can steal account access without needing the victim’s password directly.

In a public service announcement released on 21 May 2026, the FBI said the attack method was first detected in April 2026 and is now widely deployed via Phishing-as-a-Service (PhaaS). PhaaS is a cyberattack model sold or rented to other actors. The FBI explained Kali365 allows attackers to obtain Microsoft 365 access tokens and bypass multi-factor authentication (MFA).

How does the attack work?

The FBI explained it starts with phishing emails disguised as trusted cloud productivity or document-sharing services. The Kali365 platform is distributed via Telegram to cybercriminals, but the scam against victims is carried out through phishing emails.

In the email, victims receive a device code and instructions to visit a legitimate Microsoft verification page and enter the code. As the page is a genuine Microsoft site, victims may assume the process is secure. However, once the code is entered, the victim’s OAuth authentication token is sent to the attackers.

With this token, hackers can access the victim’s Microsoft 365 account via their own devices without needing the password or additional MFA verification. The FBI warned that once access is gained, attackers can access various Microsoft 365 services such as Outlook, Teams, and OneDrive.
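
For defenders, the pattern described above (a device-code sign-in followed by account use from the attacker's own device) can be hunted for in sign-in logs. The sketch below is an added example, not code from the FBI announcement or from Microsoft. The events are constructed, and the field names are modelled on Microsoft Entra sign-in log exports and should be treated as assumptions to map onto your own schema.

```python
from datetime import datetime, timedelta

# Constructed sample events. Field names are modelled on Microsoft Entra
# sign-in log exports and are assumptions; map them to your own schema.
def _ev(ts, user, ip, proto, app):
    return {"createdDateTime": ts, "userPrincipalName": user, "ipAddress": ip,
            "authenticationProtocol": proto, "appDisplayName": app}

SAMPLE_SIGNINS = [
    _ev("2026-05-20T09:00:00Z", "alice@example.com", "198.51.100.10", "none", "Outlook"),
    _ev("2026-05-20T09:30:00Z", "carol@example.com", "192.0.2.44", "none", "Teams"),
    _ev("2026-05-21T08:00:00Z", "bob@example.com", "192.0.2.5", "none", "Outlook"),
    _ev("2026-05-21T10:00:00Z", "alice@example.com", "198.51.100.10", "deviceCode", "Outlook"),
    _ev("2026-05-21T10:12:00Z", "alice@example.com", "203.0.113.77", "none", "OneDrive"),
    _ev("2026-05-21T11:00:00Z", "bob@example.com", "192.0.2.5", "deviceCode", "Teams"),
    _ev("2026-05-21T11:05:00Z", "bob@example.com", "192.0.2.5", "none", "Teams"),
    _ev("2026-05-21T12:00:00Z", "carol@example.com", "203.0.113.200", "deviceCode", "Outlook"),
]

def _ts(event):
    return datetime.fromisoformat(event["createdDateTime"].replace("Z", "+00:00"))

def find_suspicious_device_code_use(signins, window=timedelta(hours=1)):
    """Flag device-code sign-ins from an IP new to the user, and any activity
    from a new IP within `window` after a device-code sign-in."""
    known_ips, pending, alerts = {}, {}, []
    for e in sorted(signins, key=_ts):
        user, ip, ts = e["userPrincipalName"], e["ipAddress"], _ts(e)
        seen = known_ips.setdefault(user, set())
        if user in pending:
            dc_time, baseline = pending[user]
            if ts - dc_time > window:
                del pending[user]  # watch period expired without new-IP activity
            elif ip not in baseline:
                alerts.append({"user": user, "ip": ip, "time": e["createdDateTime"],
                               "reason": "new-ip-after-device-code"})
                del pending[user]
        if e["authenticationProtocol"] == "deviceCode":
            if ip not in seen:
                alerts.append({"user": user, "ip": ip, "time": e["createdDateTime"],
                               "reason": "device-code-from-new-ip"})
            else:
                pending[user] = (ts, set(seen))  # snapshot of IPs known so far
        seen.add(ip)
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_device_code_use(SAMPLE_SIGNINS):
        print(alert)
```

A user with no prior sign-in history has no baseline, so their first device-code sign-in is always flagged; seed `known_ips` from older logs before relying on the results.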