Think your Microsoft 365 account is safe? This new scam may prove otherwise
A new phishing scam called Kali365 is targeting Microsoft 365 users by abusing Microsoft's own authentication system. Here's how the attack works, why security experts are concerned, and what users should do to stay protected.
Published By: Divya | Published: Jun 16, 2026, 07:46 PM (IST)
Think your Microsoft 365 account is safe because you use two-factor authentication? A new phishing scam suggests that may not always be enough.
A cybercrime platform called Kali365 is reportedly being used to target Microsoft 365 users worldwide, including businesses, professionals and enterprises that rely on Outlook, Teams and OneDrive. The threat has recently come to the attention of the FBI, which has issued a warning about the scam's ability to bypass certain security protections.
What is Kali365?
According to the reports, Kali365 is what cybersecurity experts call a "Phishing-as-a-Service" platform. In simple terms, it is a ready-made toolkit that allows cybercriminals to launch phishing attacks without needing advanced technical skills.
The platform reportedly offers automated phishing campaigns, AI-generated email lures and tools that help attackers track potential victims. According to reports, the service is even being advertised through Telegram channels and is available through a subscription model. What makes Kali365 different is that it focuses on stealing authentication tokens instead of passwords.
How does the scam work?
The phishing email is designed to look like it comes from a reliable service. It might appear to be an invoice, meeting request, document-sharing request or file-access request. The email contains a code that the recipient is asked to enter on the official Microsoft login page to verify their identity. To the user's eye everything seems to be alright, because they are taken to a real Microsoft website and not a fake login page.
This is where the magic happens. The code the victim types in belongs to a login session the attacker has already started, so what the victim is really doing is approving that session. Once the user has authenticated, Microsoft issues the access tokens to the attacker's session rather than to the victim's device.
What happens after that? Cybercriminals can access Microsoft 365 services without ever needing the user's password again.
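To see why a genuine login page and a genuine MFA prompt do not help here, the following toy model of the OAuth 2.0 device authorization grant (the "device code" flow) shows that the token is handed to whichever client requested the user code, not to the device on which the code was typed. This is an added illustration written for this article; it is not Kali365's code or Microsoft's implementation, and the class names, the `allow_device_code_flow` tenant-policy flag and the example user are all assumptions.

```python
"""Toy model of the device code flow: the session that asks for a user code
is the session that later collects the token, whoever approves the code.
Added illustration; not Microsoft's implementation. Names are assumptions."""
import secrets
import string
import time
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class DeviceCodeSession:
    device_code: str            # secret held by the client that started the flow
    user_code: str              # short code a human is asked to type in
    client_id: str
    requested_scope: str
    expires_at: float
    approved_by: Optional[str] = None   # user who completed password + MFA
    token_issued: bool = False


@dataclass
class AuthorizationServer:
    # Assumed tenant policy flag modelling the advice to organisations to
    # limit device-code authentication where it is not needed.
    allow_device_code_flow: bool = True
    lifetime_seconds: int = 900
    sessions: dict = field(default_factory=dict)        # user_code -> session
    by_device_code: dict = field(default_factory=dict)  # device_code -> session

    def start_flow(self, client_id, scope):
        """Step 1: a client asks for a user code. Nothing requires this client
        to be on the same device as the person who will later type the code."""
        if not self.allow_device_code_flow:
            raise PermissionError("device code flow disabled by tenant policy")
        user_code = "".join(secrets.choice(string.ascii_uppercase) for _ in range(8))
        session = DeviceCodeSession(
            device_code=secrets.token_urlsafe(32),
            user_code=user_code,
            client_id=client_id,
            requested_scope=scope,
            expires_at=time.time() + self.lifetime_seconds,
        )
        self.sessions[user_code] = session
        self.by_device_code[session.device_code] = session
        return session.user_code, session.device_code

    def approve(self, user_code, username, password_ok, mfa_ok):
        """Step 2: a human enters the code on the genuine login page and passes
        password and MFA checks. Both checks are real; the flaw is that they
        approve whichever session the code belongs to."""
        session = self.sessions.get(user_code)
        if session is None or time.time() > session.expires_at:
            return "invalid_or_expired_code"
        if not (password_ok and mfa_ok):
            return "authentication_failed"
        session.approved_by = username
        return "approved"

    def poll_token(self, device_code):
        """Step 3: the holder of the device_code collects the token."""
        session = self.by_device_code.get(device_code)
        if session is None:
            return {"error": "invalid_grant"}
        if session.approved_by is None:
            return {"error": "authorization_pending"}
        session.token_issued = True
        return {"access_token": f"token-for-{session.approved_by}",
                "scope": session.requested_scope,
                "issued_to_client": session.client_id}


def demonstrate(policy_allows_flow=True):
    """Run all three steps with the code requested by one party and approved
    by another, optionally with the flow disabled by tenant policy."""
    server = AuthorizationServer(allow_device_code_flow=policy_allows_flow)
    try:
        user_code, device_code = server.start_flow("mail-client", "Mail.Read Files.Read")
    except PermissionError as exc:
        return {"blocked": True, "reason": str(exc)}
    # The approving user (constructed name) sees the real page and real MFA prompt.
    status = server.approve(user_code, "alice@example.com", password_ok=True, mfa_ok=True)
    token = server.poll_token(device_code)   # collected by the flow's initiator
    return {"blocked": False, "status": status, "token": token}


if __name__ == "__main__":
    print(demonstrate())
    print(demonstrate(policy_allows_flow=False))
```

The point of the model is the asymmetry between `approve()` and `poll_token()`: the first only ever sees a user code, the second only ever sees the device code, and the server never checks that the two are held by the same party. That is why the defensive lever for organisations sits at `start_flow()`, where the flow can be refused outright for users and applications that have no need of it.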
Why is it difficult to spot?
For years, users were told to look out for fake websites, suspicious links and spelling mistakes. Kali365 removes many of those red flags. The login page is genuine. The authentication process is genuine. Even multi-factor authentication works exactly as intended. The problem is that users are unknowingly approving access for someone else.
That makes these attacks harder to identify compared to traditional phishing scams.
How can you stay safe?
- The FBI advises all users to be cautious about unexpected authentication code requests, even if they lead to legitimate Microsoft websites.
- If you receive a request to enter a device code for a document, invoice or shared file that you weren't expecting, treat it as suspicious.
- Before approving any login request, check what application is asking for access and whether you actually initiated the action.
- For organisations, experts recommend limiting device-code authentication wherever possible and monitoring unusual sign-in activity.
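As an added example of the "monitor unusual sign-in activity" advice, the script below scans sign-in records for device-code logins and ranks them for review. It is not the FBI's or Microsoft's tooling. The records are constructed for this example and shaped like Microsoft Entra sign-in log entries (the `authenticationProtocol` field with the value `deviceCode`, `userPrincipalName`, `appDisplayName`, `ipAddress`, `status.errorCode`); the trusted network range and the list of applications expected to use the device-code flow are assumptions an organisation would replace with its own.

```python
"""Flag device-code sign-ins in Entra-style sign-in records for review.
Added example with constructed log records; not vendor tooling."""
import json
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample: four sign-ins for two users. Field names follow the
# Entra sign-in log shape; all values (users, IPs, times) are made up.
SAMPLE_SIGNINS = json.loads("""[
  {"createdDateTime": "2026-06-16T08:02:11Z", "userPrincipalName": "alice@example.com",
   "appDisplayName": "Microsoft Teams", "authenticationProtocol": "oAuth2",
   "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
  {"createdDateTime": "2026-06-16T09:15:42Z", "userPrincipalName": "alice@example.com",
   "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
   "ipAddress": "198.51.100.77", "status": {"errorCode": 0}},
  {"createdDateTime": "2026-06-16T09:20:03Z", "userPrincipalName": "bob@example.com",
   "appDisplayName": "Azure CLI", "authenticationProtocol": "deviceCode",
   "ipAddress": "203.0.113.22", "status": {"errorCode": 0}},
  {"createdDateTime": "2026-06-16T09:21:30Z", "userPrincipalName": "bob@example.com",
   "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
   "ipAddress": "198.51.100.77", "status": {"errorCode": 50126}}
]""")

# Assumed organisation egress range (constructed) and the applications that
# legitimately use the device-code flow there (assumed allow-list).
TRUSTED_NETWORKS = [ip_network("203.0.113.0/24")]
EXPECTED_DEVICE_CODE_APPS = {"Azure CLI"}


def is_trusted(ip):
    """True when the address falls inside one of the organisation's ranges."""
    return any(ip_address(ip) in net for net in TRUSTED_NETWORKS)


def find_device_code_signins(signins, trusted=is_trusted,
                             expected_apps=EXPECTED_DEVICE_CODE_APPS):
    """Return (alerts, failures). One alert per successful device-code sign-in:
    'high' when the address is outside trusted ranges or the application is
    not one expected to use the flow, else 'low'. Failed device-code attempts
    are counted per user so repeated attempts stand out."""
    alerts, failures = [], defaultdict(int)
    for rec in signins:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        user = rec["userPrincipalName"]
        if rec["status"]["errorCode"] != 0:
            failures[user] += 1
            continue
        unusual = (not trusted(rec["ipAddress"])
                   or rec["appDisplayName"] not in expected_apps)
        alerts.append({
            "user": user,
            "app": rec["appDisplayName"],
            "ip": rec["ipAddress"],
            "time": rec["createdDateTime"],
            "severity": "high" if unusual else "low",
        })
    return alerts, dict(failures)


if __name__ == "__main__":
    found, failed = find_device_code_signins(SAMPLE_SIGNINS)
    for alert in found:
        print(alert)
    print("failed device-code attempts:", failed)
```

The two filters reflect the advice in the list above: most users and most Office applications never need the device-code flow, so any successful device-code sign-in for an unexpected application, or from outside the organisation's own ranges, is worth a look before the next step (revoking sessions) is needed.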
And what if you have already been affected? Then you should immediately review active sessions, revoke suspicious device access and change account credentials. Also, make sure to file an online complaint as soon as possible.