This is an important warning, especially if you use Microsoft 365, Outlook, Teams, or OneDrive for work or personal use.
What the FBI is warning about
Cybercriminals are using a phishing platform called Kali365 to trick users into granting access to their Microsoft 365 accounts without stealing their password. Instead, they abuse Microsoft’s legitimate device code sign-in flow: when the victim enters the attacker’s code, the attacker’s device is issued authentication (OAuth) tokens for the account, which let the attacker keep using it without triggering further MFA prompts.
How the scam works
- You receive an email or Teams message that appears to come from a trusted source.
- The message asks you to review a document, voicemail, or file.
- It tells you to visit a real Microsoft login page and enter a device code.
- When you enter that code, you unknowingly authorize the attacker’s device.
- The attacker gains access to your Outlook, Teams, OneDrive, and other Microsoft 365 services—even though you never gave them your password.
Why this attack is dangerous
Unlike traditional phishing attacks:
- ✅ The Microsoft website is real.
- ✅ The URL looks legitimate.
- ✅ Your password manager may not detect anything wrong.
- ❌ The attacker tricks you into approving access.
This is why even users with multifactor authentication (MFA) can be affected. MFA itself isn’t broken—the attacker manipulates the user into completing the authentication on the attacker’s behalf.
How to protect yourself
- Never enter a Microsoft device code unless you initiated the sign-in.
- Ignore unexpected requests to enter device codes from email, Teams, or text messages.
- Go directly to Microsoft’s sign-in page instead of clicking links in emails.
- Regularly review your Microsoft account’s recent sign-ins and connected devices.
- Continue using MFA—it remains one of the best defenses against most attacks.
- If you’re an IT administrator, consider restricting device-code authentication where it isn’t needed and monitor for unusual sign-in activity.
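For administrators, the monitoring advice above can be turned into a simple check over an exported sign-in log. The script below is an added example, not part of the original notice or any Microsoft tooling: it flags successful device-code sign-ins that come from a country the user has not used in an ordinary sign-in recently. The sample records are constructed, and the field names (`protocol`, `country`, `success`, and the value `deviceCode`) are assumed; map them to whatever your log export actually uses.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export in JSON Lines form. Field names are assumptions for
# this example and only loosely mirror a real sign-in log schema.
SAMPLE_SIGNINS = """\
{"time": "2024-05-01T08:00:00Z", "user": "alice@example.com", "protocol": "authorizationCodeFlow", "ip": "203.0.113.10", "country": "US", "success": true}
{"time": "2024-05-01T09:30:00Z", "user": "alice@example.com", "protocol": "deviceCode", "ip": "198.51.100.7", "country": "NL", "success": true}
{"time": "2024-05-01T08:10:00Z", "user": "bob@example.com", "protocol": "authorizationCodeFlow", "ip": "203.0.113.22", "country": "US", "success": true}
{"time": "2024-05-01T10:00:00Z", "user": "bob@example.com", "protocol": "deviceCode", "ip": "203.0.113.22", "country": "US", "success": true}
{"time": "2024-05-01T11:00:00Z", "user": "carol@example.com", "protocol": "deviceCode", "ip": "192.0.2.5", "country": "DE", "success": true}
{"time": "2024-05-01T11:05:00Z", "user": "dave@example.com", "protocol": "deviceCode", "ip": "192.0.2.9", "country": "BR", "success": false}
"""


def parse_signins(text):
    """Parse JSON Lines into records (timestamps as aware datetimes), oldest first."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
        records.append(rec)
    return sorted(records, key=lambda r: r["time"])


def find_suspicious_device_code_signins(records, lookback=timedelta(days=30)):
    """Return successful device-code sign-ins whose country does not appear in the
    user's ordinary (non-device-code) successful sign-ins within `lookback`."""
    baseline = defaultdict(list)  # user -> [(time, country)] from ordinary sign-ins
    for rec in records:
        if rec["success"] and rec["protocol"] != "deviceCode":
            baseline[rec["user"]].append((rec["time"], rec["country"]))
    findings = []
    for rec in records:
        if not rec["success"] or rec["protocol"] != "deviceCode":
            continue  # failed attempts and ordinary logins are out of scope here
        known = {c for t, c in baseline[rec["user"]] if rec["time"] - lookback <= t <= rec["time"]}
        if not known:
            reason = "no_baseline"  # user never signed in normally: review by hand
        elif rec["country"] not in known:
            reason = "new_country"  # device code redeemed from an unfamiliar location
        else:
            continue
        findings.append({"user": rec["user"], "time": rec["time"].isoformat(),
                         "ip": rec["ip"], "country": rec["country"], "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_device_code_signins(parse_signins(SAMPLE_SIGNINS)):
        print(f)
```

A hit is a starting point for the review steps listed under "If you think you’ve already been tricked", not proof of compromise; a device-code sign-in from a known location (bob above) is not flagged but may still be worth a look if your organisation never uses the flow.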
If you think you’ve already been tricked
Take these steps immediately:
- Sign out of all Microsoft 365 sessions.
- Change your Microsoft account password.
- Review recent sign-in activity.
- Remove any unfamiliar devices or apps with account access.
- Check Outlook for unauthorized forwarding rules or inbox rules.
- Notify your IT department if it’s a work account.
- Report the incident to the FBI’s Internet Crime Complaint Center (IC3).