When the Federal Bureau of Investigation (FBI) publishes a dedicated public service announcement about a new phishing kit, it’s worth paying attention to.
The agency is now warning about “Kali365,” a phishing‑as‑a‑service (PhaaS) platform that helps even low‑skilled attackers hijack Microsoft 365 accounts by stealing access tokens instead of passwords.
Although early reporting focuses on attacks against organizations, the underlying technique works just as easily against individual Microsoft 365 users who are tricked into entering a short code on a real Microsoft website. In other words, this is not just a business or IT department problem. It could affect anyone with an Outlook, OneDrive, or Microsoft 365 subscription.
For cybercriminals using the kit, it offers three clear advantages:
- It bypasses multi‑factor authentication (MFA) by stealing access tokens, so extra codes or apps no longer help once the token is compromised.
- Kali365 provides ongoing access. The attackers can keep using Outlook, Teams, and OneDrive without repeatedly logging in, as long as the stolen refresh token remains valid.
- Little technical skill needed. Cybercriminals can subscribe to Kali365 and immediately run token‑stealing campaigns at scale.
What does the attack look like?
Victims receive a phishing message that looks like it comes from a cloud service or collaboration tool, such as a document‑sharing notification or Teams invite. The message includes a short “device code” and instructions like: “Go to Microsoft’s verification page and enter this code to view the document.”
Scam or legit? Scam Guard knows.
Unlike many phishing emails, this one sends you to a real Microsoft URL used for device sign‑in flows. To the user, the page looks familiar and completely legitimate, which lowers suspicion.
Victims then see the standard Microsoft sign‑in and consent screens and may think they are simply completing a normal security check. They never see a fake page, never type their password into a suspicious form, and may even see their organization’s branding.
But what they don’t realize is that they have handed access to the attacker.
Once the victim approves the request, the attacker’s device receives OAuth access and refresh tokens tied to the victim’s Microsoft 365 account. These tokens are what Microsoft uses to “remember” that you have already logged in, and they can be reused to access Outlook, OneDrive, Teams, and other Microsoft services without entering a password again.
With valid refresh tokens, attackers can maintain long‑term access until the tokens are revoked or expire, often blending in with normal account activity.
That access can allow cybercriminals to:
- Read Outlook emails, including password reset messages
- Access files stored in OneDrive or SharePoint
- Send phishing emails to coworkers, customers, friends, or family from the victim’s account
How to protect yourself
Once in Outlook, attackers can not only read your messages but also send convincing new ones from your address, using your identity to compromise additional accounts and contacts.
Some tips to steer clear of this one:
- Never enter a code at a Microsoft login page just because an email or message tells you to. You should only do this when you initiated the sign‑in yourself on your own device.
- Slow down and read the prompts. Rushing through login approvals without reading them carefully can be costly.
- Be suspicious of unexpected document shares, Teams invites, or login requests, even if they use legitimate Microsoft pages.
- Review which devices are logged in under your account at https://account.microsoft.com/devices/. If you see unfamiliar devices or sign‑ins, remove them, change your Microsoft account password, and review your security settings.
Pro tip: Malwarebytes Scam Guard can help you figure out if a message is a scam.
Let’s face it, an incognito window can only do so much.
Breaches, dark web trading, credit fraud. Malwarebytes Identity Theft Protection monitors for all of it, alerts you fast, and comes with identity theft insurance.
