Phishing scams targeting Microsoft 365 users have become more sophisticated, according to a recent FBI warning. This new threat, known as Kali365, allows criminals to exploit the login process without the need to steal passwords. Instead, they trick users into approving access, even when multifactor authentication (MFA) is enabled.
Kali365 operates as a phishing-as-a-service platform, which means that thieves can use ready-made tools to attack Microsoft accounts. It first appeared in April 2026 and spreads mainly through Telegram. Attackers use AI-generated messages and legitimate-looking emails to trick users into entering a device code on a real Microsoft verification page.
This method is particularly dangerous because it can bypass traditional security measures. If a user mistakenly approves a sign-in request, the attacker gains access to sensitive information without needing the password.
The FBI has advised individuals and businesses to be vigilant. It recommends that users not enter a device code unless they initiated the sign-in process themselves. Users should also verify any request through official channels by visiting the Microsoft website directly, rather than clicking on links in unexpected emails.
Microsoft is taking steps to combat these scams, working to disrupt phishing networks and recommending best practices to its users. They continue to encourage all customers to remain alert and to follow security guidelines to help keep their accounts safe.
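A defender-side check for the device-code sign-ins described above, as an added example that is not part of the original article or the FBI warning: it scans exported sign-in records for successful device code authentications and rates those from a country not previously seen for that user as high severity. The field names are assumed to follow the Microsoft Entra sign-in log schema; the sample records, the allowlist of accounts expected to use device codes, and the severity heuristic are all constructed for illustration.

```python
import json

# Constructed sample sign-in records (one JSON object per line). Field names
# are assumed to match the Microsoft Entra sign-in log schema; values are made up.
SAMPLE_LOG = """
{"createdDateTime":"2026-05-02T08:01:10Z","userPrincipalName":"ana@example.com","authenticationProtocol":"none","ipAddress":"198.51.100.7","location":{"countryOrRegion":"US"},"status":{"errorCode":0}}
{"createdDateTime":"2026-05-02T09:15:42Z","userPrincipalName":"ana@example.com","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.50","location":{"countryOrRegion":"NL"},"status":{"errorCode":0}}
{"createdDateTime":"2026-05-02T09:30:00Z","userPrincipalName":"kiosk@example.com","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.20","location":{"countryOrRegion":"US"},"status":{"errorCode":0}}
{"createdDateTime":"2026-05-02T10:00:00Z","userPrincipalName":"raj@example.com","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.9","location":{"countryOrRegion":"US"},"status":{"errorCode":1}}
{"createdDateTime":"2026-05-02T07:45:00Z","userPrincipalName":"raj@example.com","authenticationProtocol":"none","ipAddress":"198.51.100.9","location":{"countryOrRegion":"US"},"status":{"errorCode":0}}
{"createdDateTime":"2026-05-02T10:05:00Z","userPrincipalName":"raj@example.com","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.9","location":{"countryOrRegion":"US"},"status":{"errorCode":0}}
"""

def load(text):
    """Parse JSON-lines text into a list of sign-in records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def flag_device_code_signins(records, allowlist=frozenset()):
    """Return findings for successful device code sign-ins, oldest first.

    allowlist: accounts expected to use device codes (hypothetical policy input).
    Severity is 'high' when the country was never seen on that user's earlier
    interactive sign-ins, otherwise 'medium'.
    """
    seen = {}       # user -> countries seen on earlier non-device-code sign-ins
    findings = []
    for r in sorted(records, key=lambda rec: rec["createdDateTime"]):
        if r.get("status", {}).get("errorCode") != 0:
            continue                      # failed attempts issue no tokens
        user = r["userPrincipalName"].lower()
        country = (r.get("location") or {}).get("countryOrRegion", "")
        known = seen.setdefault(user, set())
        if r.get("authenticationProtocol") != "deviceCode":
            known.add(country)            # build the per-user baseline
            continue
        if user in allowlist:
            continue
        findings.append({
            "time": r["createdDateTime"], "user": user,
            "ip": r.get("ipAddress"), "country": country,
            "severity": "medium" if country in known else "high",
        })
    return findings

if __name__ == "__main__":
    for finding in flag_device_code_signins(load(SAMPLE_LOG), {"kiosk@example.com"}):
        print(finding)
```

Device code sign-ins never extend the baseline, so a session opened from an unfamiliar location does not make later sign-ins from the same place look normal.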




