{"slug": "fbi-sounds-alarm-on-phishing-tool-that-steals-microsoft-365-accounts-without", "title": "FBI sounds alarm on phishing tool that steals Microsoft 365 accounts without passwords", "summary": "The FBI warned that a new hacking platform called Kali365 is enabling cybercriminals to hijack Microsoft 365 accounts, including Outlook, Teams and OneDrive, while bypassing multi-factor authentication entirely. The bureau said the phishing-as-a-service toolkit exploits Microsoft's legitimate OAuth 2.0 device code system, tricking victims into entering a code on a real Microsoft login page that authorizes the attacker's device. The FBI advised organizations to deploy third-party security systems capable of detecting suspicious authentication activity tied to token theft.", "body_md": "# FBI sounds alarm on phishing tool that steals Microsoft 365 accounts without passwords\n\nThe FBI is warning that a new hacking platform is allowing cybercriminals to hijack Microsoft 365 accounts — including Outlook, Teams and OneDrive — while bypassing multi-factor authentication entirely.\n\nThe bureau [posted a public service announcement last week](https://www.ic3.gov/PSA/2026/PSA260521) sounding the alarm about the “Phishing-as-a-Service” toolkit known as Kali365, which is being used to steal Microsoft 365 access tokens and gain entry to victim accounts without intercepting passwords.\n\nThe feds say that Kali365 makes it easy for even amateur hackers to run advanced phishing scams that used to require serious technical skills.\n\n“Kali365 lowers the barrier of entry, providing less-technical attackers access to AI-generated phishing lures, automated campaign templates, real-time targeted individual/entity tracking dashboards, and OAuth token capture capabilities,” the FBI warned.\n\nThe scheme exploits Microsoft’s legitimate OAuth 2.0 
“device code” authentication system — a feature commonly used to log into smart TVs, streaming devices and other hardware with limited keyboards.\n\nRather than stealing passwords directly, attackers trick victims into entering a code on a real Microsoft login page, unknowingly authorizing the hacker’s device.\n\n“The device code flow is a legitimate authentication method that is being actively exploited by cybercriminals to bypass multi-factor authentication,” the FBI said in its advisory.\n\n“By tricking users into entering a device code on a legitimate Microsoft page, attackers can gain persistent access to accounts without ever needing the user’s credentials.”\n\nVictims receive phishing emails impersonating services like SharePoint, OneDrive or Microsoft Teams.\n\nThe emails instruct targets to visit Microsoft’s legitimate device login page and enter a short-lived authentication code.\n\nOnce the victim completes the process and passes MFA checks, Microsoft issues valid OAuth access and refresh tokens directly to the attacker.\n\nThat allows hackers to access Outlook inboxes, Teams accounts and cloud-stored files without ever needing the victim’s password again.\n\nThe FBI warned that attackers can maintain persistent access to accounts until the stolen tokens are manually revoked.\n\nMatt Burk, chief information security officer at Bespoke Concierge MD, told The Post the attacks have become increasingly effective because Microsoft’s widespread enforcement of multi-factor authentication has forced cybercriminals to adapt.\n\n“Since Microsoft has globally enforced MFA, this method of cyber attack is designed to bypass MFA and the need for a password,” he said.\n\nAsked which industries or employees are most vulnerable, Burk warned that virtually anyone using Microsoft 365 could be targeted.\n\n“I absolutely hate to generalize, but everyone from a small mom-and-pop business to a large Fortune 500 company,” he said.\n\nBurk added that organizations should deploy 
third-party Security Information and Event Management, or SIEM, systems capable of detecting suspicious authentication activity tied to token theft.\n\n“Using these tools can detect access like the Kali365 exploit and with the correct security features can automatically shut down the connection,” he said.\n\nOrdinary users should take the threat seriously because the attacks target cloud-based computing platforms used daily by businesses and consumers alike, according to the expert.\n\n“Everybody should be concerned with this exploit,” Burk said.\n\nCybersecurity researchers say the emergence of Kali365 marks a major escalation in the growing “phishing-as-a-service” underground economy, where sophisticated attack tools are sold to low-skilled criminals via subscription services on Telegram and dark web forums.\n\nThe bureau said Kali365 was first observed last month and has rapidly spread among cybercriminal groups.\n\nThe platform automates phishing campaigns and provides dashboards that allow attackers to monitor victims in real time.\n\nFederal authorities said the operation is part of a broader wave of attacks targeting Microsoft 365 environments globally.\n\nScattered Spider, also known as Octo Tempest, is a notorious English-speaking cybercrime group known for aggressive social engineering and SIM-swapping attacks targeting large corporations.\n\nAnother entity, Storm-2949, has focused on compromising IT administrators and senior executives through abuse of Microsoft password reset systems and cloud authentication tools.\n\nThe Post has sought comment from Microsoft.", "url": "https://wpnews.pro/news/fbi-sounds-alarm-on-phishing-tool-that-steals-microsoft-365-accounts-without", "canonical_source": "https://nypost.com/2026/05/28/business/fbi-sounds-alarm-on-phishing-tool-that-steals-microsoft-365-accounts/", "published_at": "2026-05-28 15:42:29+00:00", "updated_at": "2026-05-28 15:51:49.804314+00:00", "lang": "en", "topics": ["ai-tools", "ai-products", 
"ai-safety", "ai-policy", "ai-research"], "entities": ["FBI", "Microsoft 365", "Kali365", "Outlook", "Teams", "OneDrive", "OAuth 2.0", "The New York Post"], "alternates": {"html": "https://wpnews.pro/news/fbi-sounds-alarm-on-phishing-tool-that-steals-microsoft-365-accounts-without", "markdown": "https://wpnews.pro/news/fbi-sounds-alarm-on-phishing-tool-that-steals-microsoft-365-accounts-without.md", "text": "https://wpnews.pro/news/fbi-sounds-alarm-on-phishing-tool-that-steals-microsoft-365-accounts-without.txt", "jsonld": "https://wpnews.pro/news/fbi-sounds-alarm-on-phishing-tool-that-steals-microsoft-365-accounts-without.jsonld"}}