New Phishing Tool Lets Hackers Access Microsoft Accounts
The FBI is warning about a new phishing platform that allows cybercriminals to hijack Microsoft 365 accounts and bypass multi-factor authentication protections.
In a public safety announcement issued May 21, the FBI said the phishing-as-a-service platform known as Kali365 is being used to steal Microsoft 365 access tokens, giving attackers access to services such as Outlook, Teams and OneDrive without needing victims’ passwords.
The FBI said the tool was first observed in April and has primarily been distributed through Telegram, where it is reportedly offered for as little as $250 per month.
According to the FBI, victims receive phishing emails posing as SharePoint, OneDrive or Microsoft Teams notifications that direct them to Microsoft’s legitimate device login page and instruct them to enter a temporary authentication code.
Once the victim completes the process and passes multi-factor authentication checks, Microsoft issues OAuth access and refresh tokens directly to the attackers, allowing them to access Outlook inboxes, Teams accounts and cloud-stored files without needing the victim’s password.
Once the tokens are compromised, attackers can keep accessing Microsoft services without logging in again for as long as the tokens remain valid.
Matt Burk, chief information security officer at Bespoke Concierge MD, told the New York Post that nearly anyone using Microsoft 365 could be vulnerable to the attacks.
“I absolutely hate to generalize, but everyone from a small mom-and-pop business to a large Fortune 500 company,” he said. “Everybody should be concerned with this exploit.”
Burk advised organizations to use third-party Security Information and Event Management systems to detect suspicious authentication activity linked to token theft. “Using these tools can detect access like the Kali365 exploit and with the correct security features can automatically shut down the connection,” he said.
To protect against the attack, the FBI said organizations should create a conditional access policy to block device code flow for all users, with limited exceptions for required business processes.
It also advised auditing existing device code flow usage to identify legitimate dependencies before implementing such a policy.
The bureau also recommended policies that block authentication transfer, the feature that lets users move an authenticated session from a computer to a mobile device. If device code flow cannot be fully restricted, the FBI said emergency access accounts should be excluded from the policy to prevent lockouts.
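The following added example (not from the FBI announcement or Microsoft) shows the two defensive steps above in one script: an audit of device code flow usage over constructed sign-in log records, and the Conditional Access policy body that blocks device code flow and authentication transfer while excluding emergency access accounts. The record field names and the policy schema are assumed to match the Microsoft Graph signIn and conditionalAccessPolicy resources; the account id is a placeholder.

```python
import json
from collections import Counter

# Constructed sample sign-in log records (not real data). Field names are
# assumed to follow the Microsoft Graph signIn resource schema.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.test", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.7", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.test", "appDisplayName": "Azure CLI",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.4", "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.test", "appDisplayName": "Microsoft Teams",
     "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.9", "status": {"errorCode": 0}},
    {"userPrincipalName": "dave@example.test", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "ipAddress": "192.0.2.55", "status": {"errorCode": 50126}},
]

def device_code_usage(signins):
    """Count successful device code flow sign-ins per application.
    This is the audit step: each app listed here is a candidate legitimate
    dependency to review before the block policy is enforced."""
    return Counter(s["appDisplayName"] for s in signins
                   if s.get("authenticationProtocol") == "deviceCode"
                   and s.get("status", {}).get("errorCode") == 0)

def build_block_policy(emergency_account_ids, state="enabledForReportingButNotEnforced"):
    """Conditional Access policy body (assumed Graph conditionalAccessPolicy schema)
    that blocks device code flow and authentication transfer for all users and
    applications. Emergency access accounts are excluded so they cannot be
    locked out; the policy starts in report-only mode so the audit can be
    confirmed before switching state to 'enabled'."""
    return {
        "displayName": "Block device code flow and authentication transfer",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(emergency_account_ids)},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }

if __name__ == "__main__":
    print(dict(device_code_usage(SAMPLE_SIGNINS)))
    # Placeholder object id for the emergency access account
    print(json.dumps(build_block_policy(["00000000-0000-0000-0000-000000000001"]), indent=2))
```

The policy body can be posted to the Graph conditional access policies endpoint once the audit output has been reviewed; keep the failed sign-in (non-zero errorCode) out of the dependency list, as the audit function does.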
The FBI urged users to report suspicious login attempts, phishing emails, unauthorized devices or active sessions added to accounts to the Internet Crime Complaint Center.
Meanwhile, Microsoft said it is “actively working to disrupt the cybercriminal ecosystems behind phishing-as-a-service and account takeover activity to protect our customers.”
Additional Security Measures and Broader Implications
Beyond the immediate technical recommendations, cybersecurity experts emphasize the importance of user education as a critical layer of defense. Many organizations are now implementing mandatory training programs that simulate Kali365-style attacks, teaching employees to scrutinize unexpected SharePoint or Teams notifications, especially those prompting device code authentication.
“Phishing-as-a-service platforms like Kali365 represent the industrialization of cybercrime,” said Dr. Elena Vargas, a senior threat analyst at CyberGuard Analytics. “What once required sophisticated technical skills can now be purchased for the price of a monthly gym membership. This democratization of attack tools dramatically increases the volume and frequency of attempts across all sectors.”
The financial impact of such breaches can be severe. Compromised Microsoft 365 accounts often lead to business email compromise (BEC) scams, data exfiltration, and ransomware deployment. According to recent industry reports, average costs associated with Microsoft 365 account takeovers exceed $1.2 million per incident when factoring in remediation, legal fees, and lost productivity. Small and medium businesses are particularly vulnerable due to limited security resources, making the $250 monthly subscription fee for Kali365 an attractive investment for cybercriminals seeking high returns.
Organizations should also consider adopting passwordless authentication methods where feasible, such as FIDO2 security keys or biometric solutions, which are generally more resistant to token theft than traditional MFA setups. Regular token audits and short-lived access tokens can further limit the window of opportunity for attackers even if initial compromise occurs.
Looking ahead, the rise of platforms like Kali365 signals an evolving threat landscape where attackers increasingly target identity infrastructure rather than individual credentials. The FBI and Microsoft have indicated they are collaborating with industry partners to take down related Telegram channels and disrupt payment flows to these services. However, experts warn that new variants will likely emerge quickly.
In the meantime, vigilance remains essential. Users should enable sign-in notifications, regularly review active sessions in their Microsoft accounts, and avoid clicking links in unsolicited emails—even those that appear to come from trusted services. By combining technical controls with heightened awareness, businesses and individuals can significantly reduce their exposure to these sophisticated token-based attacks.
The cybersecurity community continues to stress that while tools like Kali365 lower the barrier to entry for criminals, robust layered defenses and proactive monitoring can effectively neutralize most threats.