FBI Warns Microsoft Users About the Kali365 Phishing Scam

by Team Techager

If you use Microsoft 365 for work or personal tasks, you need to read this. In May 2026 the FBI publicly warned about a phishing scam called Kali365. It targets everyday apps like Outlook, Teams, and OneDrive, and it can get into your account without the attacker ever learning your password.

This is not a vague or distant threat. So let us walk through exactly what it is, how it works, and what you should do about it.

What Is the Kali365 Scam?

Kali365 is a phishing kit that first appeared in April 2026. On May 21, the FBI released a formal Public Service Announcement to warn people across the United States. The tool has been spreading through Telegram and is being sold as a subscription service to cybercriminals.

That last part is important. Because Kali365 is sold as a service, a person with very little technical knowledge can buy access and start attacking others almost immediately. They get AI-generated phishing emails, automated attack templates, and live dashboards that track their targets in real time.

In other words, launching a convincing phishing campaign no longer requires skill. It just requires a subscription. That is why this scam is spreading far faster than older, hand-built phishing campaigns.

How the Attack Works Step by Step

The whole process is designed to look completely normal. That is what makes it so effective.

First, you receive an email. It appears to come from a cloud service you already use and trust, such as a document-sharing or productivity platform. The email includes a short device code and asks you to visit Microsoft's real device sign-in page to enter it. What it does not say is that the attacker generated that code. It belongs to the OAuth 2.0 device authorization flow, a legitimate mechanism that lets a device with no usable browser (a TV, a command-line tool) sign in by having the user type a code on another device. Kali365 simply starts that flow on the attacker's behalf and mails you the code.

Second, you go to that page. Because it really is a Microsoft page, the address, the certificate and the branding are all genuine, and nothing looks suspicious. You type in the code and sign in as usual, thinking you are completing a routine step.

Third, the attacker collects the reward. Once you approve the code, Microsoft issues an OAuth access token and refresh token to the attacker's client, which has been polling in the background waiting for your approval. The access token opens your data right away; the refresh token lets the attacker obtain fresh access tokens for as long as it remains valid. Nothing is copied from your computer: Microsoft hands the tokens to the attacker because you vouched for the attacker's sign-in request.

Fourth, the attacker is now inside. They can read your Outlook email, join your Teams chats, and open your OneDrive files, with whatever permissions the requested scopes granted. Moreover, they can keep doing this without needing your password or completing any additional verification steps, until the refresh token expires or is revoked.

This is what the FBI calls the “persistence” phase. The attacker stays connected silently, and most users never realize anything went wrong, because from Microsoft's side the session looks like one you approved yourself.

Why Multi-Factor Authentication Does Not Stop This

Many people believe that turning on two-step verification makes their account fully secure. Unfortunately, that is not the case here.

Kali365 does not break multi-factor authentication so much as route around it. It never sees your password, and it never has to answer an MFA prompt, because you do both yourself on the real Microsoft page when you approve the code. The product of that approval is a token pair issued to the attacker's application. From then on the attacker's refresh token renews access silently, so the verification step is never triggered again.

This is a key difference from older phishing attacks. Traditional scams tried to trick you into typing your password on a fake website, where a wrong-looking address or a missing MFA prompt might give the game away. Kali365, however, skips that step and goes straight for the token. That makes it much harder to catch in the moment and much harder to undo afterwards, because the tokens already issued keep working until they are revoked.
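The four steps above, and the reason the MFA prompt does not help, are easiest to see with the two sides of the exchange side by side. The following is an added example, not code from the article or from the Kali365 kit: a toy authorization server standing in for Microsoft's login service, with endpoint names taken from RFC 8628 (device authorization grant) but with the code formats, the MFA check, the user database and all names constructed here for illustration. The point to watch is that the victim's password and MFA are checked on the server's own verification step, yet the tokens are issued to the client that requested the device code.

```python
"""Offline model of OAuth 2.0 device-code phishing (RFC 8628 device authorization grant).

Added example, not the article's or the kit's code. ToyAuthServer stands in for
login.microsoftonline.com; users, codes and token formats are constructed here.
"""
import secrets
import string


class ToyAuthServer:
    def __init__(self):
        self.users = {}           # username -> (password, mfa_enrolled)
        self.pending = {}         # device_code -> {client_id, scope, user}
        self.by_user_code = {}    # user_code -> device_code
        self.refresh_tokens = {}  # refresh_token -> (username, client_id)
        self.mfa_prompts = 0      # how often the victim was asked for MFA

    def register_user(self, username, password, mfa_enrolled=True):
        self.users[username] = (password, mfa_enrolled)

    # Step 1 (attacker side): request a device code. No user is involved yet.
    def device_authorization(self, client_id, scope):
        device_code = secrets.token_urlsafe(32)
        alphabet = string.ascii_uppercase + string.digits
        user_code = "".join(secrets.choice(alphabet) for _ in range(9))  # format is an assumption
        self.pending[device_code] = {"client_id": client_id, "scope": scope, "user": None}
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://example.invalid/devicelogin", "interval": 5}

    # Step 2 (victim side): enter the code on the genuine verification page and sign in.
    # Password and MFA are checked here, by the real server, and the approval is
    # bound to the device_code the attacker created, not to the victim's browser.
    def verify(self, user_code, username, password, mfa_code_ok):
        device_code = self.by_user_code.get(user_code)
        if device_code is None or device_code not in self.pending:
            return "invalid_code"
        pw, mfa_enrolled = self.users.get(username, (None, False))
        if pw != password:
            return "bad_credentials"
        if mfa_enrolled:
            self.mfa_prompts += 1
            if not mfa_code_ok:
                return "mfa_failed"
        self.pending[device_code]["user"] = username
        return "approved"

    # Step 3 (attacker side): poll the token endpoint until the victim approves.
    def token(self, device_code):
        req = self.pending.get(device_code)
        if req is None:
            return {"error": "expired_token"}
        if req["user"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]
        rt = secrets.token_urlsafe(32)
        self.refresh_tokens[rt] = (req["user"], req["client_id"])
        return {"access_token": secrets.token_urlsafe(16), "refresh_token": rt,
                "scope": req["scope"], "user": req["user"]}

    # Step 4 (persistence): a refresh token mints new access tokens with no MFA prompt.
    def refresh(self, refresh_token):
        owner = self.refresh_tokens.get(refresh_token)
        if owner is None:
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(16), "user": owner[0]}

    # Remediation: revoking the user's refresh tokens ends the attacker's persistence.
    def revoke_user_sessions(self, username):
        for rt in [r for r, (u, _) in self.refresh_tokens.items() if u == username]:
            del self.refresh_tokens[rt]


def run_phish(victim_enters_code=True):
    """Play both sides; returns (server, first poll result, final token result)."""
    srv = ToyAuthServer()
    srv.register_user("alice@example.invalid", "correct horse", mfa_enrolled=True)
    # The attacker's client asks for a code while posing as, say, a document-sharing app.
    attacker = srv.device_authorization(client_id="attacker-app", scope="Mail.Read Files.Read")
    first_poll = srv.token(attacker["device_code"])  # authorization_pending until the victim acts
    if victim_enters_code:
        # The victim does everything "right": real page, real password, passes MFA.
        srv.verify(attacker["user_code"], "alice@example.invalid", "correct horse", mfa_code_ok=True)
    return srv, first_poll, srv.token(attacker["device_code"])


if __name__ == "__main__":
    srv, first, final = run_phish()
    print("first poll:", first)
    print("after victim approves:", {k: v for k, v in final.items() if k != "access_token"})
    print("MFA prompts the victim answered:", srv.mfa_prompts)
    print("refresh without MFA:", "access_token" in srv.refresh(final["refresh_token"]))
```

Run as written, the victim answers exactly one MFA prompt, on the genuine page, and the attacker still ends up holding a refresh token that renews access with no further prompt; only `revoke_user_sessions` stops it. If the victim never types the code, the attacker's polling returns `authorization_pending` indefinitely, which is the whole reason the email needs you to act.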

What Is Phishing — and How Is It Different from Smishing?

Since this topic comes up a lot, it is worth clearing up the difference between two common terms.

Phishing usually arrives by email. An attacker pretends to be a trusted company or person and tricks you into giving up information or clicking something harmful. Kali365 falls into this category.

Smishing is the same idea, but it arrives through text messages on your phone. Both types of attacks try to manipulate you into doing something that benefits the attacker.

Knowing the difference helps you stay alert no matter how you receive messages. Whether it is an email or a text, the goal is always the same — to get you to act without thinking.

How to Tell If an Email Is Fake

Even though Kali365 uses AI to write more polished emails, there are still warning signs to look out for. Here are some common clues that an email might not be legitimate:

  • The greeting is generic, such as “Dear Customer” rather than your actual name
  • The message says your account is on hold or needs urgent action right away
  • There is a code, link, or attachment asking you to do something immediately
  • The sender’s email address looks slightly off or unfamiliar when you check it closely
  • Your email provider flags the message as external or unverified

If any of these apply, do not enter any codes or click any links. Instead, go directly to the company’s official website on your own and check your account from there.
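Most of the clues in the list above can be checked mechanically from the message headers and body, which is what a mail filter or a help-desk triage script does. The following is an added example, not code from the article: it parses a constructed phishing message with Python's standard `email` module and reports which of the warning signs it finds. The two device-login URLs are Microsoft's genuine verification addresses; the sender allowlist, greeting list, urgency phrases and the shape of the code pattern are assumptions that a real deployment would tune.

```python
"""Header and body triage for a suspected device-code phishing email.

Added example, not the article's code. The message is constructed; the
allowlist, greeting and urgency lists are illustrative starting points.
"""
import email
import re
from email.utils import parseaddr

# Genuine Microsoft pages where a device code is typed (a lure points here on purpose).
DEVICE_LOGIN_URLS = ("microsoft.com/devicelogin",
                     "login.microsoftonline.com/common/oauth2/deviceauth")
# Assumption: sending domains allowed to use these brand names in a display name.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com"},
    "sharepoint": {"microsoft.com", "sharepointonline.com"},
    "onedrive": {"microsoft.com"},
    "teams": {"microsoft.com"},
}
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder", "hello,")
URGENCY = ("within 15 minutes", "immediately", "on hold", "will be removed", "suspended")
# "code" followed, on the same line, by an 8-9 character upper-case token (format assumed).
CODE_PATTERN = re.compile(r"(?i:\bcode\b)[^\n]{0,40}?\b[A-Z0-9]{8,9}\b")


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _text_body(msg):
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def triage(raw_message):
    """Return the list of warning signs found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw_message)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in name.lower() and not any(
                from_domain == d or from_domain.endswith("." + d) for d in allowed):
            findings.append("brand_domain_mismatch")
            break
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != from_domain:
        findings.append("reply_to_mismatch")
    auth = msg.get("Authentication-Results", "").lower()
    if any(tag in auth for tag in ("spf=fail", "dkim=fail", "dmarc=fail")):
        findings.append("auth_fail")
    body = _text_body(msg)
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    if lines and lines[0].lower().startswith(GENERIC_GREETINGS):
        findings.append("generic_greeting")
    if any(phrase in body.lower() for phrase in URGENCY):
        findings.append("urgency")
    if any(url in body for url in DEVICE_LOGIN_URLS) and CODE_PATTERN.search(body):
        findings.append("device_code_request")
    return findings


# Constructed sample lure (no real sender, recipient or code).
SAMPLE_LURE = """\
From: "SharePoint Online" <share@sharepoint-docs-notify.example>
Reply-To: <inbox@relay-mail.example>
To: alice@example.invalid
Subject: Document shared with you: Q2 invoices
Authentication-Results: mx.example.invalid; spf=pass smtp.mailfrom=sharepoint-docs-notify.example; dkim=none; dmarc=fail header.from=sharepoint-docs-notify.example

Dear Customer,

A colleague shared "Q2 invoices.xlsx" with you. To view it, sign in with
your access code H7KQ2B9ZC at https://microsoft.com/devicelogin within 15 minutes
or the document will be removed.
"""

# Constructed benign message for comparison.
SAMPLE_BENIGN = "From: Bob <bob@example.invalid>\nTo: alice@example.invalid\n\nHi Alice,\n\nLunch tomorrow?\n"

if __name__ == "__main__":
    print(triage(SAMPLE_LURE))
    print(triage(SAMPLE_BENIGN))
```

The `device_code_request` finding is the one specific to this campaign: a genuine device code is shown on the screen of the device you are signing in, never mailed to you, so any message that both links to a device-login page and supplies a code to type there deserves a second look regardless of how polished the wording is.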

Steps to Protect Your Account

The FBI outlined several protective steps that can reduce your risk. Some of these are settings your IT team can handle. Others are good habits anyone can build right away.

Key steps recommended by the FBI:

  • Set up a Conditional Access policy that blocks device code flow (the “Device code flow” option under the policy's authentication-flows condition) for most users, with only limited exceptions for real business needs
  • Review your current device code usage first, so you do not accidentally disrupt important systems that rely on it: filter the sign-in logs for entries whose authentication protocol is device code and note which applications and accounts use it
  • Block authentication transfer as well, the option in the same policy condition that lets a sign-in be moved from a computer to a mobile phone
  • Keep emergency access (“break-glass”) accounts excluded from the new policy so you do not lock yourself out while making changes
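The four steps above form one procedure: measure first, then block, while keeping an escape hatch. The following is an added example, not the FBI's or Microsoft's code. It filters sign-in records shaped like Entra ID sign-in log entries as returned by Microsoft Graph (`userPrincipalName`, `appDisplayName`, `authenticationProtocol`, `ipAddress`, `createdDateTime`) to find device code usage, then builds the request body for a Conditional Access policy that blocks both device code flow and authentication transfer for everyone except an exception group and the break-glass accounts. The sample records, the group id and the account ids are constructed placeholders.

```python
"""Review device-code sign-ins, then build the Conditional Access policy that blocks them.

Added example, not the FBI's or Microsoft's code. SAMPLE_SIGNINS is constructed
to match the shape of Entra ID sign-in log entries; the ids are placeholders.
"""
import json
from collections import Counter

# Constructed sample: three sign-ins, two of which used the device code protocol.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-05-20T08:01:00Z", "userPrincipalName": "alice@example.invalid",
     "appDisplayName": "Microsoft Teams", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.10"},
    {"createdDateTime": "2026-05-20T08:14:00Z", "userPrincipalName": "alice@example.invalid",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7"},
    {"createdDateTime": "2026-05-20T09:30:00Z", "userPrincipalName": "bob@example.invalid",
     "appDisplayName": "Azure CLI", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.10"},
]


def device_code_signins(signins):
    """Step 2 of the FBI list: every sign-in that used the device code protocol."""
    return [s for s in signins if s.get("authenticationProtocol") == "deviceCode"]


def device_code_usage_by_app(signins):
    """Which applications actually rely on device code flow; these are the only
    candidates for an exception, and an Office sign-in from a new address is
    exactly the kind of record worth asking the user about."""
    return Counter(s["appDisplayName"] for s in device_code_signins(signins))


def build_block_policy(exception_group_ids, break_glass_user_ids, report_only=True):
    """Steps 1, 3 and 4: block device code flow and authentication transfer for
    everyone except the exception group and the emergency-access accounts.
    report_only=True creates the policy in report-only mode so its impact can
    be read from the sign-in logs before it is enforced."""
    return {
        "displayName": "Block device code flow and authentication transfer",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {
                "includeUsers": ["All"],
                "excludeGroups": list(exception_group_ids),
                "excludeUsers": list(break_glass_user_ids),
            },
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            "authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def policy_json(exception_group_ids, break_glass_user_ids, report_only=True):
    return json.dumps(build_block_policy(exception_group_ids, break_glass_user_ids, report_only),
                      indent=2)


if __name__ == "__main__":
    for s in device_code_signins(SAMPLE_SIGNINS):
        print(s["createdDateTime"], s["userPrincipalName"], s["appDisplayName"], s["ipAddress"])
    print(dict(device_code_usage_by_app(SAMPLE_SIGNINS)))
    # Placeholder ids: replace with the object ids of your exception group and break-glass accounts.
    print(policy_json(["00000000-0000-0000-0000-00000000g001"], ["00000000-0000-0000-0000-0000000bg001"]))
```

The dictionary that `build_block_policy` returns is the body for `POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies` (the caller needs the `Policy.ReadWrite.ConditionalAccess` permission). Leaving `report_only=True` for a week and reading the report-only results against the device-code list from `device_code_usage_by_app` is how you satisfy the FBI's "review usage first" step without an outage; switch to `report_only=False` only once every legitimate user of the flow is in the exception group.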

Beyond those technical steps, it also helps to check your Microsoft Secure Score to get a clearer picture of where your tenant stands. And if you did not start a verification process yourself, do not complete one that lands in your inbox. A genuine device code is shown on the screen of the device you are signing in, at the moment you start the sign-in; it never arrives by email.

Microsoft Has Responded — But the Threat Continues

Microsoft has publicly acknowledged this threat. The company pointed users toward the FBI guidance and noted that its Digital Crimes Unit has previously shut down similar tools, including one called RaccoonO365. Even so, Kali365 is still active and being used against real people right now. Some users have started looking into free Microsoft Office alternatives as they rethink their current setup.

What to Do If You Were Already Targeted

If you think you may have fallen for this scam, act quickly. Cut off the attacker's access first: sign out of all sessions from your Microsoft account's security page, or ask your administrator to revoke your sign-in sessions, which invalidates the refresh tokens already issued, and review the devices and applications attached to your account for anything you do not recognize. Then gather as much information as you can, including the phishing email you received, any unusual login activity in your account, and any unfamiliar devices or sessions you noticed, and report everything to the FBI’s Internet Crime Complaint Center at ic3.gov.

The more detail you provide, the more helpful your report will be for investigators working to shut this down.

Final Thought

Kali365 is a reminder that online threats keep evolving. Strong passwords and two-step verification are still important. But they are no longer enough on their own. Staying safe today also means knowing how these attacks work, staying alert to unusual emails, and acting fast if something feels off.

Take a few minutes this week to review your Microsoft account settings. The FBI also shared this on Instagram if you want to pass it along to someone who needs to see it. And if an email ever asks you to enter a code you were not expecting, stop and question it.

Based on the FBI’s Public Service Announcement issued May 21, 2026, regarding the Kali365 Phishing-as-a-Service platform.
