FBI Warns Microsoft 365 Users of a Scam That Slips Past Multifactor Logins


The Federal Bureau of Investigation is warning businesses and individuals about a fast-spreading scam that can break into Microsoft 365 accounts without ever stealing a password, and without being stopped by the extra security code that millions of people rely on to stay safe. In a public service announcement issued through its Internet Crime Complaint Center, the FBI described a criminal toolkit called Kali365 that hijacks accounts for Outlook, Teams and OneDrive, and the alert has drawn renewed attention this weekend as security experts urge users to take it seriously. What makes the warning unusual is that the scam defeats multifactor authentication, the second step, often a code or app prompt, that businesses have spent years pushing everyone to turn on.

The reason it works is unsettling: the attack does not rely on a fake website or a misspelled web address. Instead, it abuses a legitimate Microsoft feature. Many people have used it without realizing it—the short code you type into a website to sign in to a streaming service on a smart TV. In this scam, the victim receives an email dressed up as a notification from a trusted file-sharing or collaboration tool, containing a code and instructions to enter it on a genuine Microsoft verification page. Because the page really is Microsoft’s own, the web address looks correct and a password manager raises no objection, so the victim has little reason to be suspicious. But entering that code can unknowingly authorize the criminal’s device, handing the attacker the digital tokens Microsoft uses to remember that someone has already logged in.

Once the attacker has those tokens, they can reach Outlook, Teams and OneDrive without a password and without ever facing another security prompt, and they can keep that access for as long as the tokens remain valid. The FBI describes the technique as a way to establish persistence, meaning the intruder can quietly stay inside an account, often blending in with normal activity. Crucially, the victims in these cases had multifactor authentication switched on. The protection still did its job in one sense, stopping anyone from logging in as the victim, but it did nothing to stop the victim from approving access through a process Microsoft considers entirely legitimate.

For companies, that access can amount to the keys to the whole business. Kali365 is sold as “phishing-as-a-service,” a subscription product rented out to criminals much like ordinary software, distributed largely through the messaging app Telegram. The FBI says it lowers the barrier to entry, giving even unsophisticated attackers ready-made, AI-generated lures, automated campaign templates and dashboards to track their targets. Andrea Sivieri, an executive at the security firm CoreView, captured the shift by noting that attackers are no longer breaking into Microsoft 365 so much as simply logging in. There is no software flaw to patch, because nothing is technically broken.

The business stakes are high precisely because nothing about the intrusion looks like a classic hack. Once inside an inbox, a criminal can read contracts, impersonate executives and try to redirect wire transfers, a costly form of fraud known as business email compromise. Inside OneDrive and SharePoint, they can copy customer records, financial data and intellectual property, and inside Teams they can monitor internal conversations to time their next move. Security researchers documented hundreds of these attacks in April alone, striking organizations across North America and Europe in industries including manufacturing, finance, healthcare, insurance, education and government.

The good news is that the scam is avoidable once people know the warning signs. The single most important rule, security experts say, is to never enter a Microsoft sign-in code just because an email tells you to. A code should only be entered when you yourself started the sign-in on your own device. Be especially wary of unexpected requests to enter a code to view a document, voicemail, invoice or shared file you did not ask for, and treat any message that pushes you to act fast with suspicion.

For businesses, the FBI recommends stronger steps: restricting or blocking the device code sign-in feature for most users through a conditional access policy in Microsoft Entra ID, blocking authentication transfers, and rolling out phishing-resistant logins such as hardware security keys, which tie access to a physical device that is far harder to trick. A Microsoft spokesperson said security teams should follow the FBI’s guidance. Anyone who believes they have been targeted can report it to the FBI at ic3.gov. In an era when multifactor authentication has become the baseline of online security, the warning is a reminder that no single safeguard is foolproof, and that a moment’s caution before typing in a code can prevent a costly breach.
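As an added illustration of the two defensive steps above (not code from the FBI alert, Microsoft, or any vendor), the following Python builds a Conditional Access policy body in the shape Microsoft Graph accepts for creating a policy, blocking the device code flow and authentication transfer for everyone outside one approved group, and scans sign-in log records for successful device-code sign-ins that an analyst should review. The group id and the log records are constructed placeholders.

```python
"""Added example: block device code flow via Conditional Access (Graph policy
body) and flag device-code sign-ins in Entra sign-in log records.
Group id and sign-in records below are constructed, not real data."""

# Placeholder for the one group allowed to keep using device code sign-in
# (e.g. shared conference-room devices that genuinely need it).
APPROVED_DEVICE_CODE_GROUP = "00000000-0000-0000-0000-000000000000"


def build_block_device_code_policy(excluded_group_id: str) -> dict:
    """Return a conditionalAccessPolicy body that blocks the device code flow
    and authentication transfer for all users and apps, except one group.
    It starts in report-only mode so the impact can be checked before enforcing."""
    return {
        "displayName": "Block device code flow and authentication transfer",
        "state": "enabledForReportingButNotEnforced",  # flip to "enabled" after review
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": [excluded_group_id]},
            "applications": {"includeApplications": ["All"]},
            # transferMethods is a flags value; both methods are named here.
            "authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def find_device_code_signins(signins: list) -> list:
    """Return (user, ip, app) for successful sign-ins that used the device code
    protocol. A victim who enters a phished code produces exactly this kind of
    record, so each hit deserves a look at the source IP and app involved."""
    hits = []
    for s in signins:
        used_device_code = s.get("authenticationProtocol") == "deviceCode"
        succeeded = s.get("status", {}).get("errorCode") == 0
        if used_device_code and succeeded:
            hits.append((s["userPrincipalName"], s["ipAddress"], s.get("appDisplayName")))
    return hits


# Constructed sign-in records mimicking the fields of Entra sign-in logs.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.7",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.20",
     "appDisplayName": "Microsoft Teams", "authenticationProtocol": "oAuth2",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.com", "ipAddress": "203.0.113.9",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
     "status": {"errorCode": 50126}},  # failed attempt, not a hit
]

if __name__ == "__main__":
    print(build_block_device_code_policy(APPROVED_DEVICE_CODE_GROUP))
    print(find_device_code_signins(SAMPLE_SIGNINS))
```

The policy body is what you would send to the Graph conditional access policies endpoint; the detector is meant to run over exported sign-in log records with the same field names.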

JBizNews Desk | New York
© JBizNews.com All Rights Reserved. Reproduction or distribution without written permission is prohibited.
