UpTrajectory Review
The FBI has issued a warning about a new phishing threat targeting Microsoft 365 users, specifically through a platform called Kali365. This scheme allows cybercriminals to bypass multifactor authentication by capturing OAuth device codes, which are digital keys that grant access without needing a password. With the rise of this sophisticated attack method, small business owners must be vigilant about their cybersecurity practices.
For small business operators, this warning is particularly urgent. The ease with which attackers can exploit this vulnerability means that even less technically skilled criminals can launch effective phishing campaigns. As these attacks proliferate, it's crucial for businesses to educate employees about recognizing phishing attempts and to implement robust security measures beyond just relying on multifactor authentication. Regular training and updates on cybersecurity practices can help mitigate these risks.
“Kali365 lowers the barrier of entry, providing less-technical attackers access to AI-generated phishing lures.” — Fast Company
Takeaway: Enhance employee training on phishing threats to protect against sophisticated attacks like Kali365.
From the original item — Fast Company:
The security measure millions rely on to protect their accounts may not be as foolproof as they think.
The Federal Bureau of Investigation is warning the public about a fast-spreading scam targeting users of popular Microsoft 365 products, including Outlook, Teams, and OneDrive. The scheme allows cybercriminals to capture Microsoft authentication tokens, bypassing multifactor authentication without needing a user’s password.
At the center of the scheme is a hacking platform called Kali365. Unlike traditional phishing attacks that rely on stealing credentials, Kali365 targets OAuth device codes—digital keys that allow applications to access data without requiring a password—giving cybercriminals access to Microsoft 365 accounts and a wide range of sensitive information.
The subscription-based service, which was first spotted in April 2026, has been promoted largely through Telegram and, according to Bitdefender, is available to scammers for as little as $250 per month or $2,000 a year.
What makes the threat particularly alarming is that it can gain access to a user’s account without a password. “Kali365 lowers the barrier of entry, providing less-technical attackers access to AI-generated phishing lures, automated campaign templates, real-time targeted individual/entity tracking dashboards, and OAuth token capture capabilities,” the FBI said.
With security researchers reporting hundreds of Kali365 attacks in April alone, the threat is already materializing.
The attack follows a deceptively simple sequence. A victim receives a phishing email designed to look like it came from a trusted cloud service. The email contains a device code and instructs the recipient to visit a legitimate Microsoft verification page to enter it.
The moment the user does this, the user has unknowingly handed the attacker full access to their account.
Once the code is entered, the attacker captures the OAuth access token, granting them full entry into the victim’s Microsoft 365 account. From there, they can freely navigate Outlook, Teams, and OneDrive without ever needing a password or completing any additional authentication steps.
What makes the scam particularly convincing is that there is no fake website to spot and no misspelled domain name, making it difficult for a user to distinguish the phishing attempt from a legitimate request.
“This phishing scam is getting more sophisticated by the day, with AI-generated lures and automated templates,” one user wrote in response to the FBI’s warning.
However, the FBI says there are steps users can take to protect themselves, including not opening any links with access codes that you didn’t request. Additionally, those who have been affected by the Kali365 phishing kit can file a complaint with the Internet Crime Complaint Center.
—Amaya Nichole, News Writer
This article originally appeared on Fast Company’s sister website, Inc.com.
Inc. is the voice of the American entrepreneur. We inspire, inform, and document the most fascinating people in business: the risk-takers, the innovators, and the ultra-driven go-getters that represent the most dynamic force in the American economy.