FBI Warns of Kali365 Phishing Scam Bypassing Microsoft 365 Two-Factor Authentication
The FBI has issued a warning about a new phishing platform called Kali365 that targets Microsoft 365 accounts worldwide. The platform bypasses multi-factor authentication (MFA), usually regarded as a strong control, and gives attackers full access to services such as Outlook, Teams, and OneDrive.
Kali365 does not steal passwords; it abuses the legitimate device code approval process. The attacker starts a device code login from their own machine and sends the victim a fake approval request, typically in a convincing phishing email. The victim is taken to a genuine Microsoft authentication page where, without realising it, they approve the attacker's pending login. Microsoft then issues OAuth access tokens to the attacker's device, giving them full control of the account with no password and no further verification step.
This exposes emails, shared files, and chats, and lets the attacker impersonate the user to carry out fraud, with small businesses a particular target. The FBI lists warning signs such as unexpected device code requests, urgent messages pressuring the recipient to act quickly, and approval requests that do not correspond to anything the user was doing. Users should never enter a code for a login they did not start themselves and should open Microsoft portals directly rather than through links in messages. Disabling MFA is strongly discouraged.
Microsoft responded by recommending that customers follow the FBI's guidance and apply best practices against such scams, and said it is actively working to disrupt the criminal operations behind them. For businesses, the FBI advises restricting device code flows, blocking authentication-forwarding policies, and carefully auditing which legitimate business needs, if any, require that kind of access.
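One way to act on that audit advice is to review sign-in logs for completed device code authentications and triage them against each user's normal access pattern. The following is an added example written for this article, not code from the FBI or Microsoft; the records are constructed samples shaped like the Microsoft Graph `signIn` resource (the field names `authenticationProtocol`, `ipAddress`, `status.errorCode` are real, every value is made up), and the baseline rule is an assumption you would tune to your own environment.

```python
# Added example: flag Microsoft 365 sign-ins that completed through the device
# code flow, the mechanism Kali365 abuses. Sample records are constructed and
# follow the Microsoft Graph `signIn` resource layout; values are made up.
from collections import defaultdict

SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.10", "appDisplayName": "Outlook", "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.10", "appDisplayName": "Microsoft Teams", "status": {"errorCode": 0}},
    # Alice approved a device code, but the tokens were collected from an address
    # she has never signed in from interactively (the attacker's machine).
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.77", "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
    # Bob runs a CLI tool that legitimately relies on the device code flow.
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.20", "appDisplayName": "Outlook", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.20", "appDisplayName": "Microsoft Azure CLI", "status": {"errorCode": 0}},
    # A failed device code attempt; any non-zero errorCode means the sign-in failed.
    {"userPrincipalName": "carol@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.78", "appDisplayName": "Microsoft Office", "status": {"errorCode": 70020}},
]

def baseline_ips(records):
    """IPs seen per user in successful sign-ins that did NOT use the device code flow."""
    seen = defaultdict(set)
    for r in records:
        if r["status"]["errorCode"] == 0 and r["authenticationProtocol"] != "deviceCode":
            seen[r["userPrincipalName"]].add(r["ipAddress"])
    return seen

def device_code_findings(records):
    """One finding per successful device code sign-in. Severity is 'high' when the
    tokens went to an IP the user has no interactive history from; 'review' when
    the IP is known (confirm a genuine business need, as the FBI advises)."""
    known = baseline_ips(records)
    findings = []
    for r in records:
        if r["authenticationProtocol"] != "deviceCode" or r["status"]["errorCode"] != 0:
            continue
        user = r["userPrincipalName"]
        severity = "review" if r["ipAddress"] in known[user] else "high"
        findings.append({"user": user, "ip": r["ipAddress"],
                         "app": r["appDisplayName"], "severity": severity})
    return findings

if __name__ == "__main__":
    for f in device_code_findings(SAMPLE_SIGNINS):
        print(f"{f['severity']:6} {f['user']} via {f['app']} from {f['ip']}")
```

Run against real exports, the "review" findings are the list of device code users to confirm or cut off, and any "high" finding warrants revoking the user's sessions and tokens before investigating further.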