Technologyfbi alert outlook onedrive
Summary (tl;dr)
The Federal Bureau of Investigation (FBI) has issued a warning regarding "Kali365," a new phishing-as-a-service platform that enables cybercriminals to bypass multi-factor authentication and gain unauthorized access to Microsoft 365 accounts, including Outlook, Teams, and OneDrive.
Essential Background
Phishing is a common cybercrime technique where attackers attempt to trick individuals into revealing sensitive information, often through deceptive emails or websites. Multi-factor authentication (MFA) adds an extra layer of security by requiring users to provide two or more verification factors to gain access, making it significantly harder for unauthorized individuals to log in even if they have a password. Recently, sophisticated "phishing-as-a-service" (PhaaS) platforms have emerged, which provide less technical attackers with ready-to-use tools and infrastructure to conduct large-scale phishing campaigns.
The Full Story
On May 21, the FBI issued a Public Service Announcement alerting the public to Kali365, a new PhaaS platform first observed in April 2026. This platform, distributed primarily via Telegram, allows cybercriminals to obtain Microsoft 365 access tokens and bypass MFA protocols without intercepting a user's password. The scam works by sending phishing emails that impersonate legitimate cloud productivity and document-sharing services. These emails contain a device code and instructions for the recipient to visit a genuine Microsoft verification page and enter the code. Unbeknownst to the victim, entering this code unknowingly authorizes the attacker's device to access their account, allowing the attacker to capture OAuth access and refresh tokens. With these tokens, cybercriminals can then access Microsoft 365 services like Outlook, Teams, and OneDrive without needing a password or completing any further MFA challenges. The FBI notes that Kali365 lowers the barrier of entry for attackers by providing AI-generated phishing lures, automated campaign templates, and real-time tracking dashboards.
Why It Matters
This trend is significant because it allows less-technical cybercriminals to conduct highly effective attacks that circumvent what many consider a strong security measure: multi-factor authentication. Once access is gained, attackers can engage in various malicious activities, including data theft, fraud, extortion, and ransomware attacks. The use of legitimate Microsoft infrastructure in the scam makes it particularly difficult for victims to detect. The FBI recommends that organizations implement Conditional Access policies to block device code flow for most users and audit existing usage to identify legitimate dependencies. Individuals are advised to be cautious of unsolicited emails that prompt action or include links, and to verify the validity of emails before clicking on anything.
Geographic Location
- FBI Headquarters, Washington, D.C., District of Columbia, United States (issuance of public service announcement regarding Kali365 phishing scam)