FBI warns Microsoft users about passwordless scam

The information measurement galore of america spot astir whitethorn not support america the mode we think. The FBI is informing astir an emerging phishing-as-a-service level called Kali365. It targets Microsoft 365 accounts, including Outlook, Teams and OneDrive.

That unsocial sounds bad. The scarier portion is however it works. This scam tin get into your relationship without stealing your password. Even with multifactor authentication turned on, 1 incorrect device-code support could springiness a transgression access.

Here's however the scam works, wherefore it tin gaffe past MFA and what you tin bash to support your Microsoft account.

Sign up for my FREE CyberGuy Report

• Get my champion tech tips, urgent information alerts and exclusive deals delivered consecutive to your inbox.
• For simple, real-world ways to spot scams aboriginal and enactment protected, sojourn CyberGuy.com - trusted by millions who ticker CyberGuy connected TV daily.
• Plus, you'll get instant entree to my Ultimate Scam Survival Guide escaped erstwhile you join.

NEW FBI WARNING REVEALS PHISHING ATTACKS HITTING PRIVATE CHATS

A fake device-code petition tin instrumentality Microsoft 365 users into approving entree without ever sharing a password. (Kurt "CyberGuy" Knutsson)

How Kali365 tricks Microsoft users

Kali365 is simply a phishing-as-a-service platform. In different words, crooks tin subscribe to it and usage ready-made tools to onslaught Microsoft 365 accounts. The FBI says Kali365 was archetypal seen successful April 2026 and has chiefly dispersed done Telegram. The level gives attackers entree to AI-generated phishing messages, automated run templates, tracking dashboards and tools that seizure OAuth tokens. That past portion is the key.

OAuth tokens are integer entree keys. They tin fto an app enactment connected to your Microsoft relationship without asking for your password each time. They are utile erstwhile the close app uses them. They are unsafe erstwhile a scammer steals them.

Why this scam tin bushed MFA

Most phishing scams effort to bargain your password. Kali365 takes a antithetic route. The onslaught abuses Microsoft's instrumentality codification login process. You whitethorn person seen thing akin erstwhile signing into a streaming app connected a astute TV. A surface shows a abbreviated code. Then you participate that codification connected different instrumentality to o.k. the sign-in.

That process is legitimate. The scam begins erstwhile a transgression starts the sign-in from their ain instrumentality and tricks you into approving it. You whitethorn spot a phishing email that looks similar it came from a trusted unreality work oregon document-sharing tool. The connection includes a codification and tells you to sojourn a existent Microsoft verification page.

That existent Microsoft leafage is what makes this truthful sneaky. The web code tin look right. Your password manager whitethorn not object. The leafage whitethorn consciousness safe. But erstwhile the codification gets entered, you whitethorn unknowingly authorize the attacker's device. From there, the attacker tin seizure entree and refresh tokens. That tin unfastened the doorway to Outlook, Teams and OneDrive without your password oregon different MFA prompt.

QR CODE EMAIL SCAM TARGETS EMPLOYEE REVIEWS

Scammers tin usage a morganatic Microsoft sign-in leafage to marque the phishing effort consciousness overmuch much convincing. (Neil Godwin/Future via Getty Images)

Why this should interest tiny businesses too

A scam similar this tin deed anyone with Microsoft 365 access. Still, tiny businesses should wage adjacent attention. Think astir what sits wrong a emblematic enactment account. Email threads. Invoices. Shared files. Employee chats. Vendor contacts. Customer details. Calendar invites. One compromised relationship tin springiness a transgression a precise believable voice.

A scammer who gets into Outlook tin survey however you write. They tin nonstop messages from your existent account. They tin inquire coworkers to wage fake invoices, stock files oregon reset passwords. That to maine is scary due to the fact that the scam whitethorn not look similar a scam anymore. It whitethorn travel from idiosyncratic you know.

How the onslaught unfolds

The FBI describes the strategy successful a wide sequence. First, the unfortunate gets a phishing email that pretends to travel from a trusted productivity oregon file-sharing service. Next, the email provides a instrumentality codification and tells the unfortunate to participate it connected a morganatic Microsoft verification page.

Then, the unfortunate enters the codification and unknowingly approves the attacker's device. After that, the attacker captures OAuth entree and refresh tokens. Finally, the attacker tin entree Microsoft 365 services specified arsenic Outlook, Teams and OneDrive without needing the victim's password.

Red flags to ticker for

The biggest informing motion is an unexpected petition to participate a Microsoft instrumentality code. Be suspicious if an email tells you to participate a codification for a file, voicemail, invoice oregon shared papers you did not request.

Also, ticker for urgency. Scammers emotion messages that propulsion you to enactment fast. They whitethorn assertion a papers volition expire, a voicemail is waiting, oregon an relationship needs verification.

Another hint is context. If you were not trying to motion successful to a device, bash not participate a instrumentality code. That 1 wont tin halt this scam earlier it starts.

If a Microsoft codification appears successful an unexpected email, substance oregon Teams message, halt and spell straight to your account. (Kurt "CyberGuy" Knutsson)

What Microsoft says astir the Kali365 phishing warning

In effect to CyberGuy, Microsoft said customers should travel the FBI's recommendations arsenic good arsenic Microsoft's published champion practices to support against Kali365 and akin scams.

The institution besides said it works to disrupt cybercriminal ecosystems tied to phishing-as-a-service and relationship takeover activity. Microsoft pointed to caller Digital Crimes Unit actions involving Fake ONNX, RaccoonO365 and Tycoon 2FA arsenic examples of those broader efforts.

How to support your Microsoft 365 relationship from Kali365

A fewer astute habits tin assistance you spot fake device-code requests, trim your vulnerability and travel the FBI’s guidance for limiting this benignant of attack.

1) Never participate a instrumentality codification you did not request

Only participate a Microsoft instrumentality codification erstwhile you personally started the sign-in. If the codification arrives done an email, Teams connection oregon random papers link, stop.

2) Go straight to Microsoft

Do not usage links wrong astonishment messages. Open your browser and spell straight to Microsoft oregon your company's Microsoft 365 portal.

3) Check your relationship activity

Review caller sign-ins, connected devices and progressive sessions. If you spot a location, instrumentality oregon app you bash not recognize, instrumentality enactment close away.

4) Revoke suspicious sessions

If you deliberation you entered a codification by mistake, motion retired of each sessions and revoke suspicious app access. Then alteration your password and interaction your IT team.

5) Keep MFA turned on

Do not crook disconnected multifactor authentication due to the fact that of this scam. MFA inactive blocks galore relationship attacks. This menace shows wherefore you besides request to beryllium cautious with support prompts and instrumentality codes.

6) Use beardown information software

Using beardown antivirus bundle tin assistance observe phishing pages, malicious links and suspicious downloads earlier they origin damage. Get my picks for the champion 2026 antivirus extortion winners for your Windows, Mac, Android & iOS devices astatine Cyberguy.com

7) Use a information removal service

Scammers often physique convincing phishing messages with idiosyncratic details recovered online. A information removal work tin assistance trim the magnitude of your accusation disposable connected people-search sites and information broker databases. Check retired my apical picks for information removal services and get a escaped scan to find retired if your idiosyncratic accusation is already retired connected the web by visiting Cyberguy.com

8) Train your squad connected device-code scams

Employees whitethorn cognize not to benignant passwords into unusual pages. Many person ne'er been warned astir instrumentality codes. Make this circumstantial scam portion of your information training.

9) Restrict instrumentality codification travel if your concern does not request it

The FBI says restricting instrumentality codification travel tin assistance forestall oregon bounds this benignant of attack. IT teams should make a conditional entree argumentation to artifact instrumentality codification travel for each users, with constricted exceptions for required concern processes.

10) Audit instrumentality codification usage first

Before blocking instrumentality codification flow, the FBI recommends auditing existent usage to place morganatic concern needs. That tin assistance forestall disruptions for employees oregon systems that trust connected this sign-in method.

11) Block authentication transportation policies

The FBI besides recommends blocking authentication transportation policies. This tin assistance forestall users from transferring authentication from computers to mobile devices.

12) Protect exigency entree accounts

If your enactment cannot afloat restrict instrumentality codification flow, the FBI recommends excluding exigency entree accounts to forestall lockouts. That measurement should beryllium handled cautiously by your IT oregon information team.

13) Report the attack

If you were targeted oregon compromised, study it to the FBI's Internet Crime Complaint Center astatine IC3.gov. Include phishing emails, email headers, suspicious login times, IP addresses, locations, unauthorized devices and progressive sessions.

What to bash if you person already entered a code

Move quickly.

• Sign retired of Microsoft 365 connected each devices.
• Change your password.
• Check your betterment email and telephone number.
• Review forwarding rules successful Outlook.
• Look for unusual inbox rules that hide, delete oregon redirect emails.
• Then reappraisal OneDrive files, Teams messages and caller relationship activity.
• If this is simply a enactment account, archer your IT squad immediately. Do not hold to spot what happens. Stolen tokens tin springiness attackers continued entree until they are revoked.

Kurt's cardinal takeaways

This is the benignant of scam that tin fool astute radical due to the fact that it uses a existent Microsoft sign-in leafage to propulsion disconnected thing criminal. That is what makes Kali365 truthful dangerous. It tin crook a trusted information measurement into a trap, particularly erstwhile the codification did not travel from a signed-in user. The large takeaway present is to dilatory down earlier entering immoderate Microsoft instrumentality code. If a codification shows up done an unexpected email, substance oregon Teams message, halt and spell straight to the relationship instead. Do not o.k. a sign-in unless it was started connected purpose. A fewer other seconds of caution tin assistance support criminals retired of Outlook, Teams, OneDrive and everything connected to them.

Have you ever received a Microsoft codification oregon login punctual you did not request, and did it look convincing capable to marque you pause? Let america cognize by penning to america astatine Cyberguy.com

CLICK HERE TO DOWNLOAD THE FOX NEWS APP

Sign up for my FREE CyberGuy Report

• Get my champion tech tips, urgent information alerts and exclusive deals delivered consecutive to your inbox.
• For simple, real-world ways to spot scams aboriginal and enactment protected, sojourn CyberGuy.com - trusted by millions who ticker CyberGuy connected TV daily.
• Plus, you'll get instant entree to my Ultimate Scam Survival Guide escaped erstwhile you join.

Copyright 2026 CyberGuy.com. All rights reserved.