The FBI has put out a warning about “Kali365,” a phishing‑as‑a‑service (PhaaS) platform that helps even low‑skilled attackers hijack Microsoft 365 accounts by stealing access tokens instead of passwords.

Although early reporting focuses on attacks against organizations, the underlying technique works just as easily against individual Microsoft 365 users who are tricked into entering a short code on a real Microsoft website. In other words, this is not just a business or IT department problem. It could affect anyone with an Outlook, OneDrive, or Microsoft 365 subscription.

What to Look For
The biggest warning sign is an unexpected request to enter a Microsoft device code. Be suspicious if an email tells you to enter a code for a file, voicemail, invoice or shared document you did not request.

Also, watch for urgency. Scammers love messages that push you to act fast. They may claim a document will expire, a voicemail is waiting, or an account needs verification.

Another clue is context. If you were not trying to sign in to a device, do not enter a device code. That one habit can stop this scam before it starts.

What You Should Do

  • Never enter a code at a Microsoft login page just because an email or message tells you to. You should only do this when you initiated the sign‑in yourself on your own device.
  • Slow down and read the prompts. Rushing through login approvals without reading them carefully can be costly.
  • Be suspicious of unexpected document shares, Teams invites, or login requests, even if they use legitimate Microsoft pages.
  • Review which devices are logged in under your account at https://account.microsoft.com/devices/. If you see unfamiliar devices or sign‑ins, remove them, change your Microsoft account password, and review your security settings.
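For the security team side of this notice, here is an added example (not from the original page or from Microsoft) that reviews sign-in records for device-code authentications, the flow this phishing abuses, and ranks each one by whether the user has signed in from that country before. It assumes records in the shape of an Entra ID sign-in log export; the field names are assumptions about that schema, and the sample records are constructed.

```python
"""Flag Microsoft 365 device-code sign-ins worth a closer look.

Added example, not part of the original notice. Field names such as
authenticationProtocol, userPrincipalName, ipAddress and countryOrRegion are
assumptions about the Entra ID sign-in log export schema; the sample
records below are constructed.
"""
import json
from collections import defaultdict

# Constructed sample: alice's only device-code sign-in comes from a country she
# has never signed in from; bob's comes from his usual country.
SAMPLE_LOG = """
{"userPrincipalName": "alice@example.com", "authenticationProtocol": "none", "ipAddress": "203.0.113.10", "countryOrRegion": "US", "createdDateTime": "2024-05-01T09:00:00Z"}
{"userPrincipalName": "alice@example.com", "authenticationProtocol": "none", "ipAddress": "203.0.113.11", "countryOrRegion": "US", "createdDateTime": "2024-05-02T09:05:00Z"}
{"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7", "countryOrRegion": "NL", "createdDateTime": "2024-05-03T14:22:00Z"}
{"userPrincipalName": "bob@example.com", "authenticationProtocol": "none", "ipAddress": "203.0.113.40", "countryOrRegion": "US", "createdDateTime": "2024-05-02T08:00:00Z"}
{"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.50", "countryOrRegion": "US", "createdDateTime": "2024-05-03T15:00:00Z"}
"""


def parse_signins(text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def flag_device_code_signins(records):
    """Return every device-code sign-in, in log order, with a severity.

    Device-code authentication is rare for ordinary users and is exactly the
    flow Kali365-style phishing abuses, so each one is reported. A sign-in
    from a country the user has not otherwise signed in from is marked high.
    """
    usual_countries = defaultdict(set)
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            usual_countries[r["userPrincipalName"]].add(r.get("countryOrRegion"))
    findings = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        new_location = r.get("countryOrRegion") not in usual_countries[r["userPrincipalName"]]
        findings.append({
            "user": r["userPrincipalName"],
            "time": r["createdDateTime"],
            "ip": r["ipAddress"],
            "severity": "high" if new_location else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in flag_device_code_signins(parse_signins(SAMPLE_LOG)):
        print(finding)
```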

Have Questions? Reach out to a member of the BMT Security Team.