FBI warns about phishing tool that takes Microsoft 365 accounts

The FBI has issued a warning regarding new hacking tools that allow cybercriminals to take over Microsoft 365 accounts—like Outlook, Teams, and OneDrive—while completely bypassing multi-factor authentication.

Last week, the Bureau released a public service announcement about a phishing toolkit dubbed Kali365. This tool has been used to steal Microsoft 365 access tokens and infiltrate accounts without needing to capture passwords.

Authorities emphasize that Kali365 simplifies sophisticated phishing operations, making them accessible to less experienced hackers who might not have had previous technical knowledge.

According to the FBI, “Kali365 lowers the barrier to entry,” giving these attackers tools such as AI-generated phishing templates, automated campaign setups, and real-time dashboards for tracking targets.

This scheme abuses Microsoft’s implementation of the standard OAuth 2.0 device code flow, an authentication method intended for input-constrained devices such as smart TVs and streaming-service apps, where the user signs in from a second device by entering a short code.

Instead of pilfering passwords directly, hackers manipulate victims into entering a code on the legitimate Microsoft login page, inadvertently authenticating the hackers’ device.

The FBI stated, “Device code flow is a legitimate authentication method that is actively exploited by cybercriminals to bypass multi-factor authentication.” By deceiving users into inputting this code, attackers can gain lasting access to accounts without ever needing the original credentials.

Victims typically receive phishing emails that mimic Microsoft services including SharePoint and OneDrive, prompting them to visit a genuine login page for a temporary verification code.

After the victim completes this, Microsoft provides a valid OAuth access token and refresh token directly to the hacker.

This gives these cybercriminals the capability to access Outlook inboxes, Teams accounts, and cloud-stored files—again, without the need for the victim’s password.

The FBI underscores that attackers could maintain ongoing access to these accounts until the tokens are manually revoked.

Matt Burk, chief information security officer at Bespoke Concierge MD, noted that Microsoft’s broad adoption of multi-factor authentication has compelled cybercriminals to adapt their tactics, making their attacks even more effective.

When asked about the most vulnerable individuals or industries, Burk warned that nearly anyone using Microsoft 365 is at risk. “I really hate to generalize, but it affects everyone from small businesses to large corporations,” he remarked.

Burk suggested that organizations implement third-party security information and event management (SIEM) systems that can flag unusual authentication activity linked to token theft.

“These tools help us identify access like the Kali365 exploit and can automatically sever connections with proper security protocols,” he added.
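As an added illustration of the kind of SIEM rule described above (this is example code, not from the FBI, Burk, or any vendor), the following Python flags device-code sign-ins in Microsoft Entra sign-in log records and raises the severity when the same user also signed in normally from a different country shortly before, which is the pattern the article describes (the victim at the real login page, the token issued elsewhere). The field names follow the Microsoft Graph signIn schema; the records themselves are constructed sample data.

```python
import json
from datetime import datetime, timedelta

# Constructed sample sign-in records, modelled on Microsoft Entra sign-in log
# fields (authenticationProtocol, ipAddress, location). All values are invented.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2025-03-03T09:02:11Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "authorizationCode", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "US"}, "appDisplayName": "Microsoft Office"},
    {"createdDateTime": "2025-03-03T09:14:50Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7",
     "location": {"countryOrRegion": "NL"}, "appDisplayName": "Microsoft Office"},
    {"createdDateTime": "2025-03-03T10:30:00Z", "userPrincipalName": "bob@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.22",
     "location": {"countryOrRegion": "US"}, "appDisplayName": "Microsoft Teams"},
]


def device_code_alerts(signins, window=timedelta(hours=1)):
    """Return one alert per device-code sign-in. Severity is 'high' when the same
    user had a non-device-code sign-in from a different country within `window`
    (user at the legitimate login page, token delivered to another location);
    otherwise 'medium', since device code flow is rare for ordinary users."""
    parsed = sorted(
        ({**s, "ts": datetime.fromisoformat(s["createdDateTime"].replace("Z", "+00:00"))}
         for s in signins),
        key=lambda s: s["ts"],
    )
    alerts = []
    for i, s in enumerate(parsed):
        if s["authenticationProtocol"] != "deviceCode":
            continue
        severity = "medium"
        for other in parsed[:i]:  # earlier events only
            if (other["userPrincipalName"] == s["userPrincipalName"]
                    and other["authenticationProtocol"] != "deviceCode"
                    and s["ts"] - other["ts"] <= window
                    and other["location"]["countryOrRegion"] != s["location"]["countryOrRegion"]):
                severity = "high"
                break
        alerts.append({"user": s["userPrincipalName"], "ip": s["ipAddress"],
                       "country": s["location"]["countryOrRegion"], "severity": severity,
                       "action": "revoke refresh tokens and contact user"
                       if severity == "high" else "verify sign-in with user"})
    return alerts


if __name__ == "__main__":
    for alert in device_code_alerts(SAMPLE_SIGNINS):
        print(json.dumps(alert))
```

In a real deployment the records would come from the Entra sign-in log export rather than the inline list, and the "high" action maps to revoking the user's refresh tokens, which is what ends the persistent access the FBI describes.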

Experts stress that everyday users should heed this warning, as the threat targets commonly used cloud computing platforms.

Cybersecurity researchers believe that the rise of Kali365 signifies a significant advancement in the underground phishing-as-a-service market, where sophisticated hacking tools are sold to less skilled criminals via subscription services on platforms like Telegram and dark web forums.

First identified last month, Kali365 has rapidly gained traction among cybercriminal organizations.

This platform facilitates phishing campaigns and includes a dashboard for attackers to track their victims in real time.

Federal authorities indicated that this operation is part of a larger effort targeting Microsoft 365 environments globally.

One notorious group, known as Scattered Spider or Octo Tempest, is recognized for its aggressive social engineering tactics and SIM swapping attacks aimed at major corporations.

Another group, Storm-2949, focuses on compromising IT administrators and senior executives by exploiting Microsoft’s password reset systems and cloud authentication mechanisms.

The Post has contacted Microsoft for further comment.
