FBI alerts Microsoft 365 users about Kali365 scam that evades MFA security

Google’s Insights on AI-Driven Phishing Scams

Google’s General Counsel, Halimah Delaine Prado, has highlighted the alarming increase in phishing scams powered by artificial intelligence, particularly those originating from certain companies in China. These criminals are adeptly using AI to craft convincingly fake websites that mimic well-known brands, such as T-Mobile. This has resulted in significant financial losses for many Americans, amounting to millions. Prado discusses Google’s ongoing efforts to combat these sophisticated threats.

Emergence of Kali365 Phishing Platform

The FBI has issued a warning about a new phishing-as-a-service platform called Kali365, which targets Microsoft 365 accounts, including Outlook, Teams, and OneDrive. This is concerning because it gets around the security measures most users rely on, including multi-factor authentication.

What’s particularly unsettling is the method of attack. Kali365 can bypass traditional security systems without ever needing your password. Even with multi-factor authentication turned on, a single mistake, entering a code that authorizes someone else’s device, can compromise your account.

The Mechanics of the Scam

Kali365 works by allowing criminals to sign up and use standard tooling to target Microsoft 365 accounts. The platform, first identified in April 2026, is promoted primarily via Telegram. Attackers can craft AI-generated phishing messages, use automated templates, and abuse OAuth tokens. That last point matters: OAuth tokens are the digital keys that keep an app connected to your account so you don’t have to re-enter your password. While convenient, they pose a major risk if they fall into the wrong hands.

Why It Circumvents MFA

Unlike typical phishing attempts that focus on stealing passwords, Kali365 takes advantage of Microsoft’s device code login method. You might recall seeing this when logging into an app on your smart TV: the app displays a short code that you enter on another device to confirm the sign-in.

The process appears legitimate. The trap is set when a scammer initiates a sign-in from their own device and tricks you into authorizing it. The phishing email may look like it comes from a trusted source and contains a code along with directions to the real Microsoft verification page, which feels secure. But entering that code can unwittingly authorize the attacker’s device, giving them access to your Outlook, Teams, or OneDrive without your password ever being involved.

Implications for Small Businesses

This type of scam doesn’t discriminate; it can affect anyone using Microsoft 365, but small businesses should be especially vigilant. Consider what’s stored in a typical work account: emails, invoices, shared files, chats, vendor contacts, and customer data. Just one compromised account can lend credibility to a criminal, potentially allowing them to impersonate real employees.

Having access to Outlook means scammers can observe your communication style and send messages to colleagues requesting fake payments or sensitive information. That’s alarming, because a request that appears to come from a familiar colleague may never be recognized as a scam.

Steps to Take if You’re Targeted

The FBI outlines a sequence of events for this scam. First, victims receive a phishing email that mimics a trusted service. Next, they’re instructed to enter a device code into a legitimate Microsoft verification page, which ultimately leads them to authorize the attacker’s device.

If you notice unexpected requests for your device code, beware. Scrutinize emails asking you to enter codes for files or documents you didn’t request. Pay attention to messages that create a sense of urgency, like warnings about expiring documents or account verification needs.

Microsoft’s Recommendations

In light of this situation, Microsoft suggests customers follow the FBI guidelines and take preventive measures against scams like Kali365. The company also points to its own ongoing efforts to dismantle phishing and account-takeover services.

Actions to Protect Your Account

To safeguard your Microsoft 365 account from attacks like Kali365, consider these strategies:

  1. Never enter unsolicited device codes.
  2. Go directly to Microsoft for sign-ins instead of clicking links in unrecognized emails.
  3. Regularly check your account activity for any unfamiliar sign-ins or devices.
  4. Cancel any suspicious sessions and change your password if you think you’ve made a misstep.
  5. Keep multi-factor authentication active.
  6. Employ robust security software to detect phishing attempts.
  7. Utilize data deletion services to reduce personal information available online.
  8. Train employees about device code scams in security sessions.
  9. Restrict the device code flow if your business doesn’t need it.
  10. Conduct audits to understand legitimate usage before imposing restrictions.
  11. Consider blocking authentication transfer through policy to minimize risk.
  12. Safeguard your emergency access accounts specifically.
  13. Report any incidents to the FBI’s Internet Crime Complaint Center.
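Steps 3, 9 and 10 above amount to an audit of device code sign-ins before the flow is restricted. As an added example, not code from the article, the FBI or Microsoft, the Python script below triages a constructed JSON Lines export of Microsoft Entra sign-in records; it assumes the export carries the authenticationProtocol field (whose values include deviceCode and authenticationTransfer), summarizes per-user usage so an administrator knows what a restriction would break, and flags sign-ins that fall outside a known-good baseline.

```python
import json
from collections import defaultdict

# Flows the checklist says to audit and, if unused, restrict. These are the values
# Microsoft Entra sign-in logs record in the authenticationProtocol field.
RISKY_FLOWS = {"deviceCode", "authenticationTransfer"}

# Constructed sample export (JSON Lines), trimmed to the fields used here.
SAMPLE_LOG = """\
{"createdDateTime": "2026-04-10T08:01:00Z", "userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Teams", "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.20"}
{"createdDateTime": "2026-04-10T08:05:00Z", "userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.21"}
{"createdDateTime": "2026-04-10T09:12:00Z", "userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.77"}
{"createdDateTime": "2026-04-10T09:13:00Z", "userPrincipalName": "alice@example.com", "appDisplayName": "Outlook", "authenticationProtocol": "authenticationTransfer", "ipAddress": "203.0.113.77"}
{"createdDateTime": "2026-04-10T10:00:00Z", "userPrincipalName": "carol@example.com", "appDisplayName": "OneDrive", "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.22"}
"""

# Constructed baseline from the audit: (user, app) pairs known to use device code legitimately.
KNOWN_DEVICE_CODE_USAGE = {("bob@example.com", "Microsoft Office")}


def parse_signins(text: str) -> list[dict]:
    """Parse a JSON Lines export into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def risky_flow_signins(records: list[dict]) -> list[dict]:
    """Keep only sign-ins that completed via device code or authentication transfer."""
    return [r for r in records if r.get("authenticationProtocol") in RISKY_FLOWS]

def usage_report(records: list[dict]) -> dict[str, dict[str, set[str]]]:
    """Per user, the apps and source IPs seen with a risky flow (the audit before restricting)."""
    report = defaultdict(lambda: {"apps": set(), "ips": set()})
    for r in risky_flow_signins(records):
        report[r["userPrincipalName"]]["apps"].add(r["appDisplayName"])
        report[r["userPrincipalName"]]["ips"].add(r["ipAddress"])
    return dict(report)

def unexpected_signins(records: list[dict], known=KNOWN_DEVICE_CODE_USAGE) -> list[tuple[str, str, str]]:
    """Risky-flow sign-ins outside the baseline: ask the user whether they entered a code."""
    return [(r["createdDateTime"], r["userPrincipalName"], r["authenticationProtocol"])
            for r in risky_flow_signins(records)
            if (r["userPrincipalName"], r["appDisplayName"]) not in known]


if __name__ == "__main__":
    recs = parse_signins(SAMPLE_LOG)
    for user, info in usage_report(recs).items():
        print(f"{user}: apps={sorted(info['apps'])} ips={sorted(info['ips'])}")
    for when, user, flow in unexpected_signins(recs):
        print(f"REVIEW {when} {user} {flow}")
```

On the sample data Bob's Office sign-in is in the baseline and is left alone, while Alice's two sign-ins from an address never seen before are flagged for follow-up, which is the conversation (and session revocation) step 4 describes.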

If You’ve Already Entered a Code

It’s critical to act swiftly:

  • Log out of Microsoft 365 on all devices.
  • Change your password immediately.
  • Verify your recovery email and phone number.
  • Inspect your email inbox rules for anything you didn’t set up.
  • Check your OneDrive and Teams for unusual activity.
  • Inform your IT team if this is a work account to ensure prompt action.

Final Thoughts

This scam is particularly deceptive because it leverages genuine Microsoft sign-in pages. It highlights that even established security protocols can fall victim to clever tricks. Before entering any Microsoft device code, take a moment to pause and verify. If something feels off, don’t take the risk; go directly to your account instead. A little caution can go a long way in keeping your data safe.

Have you encountered a Microsoft code request that seemed suspicious? Reach out and share your experiences.
