FBI Issues Warning on Phishing Scam Affecting Outlook, OneDrive, and Teams Users

Monday, June 1, 2026 | 1:08 PM (GMT-04.00) Last Updated 2026-06-01T17:10:50Z

A new online fraud is targeting Microsoft 365, one of the most widely used work tools, according to a report from the United States Federal Bureau of Investigation.

Microsoft 365, which many people use for personal and home-office purposes and, in many workplaces, as a required system for communication and productivity, includes well-known programs such as Microsoft Word, Outlook, OneDrive, and others.

In fact, Microsoft 365 supports work and email for hundreds of millions of people and businesses around the globe, including over a million companies in the U.S. alone. According to the FBI alert dated May 21, cybercriminals are exploiting the widespread use of Microsoft 365, having recently deployed a phishing attack platform called "Kali365" to illegally access Microsoft 365 accounts.


Here's what you need to be aware of regarding who is being targeted, the appearance of the scams, and additional information.

FBI warns about a scam involving Outlook and OneDrive

An FBI notice, released on May 21, 2026, cautioned about a fraudulent scheme where con artists follow these procedures:

  • Lure: A malicious actor sends a phishing email that mimics well-known cloud-based productivity and document-sharing platforms. The email includes a device code along with directions to visit a genuine Microsoft verification page and enter the code.
  • Authorization: The targeted individual or organization goes to the genuine Microsoft website and enters the device code, without realizing that this action grants the attacker's device access to their account.
  • Token theft: The attacker obtains OAuth access and refresh tokens, giving them entry to the targeted Microsoft 365 account.
  • Persistence: The attacker can now access Microsoft 365 services like Outlook, Teams, and OneDrive without needing a password or completing any additional multi-factor authentication steps.

To safeguard yourself, the FBI recommends the following steps:

  • Restricting the device code flow, so that device authentication codes are limited or blocked, can prevent or reduce this type of attack.
  • Implement a Conditional Access policy that blocks the device code flow for all users, with specific exceptions for essential business operations.
  • Review current device code flow usage to identify valid dependencies before putting the Conditional Access policy in place.
  • Block authentication transfer so that users cannot move authentication credentials from computers to mobile devices.
  • If you cannot fully restrict the device code flow, exclude emergency access accounts from the policy to avoid being locked out.
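As an added example (not the article's or the FBI's own code), the following Python builds the Conditional Access policy the list above describes and checks it for the lockout risk the last bullet warns about. It assumes the Microsoft Graph conditionalAccessPolicy schema, in which the authenticationFlows condition's transferMethods field accepts the flags "deviceCodeFlow" and "authenticationTransfer"; the emergency account IDs are constructed placeholders.

```python
"""Conditional Access policy blocking device code flow and authentication transfer.
Added example, not from the article or the FBI advisory. Assumes the Microsoft Graph
conditionalAccessPolicy schema, where conditions.authenticationFlows.transferMethods
takes the flags "deviceCodeFlow" and "authenticationTransfer".
"""
import json

# Constructed placeholder object IDs for emergency access (break-glass) accounts.
EMERGENCY_ACCESS_ACCOUNTS = ["11111111-2222-3333-4444-555555555555"]


def build_block_device_code_policy(emergency_accounts, enforce=False):
    """Body for POST /identity/conditionalAccess/policies (report-only unless enforce)."""
    return {
        "displayName": "Block device code flow and authentication transfer",
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            # All users, but break-glass accounts are excluded so a misfire cannot lock admins out.
            "users": {"includeUsers": ["All"], "excludeUsers": list(emergency_accounts)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            # Both flows the FBI list calls out: device code and desktop-to-mobile transfer.
            "authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def lockout_risks(policy):
    """Return the reasons a policy is unsafe to enforce; an empty list means it passes review."""
    problems = []
    cond = policy["conditions"]
    if not cond["users"].get("excludeUsers"):
        problems.append("no emergency access accounts are excluded")
    methods = cond.get("authenticationFlows", {}).get("transferMethods", "").split(",")
    if "deviceCodeFlow" not in methods:
        problems.append("policy does not target deviceCodeFlow")
    if policy["grantControls"].get("builtInControls") != ["block"]:
        problems.append("grant control is not 'block'")
    return problems


if __name__ == "__main__":
    policy = build_block_device_code_policy(EMERGENCY_ACCESS_ACCOUNTS)
    print(json.dumps(policy, indent=2))
    print("lockout risks:", lockout_risks(policy) or "none")
```

Start in report-only mode and read the sign-in log for what would have been blocked; add the business-critical exceptions from that review before switching enforce on.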

What is Kali365?

Kali365 is the newly emerging Phishing-as-a-Service or "PhaaS" platform highlighted in an FBI alert. According to FBI reports, Kali365 was first identified in April 2026 and has mainly been spread via the secure messaging app Telegram. It enables fraudsters to acquire Microsoft 365 access tokens and circumvent multi-factor authentication systems without needing to steal the user's login details.

A Kali365 subscription lets cyber threat actors defraud individuals by stealing OAuth tokens and accessing their Microsoft 365 accounts. The FBI states that Kali365 "reduces the difficulty" for scammers, providing "less-skilled attackers" with AI-created phishing tactics, automated campaign templates, and additional tools.

Who is being targeted by Kali365?

According to CyberScoop, the Kali365 phishing kit can be used against any Microsoft 365 user, whether you access it through a personal account or at work. So far, security researchers have mostly observed attackers targeting organizations, but the same method is equally effective against home users who are deceived by a convincing email.

What to do if you fall victim to the Kali365 scam

If you believe you have fallen victim to the Kali365 phishing attack, there's no need to erase your entire computer, but you should act quickly to protect your account, the FBI cautioned in its warning.

Update your Microsoft 365 password from a verified device and log out of all current sessions through your account settings to prevent unauthorized access. Next, check for issues: examine recent login activities for unusual locations or times, delete any unknown devices or sessions, and in Outlook, remove any inbox rules that you are not familiar with.
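The login review described above can be scripted. The following Python is an added example, not from the article: it triages exported sign-in records for device code flow sign-ins, ranking those from a country the user has never signed in from by other means as high. The record shape (authenticationProtocol, userPrincipalName, ipAddress, location, createdDateTime, appDisplayName) is assumed to mirror a Microsoft Entra sign-in log export, and the records are constructed samples.

```python
"""Triage Microsoft 365 sign-in records for device code flow sign-ins.
Added example, not from the article. Assumes an Entra sign-in log export where
authenticationProtocol is "deviceCode" for device code flow sign-ins; the
records below are constructed samples, not real users, IPs or locations.
"""
from collections import defaultdict

# Constructed sample sign-in records.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-05-20T08:02:11Z", "userPrincipalName": "ana@example.com",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "US"}, "appDisplayName": "Microsoft Office"},
    {"createdDateTime": "2026-05-20T08:05:40Z", "userPrincipalName": "ana@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7",
     "location": {"countryOrRegion": "NL"}, "appDisplayName": "Microsoft Office"},
    {"createdDateTime": "2026-05-20T09:15:02Z", "userPrincipalName": "ben@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.22",
     "location": {"countryOrRegion": "US"}, "appDisplayName": "Azure CLI"},
]


def device_code_alerts(records, approved_apps=("Azure CLI",)):
    """One alert per device code sign-in not from an approved app; severity is high
    when the country is outside the user's non-device-code baseline, else medium."""
    # Countries seen per user on ordinary (non-device-code) sign-ins form the baseline.
    baseline = defaultdict(set)
    for r in records:
        if r["authenticationProtocol"] != "deviceCode":
            baseline[r["userPrincipalName"]].add(r["location"]["countryOrRegion"])
    alerts = []
    for r in records:
        if r["authenticationProtocol"] != "deviceCode":
            continue
        if r.get("appDisplayName") in approved_apps:
            continue  # expected device code use, e.g. an admin tool on a headless host
        user = r["userPrincipalName"]
        country = r["location"]["countryOrRegion"]
        # Only rank high when a baseline exists and this country is not in it.
        severity = "high" if baseline[user] and country not in baseline[user] else "medium"
        alerts.append({"user": user, "ip": r["ipAddress"], "country": country,
                       "time": r["createdDateTime"], "severity": severity})
    return alerts


if __name__ == "__main__":
    for a in device_code_alerts(SAMPLE_SIGNINS):
        print(f"[{a['severity']}] {a['user']} device code sign-in from "
              f"{a['ip']} ({a['country']}) at {a['time']}")
```

Every alert is a session to revoke and a user whose mailbox rules should be checked, since the refresh token keeps working after a password change until the session is signed out.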

You should also ensure that multi-factor authentication is enabled, and if you're at work, inform your workplace IT department or the company's security team if this is a work-related account.

If you accessed attachments or executed a file from a phishing email, you should perform a complete antivirus scan and then report the incident — including the phishing email and any unusual logins or devices — to the Internet Crime Complaint Center. Monitor your other accounts if you used the same password.

Furthermore, the FBI asks that anyone impacted by the Kali365 phishing kit submit a report to the IC3 at ic3.gov, including any available details such as copies of phishing emails; suspicious logins, including the time, IP address, and location; and any unauthorized devices or active sessions that were added to the compromised account.

Damon C. Williams, of the USA TODAY NETWORK, assisted in preparing this report.

Iris Seaton works as a popular news correspondent for the Asheville Citizen Times, which is affiliated with the USA TODAY Network. You can contact her via iseaton@citizentimes.com.

This piece was first published in the Asheville Citizen Times: FBI issues alert about a phishing scam aimed at Outlook, OneDrive, and Teams users
