FBI Issues Scam Warning for Users of Microsoft Outlook, Teams

(TNS) — The Federal Bureau of Investigation is warning about a fast-spreading scam targeting users of popular Microsoft 365 products like Outlook, Teams and OneDrive.

In a May 21 alert from the FBI’s Internet Crime Complaint Center, the agency warned about Kali365, a new scam that allows cybercriminals to capture Microsoft tokens to bypass multi-factor authentication without stealing a user’s password.

By stealing what’s known as OAuth device codes for Microsoft 365 accounts – digital keys that allow an application to access data without you sharing a password – cybercriminals can gain access to information for a host of malicious activity, including data theft, fraud, extortion and ransomware attacks, Cyberscoop reported.

The attacks are less sophisticated, “providing less-technical attackers access to AI-generated phishing lures, automated campaign templates, real-time targeted individual entity/tracking dashboards and OAuth token capture capabilities,” the FBI warned.

Here’s how the scam works

An attacker sends a phishing email that’s designed to look like a trusted cloud productivity and document-sharing service. The phishing email contains a device code with instructions to visit a legitimate Microsoft verification page and enter the code.

Once that code is entered, the target has unknowingly given the attacker access to their account.

The attacker captures the OAuth access information, giving them access to the target’s Microsoft 365 account. Once there, they can access Outlook, Teams and OneDrive without needing a password or completing any other multi-factor authentication.

How to protect yourself

The scam can be particularly hard to catch, but the FBI recommended that organizations use Conditional Access policies to help deter the cybercriminals.

In general, you can protect yourself from phishing with these steps:
  • Don’t click on anything in an unsolicited email or text message. Look up the company’s phone number on your own (don’t use the one a potential scammer is providing) and call the company to ask if the request is legitimate.
  • Carefully examine the email address, URL, and spelling used in any correspondence. Scammers use slight differences to trick your eye and gain your trust.
  • Be careful what you download. Never open an email attachment from someone you don’t know and be wary of email attachments forwarded to you.
If you think you’ve been a victim of a Kali365 phishing attack, file a complaint with IC3. Be sure to include:
  • Any phishing emails (email header, body)
  • Suspicious logins (time, IP address, location)
  • Any unauthorized devices or active sessions added to the account
You can see more here.
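
For administrators collecting the suspicious-login details listed above (time, IP address, location), one approach is to filter sign-in records for the device code flow and check each hit against the user's earlier sign-ins. This is an added example, not part of the FBI alert or the original article; the field names are modelled on Microsoft Graph sign-in logs as an assumption, and the records are constructed sample data.

```python
import json
from collections import defaultdict

# Constructed sample records, one JSON object per line (not real data).
# Field names are modelled on Microsoft Graph sign-in logs; treat them as an
# assumption and adjust them to whatever your export actually contains.
SAMPLE_LOG = """\
{"createdDateTime":"2026-05-20T13:02:11Z","userPrincipalName":"alice@example.com","ipAddress":"198.51.100.10","location":{"city":"Austin","countryOrRegion":"US"},"authenticationProtocol":"none","status":{"errorCode":0}}
{"createdDateTime":"2026-05-21T09:15:40Z","userPrincipalName":"alice@example.com","ipAddress":"203.0.113.77","location":{"city":"Amsterdam","countryOrRegion":"NL"},"authenticationProtocol":"deviceCode","status":{"errorCode":0}}
{"createdDateTime":"2026-05-21T10:00:05Z","userPrincipalName":"bob@example.com","ipAddress":"198.51.100.20","location":{"city":"Denver","countryOrRegion":"US"},"authenticationProtocol":"none","status":{"errorCode":0}}
{"createdDateTime":"2026-05-21T10:30:52Z","userPrincipalName":"bob@example.com","ipAddress":"198.51.100.20","location":{"city":"Denver","countryOrRegion":"US"},"authenticationProtocol":"deviceCode","status":{"errorCode":0}}
{"createdDateTime":"2026-05-21T11:00:00Z","userPrincipalName":"carol@example.com","ipAddress":"203.0.113.90","location":{"city":"Oslo","countryOrRegion":"NO"},"authenticationProtocol":"deviceCode","status":{"errorCode":1}}
"""

def device_code_signins(log_text):
    """Return successful device-code sign-ins with time, IP and location."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    events.sort(key=lambda e: e["createdDateTime"])  # ISO 8601 UTC sorts as text
    seen_ips = defaultdict(set)  # user -> IPs from earlier non-device-code sign-ins
    findings = []
    for e in events:
        if e["status"]["errorCode"] != 0:  # 0 means the sign-in succeeded
            continue
        user, ip = e["userPrincipalName"], e["ipAddress"]
        if e.get("authenticationProtocol") == "deviceCode":
            loc = e.get("location", {})
            findings.append({
                "user": user,
                "time": e["createdDateTime"],
                "ip": ip,
                "location": f'{loc.get("city", "?")}, {loc.get("countryOrRegion", "?")}',
                "new_ip_for_user": ip not in seen_ips[user],
            })
        else:
            # Only ordinary sign-ins build the baseline, so an attacker's
            # device-code session never makes its own IP look familiar.
            seen_ips[user].add(ip)
    return findings

if __name__ == "__main__":
    for f in device_code_signins(SAMPLE_LOG):
        flag = "REVIEW FIRST" if f["new_ip_for_user"] else "known IP"
        print(f'{f["time"]}  {f["user"]}  {f["ip"]}  {f["location"]}  [{flag}]')
```

A device-code sign-in from an IP address the user has never used before is the pattern to review first; one from a known address may be a legitimate shared device, but is still worth confirming with the user.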

© 2026 Advance Local Media LLC. Distributed by Tribune Content Agency, LLC.