FBI Warns Microsoft Users About New Passwordless Scam Targeting Outlook, Teams, and OneDrive

The Federal Bureau of Investigation (FBI) has issued a serious warning to millions of Microsoft users about an emerging cyber threat known as Kali365, a sophisticated phishing scam capable of stealing access to Microsoft accounts without ever requiring a password.

The scam specifically targets users of Microsoft 365 services, including:

  • Microsoft Outlook
  • Microsoft Teams
  • Microsoft OneDrive
  • Microsoft Office 365 accounts

Security experts say this new attack is especially dangerous because it can bypass traditional security measures, including multi-factor authentication (MFA), which many users consider their strongest defense against hackers.

What Is the Kali365 Scam?

Kali365 is a Phishing-as-a-Service (PhaaS) platform that appeared in early 2026. It is reportedly being distributed through underground cybercrime channels and allows even low-skilled hackers to launch sophisticated phishing campaigns.

Unlike traditional phishing attacks that try to steal usernames and passwords, Kali365 uses a technique that abuses Microsoft’s legitimate OAuth device code authentication system.

This means attackers can gain access to your account without ever knowing your password.

How the Scam Works

The attack typically follows these steps:

Step 1: Fake Login Request

Victims receive:

  • Emails
  • Microsoft Teams messages
  • Text messages
  • Fake support requests

These messages often appear to come from:

  • Co-workers
  • IT departments
  • Microsoft support
  • Trusted organizations

Step 2: Device Code Prompt

The victim is instructed to enter a verification code into a legitimate Microsoft login page.

Because the page is actually owned by Microsoft, users often believe the request is safe.

Step 3: Attackers Gain Access

Once the code is entered, hackers receive authentication tokens that grant access to the victim’s account.

The stolen tokens can provide access to:

  • Emails
  • Cloud storage
  • Documents
  • Company communications
  • Sensitive personal information

Why This Scam Is So Dangerous

The FBI says the attack is particularly concerning because it:

  • Doesn’t require your password
  • Can bypass MFA protections
  • Uses legitimate Microsoft infrastructure
  • Is difficult to detect
  • Allows persistent access to accounts

Cybercriminals can remain inside an account for extended periods, stealing information and potentially launching additional attacks against organizations and contacts.

Who Is at Risk?

Anyone using Microsoft services could become a target, including:

  • Business professionals
  • Remote workers
  • Students
  • Government employees
  • Personal Microsoft account users

Organizations that rely heavily on Microsoft 365 are especially vulnerable because compromised accounts can expose sensitive business data.

Warning Signs of the Scam

Be cautious if you receive:

Unexpected Authentication Requests

Never approve a login request you didn’t initiate.

Urgent Messages

Scammers often create a sense of urgency, claiming immediate action is required.

Requests to Enter Device Codes

If someone asks you to enter a Microsoft verification code, verify the request independently.

Strange Emails or Teams Messages

Be suspicious of unusual messages, even if they appear to come from colleagues.

How to Protect Yourself

1. Never Enter Device Codes You Didn’t Request

This is the FBI’s top recommendation.

If you didn’t initiate the login, do not enter any verification codes.

2. Review Account Activity Regularly

Check:

  • Login history
  • Connected devices
  • Recent sign-ins

Remove anything unfamiliar immediately.
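For an organization, "login history" means the Microsoft Entra sign-in log rather than a single account's activity page. Because a Kali365-style compromise completes through the device code flow, the most useful thing to check is which sign-ins used that flow at all, and whether they came from somewhere the user has never signed in from interactively. The script below is an added example (not code from the article, the FBI, or Microsoft) that runs that check over a few constructed log records. It assumes the Graph sign-in log field names `authenticationProtocol` (with the value `deviceCode`), `userPrincipalName`, `ipAddress`, `location.countryOrRegion` and `appDisplayName`; confirm these against your own tenant's export before relying on it.

```python
import json
from collections import defaultdict

# Constructed sample sign-in records (not real log data). Field names follow
# the Entra ID / Microsoft Graph sign-in log schema as an assumption.
# IP addresses are from the documentation-only TEST-NET ranges.
SAMPLE_SIGNIN_LOG = [
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2026-02-03T08:55:00Z",
     "authenticationProtocol": "none", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "US"}, "appDisplayName": "Microsoft Teams"},
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2026-02-03T09:12:00Z",
     "authenticationProtocol": "none", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "US"}, "appDisplayName": "Outlook"},
    # Device code sign-in from a country alice has never used interactively.
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2026-02-03T09:40:00Z",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7",
     "location": {"countryOrRegion": "NL"}, "appDisplayName": "Microsoft Office"},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2026-02-03T10:01:00Z",
     "authenticationProtocol": "none", "ipAddress": "203.0.113.22",
     "location": {"countryOrRegion": "US"}, "appDisplayName": "OneDrive"},
    # Device code sign-in that matches bob's usual country (e.g. a smart-TV app);
    # still worth a look, but less alarming than alice's.
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2026-02-03T10:30:00Z",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.22",
     "location": {"countryOrRegion": "US"}, "appDisplayName": "Microsoft Teams"},
]


def find_device_code_signins(records):
    """Return every sign-in that completed through the OAuth device code flow."""
    return [r for r in records if r.get("authenticationProtocol") == "deviceCode"]


def baseline_countries(records):
    """Map each user to the countries seen in their ordinary (non-device-code) sign-ins."""
    seen = defaultdict(set)
    for r in records:
        if r.get("authenticationProtocol") == "deviceCode":
            continue
        country = r.get("location", {}).get("countryOrRegion")
        if country:
            seen[r["userPrincipalName"]].add(country)
    return seen


def triage_device_code_signins(records):
    """Produce one alert per device code sign-in.

    Severity is 'high' when the sign-in's country is absent from the user's
    interactive baseline (the pattern a phished device code produces), and
    'medium' otherwise, so an analyst still reviews it but with lower urgency.
    """
    baseline = baseline_countries(records)
    alerts = []
    for r in find_device_code_signins(records):
        user = r["userPrincipalName"]
        country = r.get("location", {}).get("countryOrRegion", "unknown")
        known = baseline.get(user, set())
        unfamiliar = country not in known
        alerts.append({
            "user": user,
            "time": r.get("createdDateTime"),
            "ip": r.get("ipAddress"),
            "country": country,
            "app": r.get("appDisplayName"),
            "severity": "high" if unfamiliar else "medium",
            "reason": ("device code sign-in from country outside user's interactive baseline"
                       if unfamiliar else "device code sign-in from a known country"),
        })
    return alerts


if __name__ == "__main__":
    print(json.dumps(triage_device_code_signins(SAMPLE_SIGNIN_LOG), indent=2))
```

Run against a real export, the "high" alerts are the ones to act on first: confirm with the user whether they entered a code, and if not, revoke that user's sessions and tokens before investigating further. Where the device code flow has no legitimate use in your tenant, blocking it outright with an Entra Conditional Access policy (the "Authentication flows" condition) removes this whole class of sign-in rather than merely detecting it.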

3. Enable Security Alerts

Microsoft allows users to receive notifications when:

  • New devices sign in
  • Passwords change
  • Security settings are modified

4. Use Strong Authentication Methods

Consider using:

  • Microsoft Authenticator
  • Passkeys
  • Hardware security keys

5. Train Employees and Family Members

Cybersecurity awareness remains one of the best defenses against phishing attacks.

What to Do If You Fall Victim

If you believe you entered a device code or approved an unauthorized login:

  1. Change your password immediately.
  2. Sign out of all active sessions.
  3. Revoke suspicious app permissions.
  4. Enable additional security features.
  5. Contact your organization’s IT department.
  6. Report the incident to the FBI’s Internet Crime Complaint Center (IC3).

The sooner you act, the better your chances of preventing further damage.

The Bigger Picture

Cybercriminals are continuously evolving their tactics, and the Kali365 scam shows that even advanced security measures like multi-factor authentication can be exploited through social engineering.

The FBI warns that phishing attacks are becoming increasingly sophisticated and often use legitimate platforms to trick victims into granting access voluntarily.

As passwordless technologies become more common, users must remain vigilant and understand that even secure authentication systems can be manipulated if scammers convince users to participate.

Final Thoughts

The FBI’s latest warning serves as an important reminder that cybersecurity is about more than passwords. Attackers are now finding ways to exploit trust and human behavior rather than simply stealing credentials.

If you use Microsoft Outlook, Teams, OneDrive, or Microsoft 365, take this warning seriously. Always verify unexpected login requests, avoid entering device codes you didn’t initiate, and monitor your account activity regularly.

A few extra seconds of caution could prevent a major security breach.
