New Phishing Scam Targets Microsoft Teams, Outlook, and OneDrive

If you're targeted by Kali365, you'll get a phishing email that appears to be from an authentic document-sharing platform.

Key Takeaways

  • Phishing emails are impersonating document-sharing platforms to steal users’ Microsoft 365 accounts.
  • You can avoid the scam by not entering your OAuth device code in response to an email.
  • The scam is powered by Kali365, a new “scamming-as-a-service” software tool that costs scammers $250 a month.

The FBI has issued an urgent warning about a fast-acting phishing scam operated by the hacking platform Kali365.

The scam targets Microsoft 365 users — anyone using Teams, Outlook, or OneDrive could be in danger.

The goal of the phishing scam is to trick potential victims into handing over their OAuth device codes, which the hackers can then use to bypass multifactor authentication and access Microsoft accounts. To stay safe, you’ll have to keep your OAuth tokens to yourself.

What Does the Scam Look Like?

If you’re targeted by Kali365, you’ll receive a phishing email that appears to be from an authentic document-sharing platform. It will have a device code and instructions on how to verify yourself.

The FBI’s warning, available online here, walks viewers through the four steps of the scam:

 


  • Lure: An email “impersonating trusted cloud productivity and document-sharing services,” containing a code, which asks users to go to “a legitimate Microsoft verification page and enter the code.”
  • Authorization: Entering this device code will actually give the scammer’s device access to the victim’s account.
  • Token Theft: The scammer then “captures OAuth access and refresh tokens, granting them access to the targeted individuals/entities’ Microsoft 365 account.”
  • Persistence: Armed with this access, the scammer can now gain access to even more Microsoft 365 services, like Outlook, Teams, and OneDrive, without needing to get any additional passwords or information.

What’s Kali365?

The threat doesn’t come from any single, unified hacking group. Instead, these phishing attempts might come from any scammer who owns the Kali365 platform, a subscription-based service aimed at helping scammers become more effective.

News of this “scamming-as-a-service” software tool first emerged to the general public in April 2026, but the tool has been circulating through closed groups on Telegram for a lot longer. According to a Bitdefender report, it costs about “$250 per month or $2,000 a year.”

How Can You Stay Safe?

The biggest thing you can do to avoid this particular scam is stay vigilant against any phishing emails. However, that’s easier said than done.

The FBI’s warning comes with a few technical tips for staying safe.

You can “create a conditional access policy to block device code flow for all users,” and you can block authentication transfer policies, so that anyone with unauthorized access can’t transfer their authentication between computers and mobile devices.
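As an added example (not from the FBI warning or this article), the Python check below audits exported Conditional Access policies to see whether device code flow and authentication transfer are actually blocked for all users, or only in report-only mode. It assumes policies in the Microsoft Graph JSON shape (`conditions.authenticationFlows.transferMethods`, `grantControls.builtInControls`); the sample policies and their display names are constructed, and user exclusions are not evaluated.

```python
import json

FLOWS = ("deviceCodeFlow", "authenticationTransfer")

# Constructed sample in the shape of Microsoft Graph conditional access policies.
SAMPLE_POLICIES = json.loads("""[
 {"displayName": "Require MFA for all users", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"]},
                 "applications": {"includeApplications": ["All"]}},
  "grantControls": {"builtInControls": ["mfa"]}},
 {"displayName": "Block device code (pilot)", "state": "enabledForReportingButNotEnforced",
  "conditions": {"users": {"includeUsers": ["All"]},
                 "applications": {"includeApplications": ["All"]},
                 "authenticationFlows": {"transferMethods": "deviceCodeFlow"}},
  "grantControls": {"builtInControls": ["block"]}},
 {"displayName": "Block authentication transfer", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"]},
                 "applications": {"includeApplications": ["All"]},
                 "authenticationFlows": {"transferMethods": "authenticationTransfer"}},
  "grantControls": {"builtInControls": ["block"]}}
]""")


def flows_blocked(policy):
    """Flows a policy blocks for all users and apps (exclusions are not evaluated)."""
    cond = policy.get("conditions") or {}
    controls = (policy.get("grantControls") or {}).get("builtInControls") or []
    users = (cond.get("users") or {}).get("includeUsers") or []
    apps = (cond.get("applications") or {}).get("includeApplications") or []
    if "block" not in controls or "All" not in users or "All" not in apps:
        return set()
    methods = (cond.get("authenticationFlows") or {}).get("transferMethods") or ""
    return {m.strip() for m in methods.split(",")} & set(FLOWS)


def audit(policies):
    """Return {flow: 'enforced' | 'report-only' | 'missing'} for the policy set."""
    status = {flow: "missing" for flow in FLOWS}
    for policy in policies:
        state = policy.get("state")
        for flow in flows_blocked(policy):
            if state == "enabled":
                status[flow] = "enforced"
            elif state == "enabledForReportingButNotEnforced" and status[flow] == "missing":
                status[flow] = "report-only"
    return status


if __name__ == "__main__":
    print(audit(SAMPLE_POLICIES))
```

A result of `report-only` or `missing` for `deviceCodeFlow` means a code entered on the legitimate Microsoft verification page would still authorize the other device.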

Finally, if you’ve already been hit, you can report the incident and help experts work to stop the evolving threat: Go file an online complaint with the Internet Crime Complaint Center (IC3) here if you’ve been impacted by the Kali365 phishing kit.


Written by:
Adam has been a writer at Tech.co for nine years, covering fleet management and logistics. He has also worked at the logistics newsletter Inside Lane, and has worked as a tech writer, blogger and copy editor for more than a decade. He was a Forbes Contributor on the publishing industry, for which he was named a Digital Book World 2018 award finalist. His work has appeared in publications including Popular Mechanics and IDG Connect, and his art history book on 1970s sci-fi, 'Worlds Beyond Time,' was a 2024 Locus Awards finalist. When not working on his next art collection, he's tracking the latest news on VPNs, POS systems, and the future of tech.