Anyone using Microsoft 365 for work or personal email should take note: the FBI is warning that a new hacking tool can break into accounts without needing a password.
The FBI alert highlights a phishing platform known as Kali365, which was first detected in April.
It’s being shared via Telegram and is engineered to get around multi-factor authentication (MFA), the added security step many people depend on to protect their inboxes and files.
That means even users who believe they’ve locked things down properly could still be at risk.
Kali365 is especially concerning because it lowers the barrier for attackers. It packages the process into an easy-to-use kit, generates phishing messages using AI, and even lets criminals monitor targets and activity as it happens.

The setup typically begins with a convincing phishing email that appears to come from a trusted service, often something common like a document-sharing platform.
Inside the message, the recipient is given a device code and told to go to an official Microsoft verification page to enter it.
That’s where the trick works: the site you’re directed to really is Microsoft’s. But the code you are asked to type was issued for the attacker’s sign-in attempt, so entering it silently authorizes the attacker instead of securing your own session.
Once the code is submitted, attackers can obtain authorization tokens that effectively unlock access across Microsoft 365, including Outlook, Teams, and OneDrive, without needing your password and without tripping typical two-factor prompts.
In many cases, the intrusion may only be noticed after the account has already been accessed and data has been exposed.
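Because the sign-in completes on Microsoft’s own page, an attack like this leaves its trace in the organization’s sign-in logs rather than in a blocked link. The script below is an added example for defenders and is not part of the FBI alert or Microsoft’s guidance. It scans constructed sample records shaped like Microsoft Entra ID sign-in log entries (the `authenticationProtocol` field, which records `deviceCode` for this flow, is a real field of the Graph `signIn` resource; the sample users, addresses and helper names are assumptions) and flags every successful device-code sign-in, raising the severity when the address is one the user has never signed in from.

```python
"""Flag device-code-flow sign-ins in Microsoft Entra ID sign-in log exports.

Device code phishing completes a legitimate Microsoft sign-in, so there is no
malicious URL to block. What remains is the log trail: the resulting sign-in
is recorded with authenticationProtocol == "deviceCode". This added example
scans exported records for that protocol and highlights the ones coming from
addresses a user has not used on ordinary sign-ins.

Field names follow the Microsoft Graph `signIn` resource (createdDateTime,
userPrincipalName, appDisplayName, authenticationProtocol, ipAddress, status).
All records below are constructed sample data, not a real tenant export.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample export: ordinary OAuth2 sign-ins, two successful
# device-code sign-ins and one failed device-code attempt (nonzero errorCode).
SAMPLE_SIGNINS = [
    {"createdDateTime": "2025-05-02T08:01:10Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-05-02T08:45:00Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "Microsoft Teams", "authenticationProtocol": "oAuth2",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-05-02T09:15:32Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
     "ipAddress": "192.0.2.55", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-05-02T09:30:00Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "OneDrive SyncEngine", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-05-02T10:40:12Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "Microsoft Teams", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-05-02T11:02:45Z", "userPrincipalName": "carol@example.com",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
     "ipAddress": "192.0.2.77", "status": {"errorCode": 50126}},
]


def parse_time(ts: str) -> datetime:
    """Parse the ISO-8601 UTC timestamp used in sign-in exports."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def succeeded(record: dict) -> bool:
    """A sign-in succeeded when its status errorCode is 0."""
    return record.get("status", {}).get("errorCode", 0) == 0


def build_ip_baseline(records: list[dict]) -> dict[str, set[str]]:
    """Map each user to the addresses seen on successful non-device-code sign-ins."""
    baseline: dict[str, set[str]] = defaultdict(set)
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode" and succeeded(r):
            baseline[r["userPrincipalName"]].add(r["ipAddress"])
    return baseline


def find_device_code_signins(records: list[dict]) -> list[dict]:
    """Return successful device-code sign-ins, oldest first, with a severity.

    Severity is "high" when the address is absent from the user's baseline of
    ordinary sign-ins, "medium" when it matches a known address. Failed
    attempts are skipped: they did not yield a token.
    """
    baseline = build_ip_baseline(records)
    findings = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode" or not succeeded(r):
            continue
        user = r["userPrincipalName"]
        new_ip = r["ipAddress"] not in baseline.get(user, set())
        findings.append({
            "time": parse_time(r["createdDateTime"]),
            "user": user,
            "app": r.get("appDisplayName", ""),
            "ip": r["ipAddress"],
            "severity": "high" if new_ip else "medium",
            "reason": ("device code sign-in from an address this user has never used"
                       if new_ip else "device code sign-in from a known address"),
        })
    findings.sort(key=lambda f: f["time"])
    return findings


def count_by_severity(findings: list[dict]) -> dict[str, int]:
    """Summarize findings as {severity: count} for a quick triage view."""
    counts: dict[str, int] = defaultdict(int)
    for f in findings:
        counts[f["severity"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in find_device_code_signins(SAMPLE_SIGNINS):
        print(f"{f['time']:%Y-%m-%d %H:%M} {f['severity']:6} {f['user']:20} "
              f"{f['ip']:15} {f['app']} :: {f['reason']}")
    print(count_by_severity(find_device_code_signins(SAMPLE_SIGNINS)))
```

The check applies to work or school tenants, where administrators can export sign-in logs; a personal account has only its recent-activity page to review. A device-code sign-in is not proof of compromise, since some command-line and smart-TV style clients use the flow legitimately, which is why the baseline comparison matters: a first-ever device-code sign-in from an address the user has never otherwise used is the record worth reviewing first, and revoking that user’s sessions invalidates any token the attacker obtained.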

The FBI has shared four specific steps people should follow to reduce the chance of falling victim to a Kali365-style attack.

A Microsoft spokesperson also endorsed the FBI’s advice and, according to Nexstar, suggested additional precautions.
That includes getting better at identifying phishing attempts before clicking anything, avoiding opening attachments from unknown senders (which can install malware), and keeping your operating system and apps updated so the latest security fixes are in place.
The company added it is ‘actively working to disrupt the cybercriminal ecosystems behind phishing-as-a-service and account takeover activity to protect our customers’.
Overall, if you’ve recently received an unexpected message instructing you to enter a code on a Microsoft page, it may be worth reviewing your account activity for anything unusual and going through the FBI’s recommended protections as a precaution.