The Federal Bureau of Investigation (FBI) has issued an urgent cybersecurity warning over a rapidly emerging hacking platform known as Kali365, a sophisticated phishing service that enables cybercriminals to gain access to Microsoft 365 accounts without stealing passwords or bypassing traditional multi-factor authentication (MFA) protections.

The warning comes amid growing concern among cybersecurity experts, who say the platform represents a dangerous evolution in cybercrime by exploiting Microsoft’s legitimate authentication infrastructure rather than attacking it directly.

According to the FBI, Kali365 operates as a “phishing-as-a-service” platform, allowing even low-skilled cybercriminals to launch highly effective attacks against businesses, government agencies, schools, healthcare providers, and other organizations that rely on Microsoft 365 services.

Unlike conventional phishing schemes that attempt to trick users into revealing passwords, Kali365 abuses Microsoft’s device code authentication process — a legitimate feature commonly used to log in on smart TVs, gaming consoles, and other devices with limited keyboards or input options.

Victims are typically sent convincing emails disguised as notifications from trusted Microsoft services such as SharePoint, OneDrive, Teams, or Outlook. The messages instruct recipients to enter a device verification code on an authentic Microsoft login page.

Because users are interacting with a genuine Microsoft website, many security-conscious individuals fail to recognize the attack.

Once the victim enters the code and completes the MFA verification process, the attacker receives valid OAuth authentication tokens that provide ongoing access to the user’s Microsoft 365 environment. With those tokens, cybercriminals can access emails, files, calendars, cloud storage, and collaboration platforms without needing the victim’s password.

Security experts warn that these access tokens can remain active for extended periods and may continue to function until they are manually revoked by administrators or account owners.

The FBI described Kali365 as a significant threat because it lowers the barriers to entry for cybercriminals by providing ready-made attack tools, automated phishing workflows, AI-generated scam messages, and real-time dashboards that allow attackers to monitor victims as they fall into the trap.

Cybersecurity analysts say the attack is particularly effective because it exploits trust in Microsoft’s own systems. Traditional security products often focus on detecting fake websites, credential theft, or malware, while Kali365 leverages legitimate authentication processes that appear normal to both users and security software.

Matt Burk, Chief Information Security Officer at Bespoke Concierge MD, said the technique was specifically designed to undermine one of the strongest defenses currently used by organizations worldwide.

“Since Microsoft has globally enforced MFA, this method of cyber attack is designed to bypass MFA and the need for a password,” Burk explained.

The platform reportedly surfaced in underground cybercrime communities in May 2026 and has quickly gained popularity on hacker forums and encrypted messaging channels. Security firms monitoring the threat have already observed campaigns targeting hundreds of organizations across North America, Europe, Australia, and other regions.

Industries reportedly affected include healthcare, education, manufacturing, financial services, government institutions, and critical infrastructure operators.

The FBI is now urging organizations to strengthen their security posture by educating employees about device-code phishing scams, monitoring suspicious authentication requests, reviewing OAuth permissions, enforcing stricter session controls, and immediately revoking suspicious access tokens when detected.
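As an illustration of the monitoring step, the following added example (not part of the FBI advisory or the original article) scans exported sign-in records for completed device code sign-ins by accounts that are not expected to use that flow. The field names assume a JSON-lines export that follows the Microsoft Entra sign-in log schema; the sample records, the allowlist, and the function name are constructed for this example.

```python
import json
from collections import defaultdict

# Constructed sample sign-in records (JSON lines), not real telemetry.
SAMPLE_LOG = r"""
{"createdDateTime":"2026-05-20T09:14:02Z","userPrincipalName":"Alice@example.com","appDisplayName":"Microsoft Office","ipAddress":"198.51.100.23","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
{"createdDateTime":"2026-05-20T09:15:40Z","userPrincipalName":"bob@example.com","appDisplayName":"Outlook","ipAddress":"203.0.113.7","authenticationProtocol":"oAuth2","status":{"errorCode":0}}
{"createdDateTime":"2026-05-20T09:16:11Z","userPrincipalName":"roomdisplay@example.com","appDisplayName":"Teams","ipAddress":"203.0.113.50","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
{"createdDateTime":"2026-05-20T09:17:30Z","userPrincipalName":"carol@example.com","appDisplayName":"Microsoft Office","ipAddress":"198.51.100.23","authenticationProtocol":"deviceCode","status":{"errorCode":70016}}
not-json debris line
"""

# Hypothetical allowlist: accounts expected to use device code sign-in
# (for example shared-room or kiosk devices).
APPROVED_DEVICE_CODE_USERS = {"roomdisplay@example.com"}


def find_device_code_signins(lines, approved=APPROVED_DEVICE_CODE_USERS):
    """Return {user: [events]} for completed device code sign-ins by
    accounts that are not on the approved list."""
    findings = defaultdict(list)
    for raw in lines:
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip blank or malformed lines
        if not isinstance(rec, dict):
            continue
        if rec.get("authenticationProtocol") != "deviceCode":
            continue  # other protocols are out of scope for this check
        if (rec.get("status") or {}).get("errorCode") != 0:
            continue  # nonzero errorCode: sign-in did not complete
        user = (rec.get("userPrincipalName") or "").lower()
        if user in approved:
            continue
        findings[user].append({
            "time": rec.get("createdDateTime"),
            "ip": rec.get("ipAddress"),
            "app": rec.get("appDisplayName"),
        })
    return dict(findings)


if __name__ == "__main__":
    for user, events in find_device_code_signins(SAMPLE_LOG.splitlines()).items():
        for e in events:
            print(f"REVIEW {user}: device code sign-in at {e['time']} from {e['ip']} ({e['app']})")
```

Accounts flagged this way are candidates for the session review and token revocation the FBI recommends.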

Cybersecurity experts warn that the rise of platforms like Kali365 signals a major shift in the threat landscape, where attackers increasingly target identity systems instead of passwords. As businesses continue to migrate critical operations to cloud-based platforms, protecting user identities and authentication processes has become as important as protecting networks themselves.

With Microsoft 365 serving millions of organizations worldwide, authorities caution that the threat posed by Kali365 is likely to grow rapidly unless companies take proactive steps to detect and block these emerging attacks.

Reference: FBI Cybersecurity Advisory; findings from cybersecurity firms monitoring Kali365 phishing campaigns, including reported observations from organizations affected across the United States, Canada, Europe, and Australia.
