
The FBI Just Dropped a Major Warning for New Yorkers Using Microsoft 365
If you use Microsoft 365 for your job, your small business, or just to manage your personal life, you need to know about a scary new warning from the FBI.
For years, we’ve all been told that setting up multi-factor authentication, that extra step where a code gets texted to your phone or pops up in an app, is the ultimate way to lock down our online accounts.
Well, a sophisticated new scam platform called Kali365 just flipped the script. The FBI says it lets hackers skip right past those security codes without ever needing to know your password.
How They Trick You (and Why It Works)
Older email scams used to be easy to spot. They were usually filled with typos, weird grammar, or links to sketchy-looking websites. This new one is incredibly sneaky because it uses a real, official Microsoft webpage to trap you.
Here is exactly how it plays out:
An Innocent Email: You get an email that looks totally normal. It might say a coworker shared a document with you on OneDrive, or that you need to quickly verify your account. The email includes a short "device code."
The Real Microsoft Page: The email tells you to go to Microsoft’s actual, official login page to enter the code. Because the website address is legitimate, your guard instantly goes down.
Unknowingly Letting Them In: The second you type that short code into the real Microsoft page, you aren’t logging yourself in. You are actually approving the hacker's computer to log into your account from somewhere else.
By convincing you to enter that code, the hackers steal a "digital key" that keeps them logged in indefinitely, until that access is revoked. They never see your password, and because you already approved the link, your phone never buzzes with an MFA warning.
Why This is Gaining Ground So Fast
The FBI notes that Kali365 launched recently and is being sold like a subscription software service on Telegram.
Essentially, any amateur criminal with a few bucks can rent this ready-made toolkit. They get AI-generated emails that look flawless, automated setups, and a clean dashboard to track everyone they trick. It makes high-level cybercrime as easy as using a regular smartphone app.
Once a hacker uses this method to get inside your account, they can quietly snoop through everything you have saved online:
- Your Outlook emails (looking for bank info, tax documents, or invoices)
- Your Teams conversations with coworkers
- Your OneDrive and SharePoint files containing private photos, business contracts, or personal data
Because the hackers use a digital login key rather than your actual password, simply changing your password might not kick them out. Their active session stays open until it is manually revoked.
How to Protect Yourself and Your Family
Protecting yourself doesn't require an IT degree; it just takes a quick pause.
If you ever receive an unexpected email asking you to put a short code into a Microsoft page, stop right there. Unless you are actively trying to connect a brand-new smart TV or a new office computer to your account at that exact moment, close the email.

If you run a local business or manage an organization's computers, you can ask your tech team to turn off "device code flow" in your Microsoft settings so employees can't accidentally fall for this trick.
If you think you’ve already been targeted or clicked one of these links, log out of all active sessions across your accounts immediately and report the incident online to the FBI’s Internet Crime Complaint Center at IC3.gov. A few seconds of caution is all it takes to keep your digital life locked down.
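For the tech team mentioned above, here is an added example (not from the FBI warning or this article) that scans exported sign-in records for successful device code sign-ins and ranks the ones coming from an address the account never otherwise uses. The field names are modeled on Microsoft Entra sign-in log exports and are an assumption, and the sample records and the allowlist are constructed.

```python
import json

# Constructed sample records (not real logs). Field names are modeled on
# Microsoft Entra sign-in log exports (an assumption); errorCode 0 = success.
SAMPLE_LOG = """\
{"createdDateTime":"2025-03-03T09:00:00Z","userPrincipalName":"lee@example.com","authenticationProtocol":"oAuth2","ipAddress":"198.51.100.7","status":{"errorCode":0}}
{"createdDateTime":"2025-03-03T13:05:00Z","userPrincipalName":"pat@example.com","authenticationProtocol":"oAuth2","ipAddress":"198.51.100.7","status":{"errorCode":0}}
{"createdDateTime":"2025-03-03T13:40:00Z","userPrincipalName":"pat@example.com","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.50","status":{"errorCode":0}}
{"createdDateTime":"2025-03-03T14:00:00Z","userPrincipalName":"lobby-tv@example.com","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.7","status":{"errorCode":0}}
{"createdDateTime":"2025-03-03T14:10:00Z","userPrincipalName":"sam@example.com","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.9","status":{"errorCode":1}}
{"createdDateTime":"2025-03-03T14:30:00Z","userPrincipalName":
{"createdDateTime":"2025-03-03T15:00:00Z","userPrincipalName":"lee@example.com","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.7","status":{"errorCode":0}}
"""
EXPECTED_DEVICE_CODE_USERS = {"lobby-tv@example.com"}  # hypothetical allowlist (TVs, kiosks)


def parse_records(text):
    """Parse JSON lines, skipping blank, truncated or non-object lines."""
    records = []
    for line in text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict):
            records.append(rec)
    return records


def _is_device_code(rec):
    return str(rec.get("authenticationProtocol", "")).lower() == "devicecode"


def review_device_code_signins(records, expected=EXPECTED_DEVICE_CODE_USERS):
    """Successful device code sign-ins by accounts not on the allowlist."""
    usual_ips = {}  # IPs each account used for every other kind of sign-in
    for r in records:
        if not _is_device_code(r):
            user = str(r.get("userPrincipalName", "")).lower()
            usual_ips.setdefault(user, set()).add(r.get("ipAddress"))
    findings = []
    for r in records:
        user = str(r.get("userPrincipalName", "")).lower()
        ok = (r.get("status") or {}).get("errorCode") == 0
        if not (_is_device_code(r) and ok) or user in expected:
            continue
        new_ip = r.get("ipAddress") not in usual_ips.get(user, set())  # "somewhere else"
        findings.append({"user": user, "time": r.get("createdDateTime"), "ip": r.get("ipAddress"),
                         "priority": "high" if new_ip else "review"})
    return sorted(findings, key=lambda f: (f["priority"] != "high", f["time"]))
```

Accounts that come back as `high` are the first ones to sign out of all active sessions, and a short result list is also a quick way to see who would be affected before device code flow is turned off.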









