Today, phishing attacks are among the most frequent and expensive cybersecurity concerns for businesses. Although Multi-Factor Authentication (MFA) was widely expected to stop phishing, criminals have found other ways to breach businesses.
The FBI has issued an emergency alert about a new, more advanced Microsoft 365 phishing scam targeting businesses and individuals. What is most alarming about this attack is that, for the first time, criminals do not need to capture a password to circumvent MFA. The attack abuses a legitimate Microsoft authentication process to give criminals unauthorized, persistent access to Outlook, Teams, OneDrive, and SharePoint. This alert matters for your business if you operate on Microsoft 365.
What Is the New Microsoft 365 Phishing Scam?
This phishing scam is driven by a tool known as the Kali365 scam, a Phishing-as-a-Service (PhaaS) platform first detected in April 2026 and the subject of a public FBI alert posted on May 21, 2026.
The Kali365 scam operates as a subscription service for cybercriminals, sold on Telegram. It gives even novice criminals the ability to run targeted, effective phishing campaigns with AI-generated phishing emails, automated campaign tooling, and dashboards to track victims.
This attack marks a major shift in phishing. The Kali365 scam does not create a fraudulent page for victims to enter their credentials. Instead, it uses a legitimate Microsoft authentication process (the device code flow). This alone is a first for phishing.
- You never hand over your password.
- Your MFA prompt may appear to complete normally.
- The attacker creates a digital key that enables constant access to the Microsoft 365 environment.
This digital key keeps granting access even after the membership of the Microsoft 365 environment changes or after employees are removed.
Security researchers have identified multiple Kali365 scam campaigns affecting hundreds of organizations across multiple sectors, including government contractors, healthcare providers, and financial services firms.
How Does the Attack Work?
It is crucial to understand every step of the attack, as that is the best way to identify it before it's too late.
Step 1: The Fraudulent Email
The first and most important step of the Kali365 scam is a phishing email, which is always elaborate. The email is crafted to appear completely genuine. It may look like a message from a co-worker, a Microsoft Teams notification, a request to access SharePoint, or a message about an expiring password.
The email is well-written, professional, and believable. It always includes a verification code with a link, directing you to a Microsoft page with instructions to complete a verification step.
Step 2: The Verification Request
Here's where this attack is uniquely deceptive: the link takes you to a real Microsoft page, not a fake one. You're directed to Microsoft's legitimate Device Authorization portal (login.microsoftonline.com).
Because the page is genuine, there are no obvious warning signs. No misspelled URLs, no suspicious-looking forms. Everything looks exactly as it should.
Step 3: Unauthorized Access
When you enter the code provided in the email, you believe you're completing a routine verification. In reality, you are authorizing the attacker's device to access your account.
Microsoft issues authentication tokens and access keys that are immediately captured by the attacker. From that moment, they can access your Outlook email, Teams conversations, OneDrive files, and more without needing your password and without triggering any further MFA prompts. This access can persist for weeks or longer without detection.
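From the defender's side, the sign-in that Step 3 produces is recorded in the Entra ID sign-in log, and the Microsoft Graph signIn resource marks it with authenticationProtocol set to deviceCode. The following triage script is an added example, not code from the original article or from any vendor: it runs over a few constructed log records (real field names, made-up values) and raises severity when the device code grant landed on an IP address the user's other sign-ins that day never used. The "usual IP" heuristic is an assumption chosen for this example, not a Microsoft-defined rule.

```python
from collections import defaultdict

# Constructed sample records in the shape of the Microsoft Graph `signIn`
# resource (real field names, made-up values). Not real log data.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-05-22T09:02:11Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "none", "appDisplayName": "Office 365 Exchange Online",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-05-22T09:14:03Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Authentication Broker",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-05-22T10:30:45Z", "userPrincipalName": "bob@example.com",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Azure CLI",
     "ipAddress": "198.51.100.9", "status": {"errorCode": 70016}},  # code never approved
    {"createdDateTime": "2026-05-22T11:05:00Z", "userPrincipalName": "svc-kiosk@example.com",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Azure CLI",
     "ipAddress": "198.51.100.9", "status": {"errorCode": 0}},
]


def triage_device_code_signins(records, expected_users=frozenset()):
    """Return one finding per successful device code sign-in.
    expected_users: accounts known to use device code flow legitimately
    (a kiosk or CLI automation account); reported as 'info', not 'high'.
    Heuristic (chosen for this example, not a Microsoft rule): severity
    becomes 'high' when the user's other sign-ins that day came from a
    different IP, i.e. the device code grant landed on a device the user
    was not sitting at. Otherwise 'medium'.
    """
    usual_ips = defaultdict(set)
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            usual_ips[r["userPrincipalName"]].add(r.get("ipAddress"))
    findings = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        if r.get("status", {}).get("errorCode", 0) != 0:
            continue  # failed, pending or expired code: no token was issued
        user = r["userPrincipalName"]
        if user in expected_users:
            severity = "info"
        elif usual_ips[user] and r.get("ipAddress") not in usual_ips[user]:
            severity = "high"
        else:
            severity = "medium"
        findings.append({"user": user, "severity": severity, "app": r.get("appDisplayName"),
                         "ip": r.get("ipAddress"), "time": r.get("createdDateTime")})
    return findings
```

Run it against a real export by replacing SAMPLE_SIGNINS with the records returned by the Graph sign-in log query; anything at "high" is a candidate for immediate token revocation by your IT team.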
⚠️ Warning Signs to Watch For
Stay alert for these red flags in your inbox:
- An unexpected email asking you to enter a Microsoft verification code, especially if you did not initiate a sign-in or device setup
- A request to approve a login or authorize a device you don't recognize
- Urgent language pressuring you to take immediate action related to files, account access, or document sharing
- Emails mimicking Microsoft services such as Teams, OneDrive, SharePoint, or Outlook even if they look polished and professional
- Any authentication prompt that feels out of place, regardless of whether it links to a legitimate Microsoft page
Golden rule: If you didn't start the login process yourself, do not enter any code, period.
What Should You Do If You Receive One?
If you receive a suspicious email:
- Do not enter any verification code from an email unless you personally initiated the sign-in yourself
- Deny any unexpected Microsoft sign-in or device authorization requests immediately
- Do not click any links in emails asking you to verify, approve, or authorize account access
- Forward the email to your IT team or managed service provider and do not interact with it further
- When in doubt, call your IT support team before taking any action; one phone call can prevent a serious breach
If you think you may have already been compromised:
- Contact your IT provider immediately; do not attempt to resolve it yourself
- Account recovery after an OAuth token compromise requires professional intervention
- Report the incident to the FBI's Internet Crime Complaint Center at IC3.gov
How Businesses Can Strengthen Their Microsoft 365 Security
Responding to the Kali365 scam and threats like it should not stop with employee awareness. Below are various methods to reduce exposure on the technical and operational front:
User Awareness Training: The most effective defense against phishing is an educated employee base. Employees who know the fundamentals of schemes like the Kali365 scam are far less likely to fall victim. Continuous security awareness training keeps the workforce updated on current threats.
Conditional Access Policies: Microsoft 365 administrators can set Conditional Access policies that block device code authentication for users who do not need it. This directly blocks the tactic used by the Kali365 scam.
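To show what that policy looks like, here is an added example (not the article's or Microsoft's own code) that builds the Microsoft Graph conditionalAccessPolicy request body using the documented authenticationFlows.transferMethods condition, and a check that flags the common misconfigurations (report-only mode, or a policy missing the device code condition). The excluded group ID is a placeholder; the policy is assumed to be created with POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies by an administrator.

```python
import json

# Placeholder object ID for an exception group (e.g. a CLI automation account
# group); replace with your tenant's own group ID.
PLACEHOLDER_EXCLUDED_GROUP = "00000000-0000-0000-0000-000000000000"


def build_block_device_code_policy(exclude_group_ids=(), enforce=True):
    """Return the request body for POST /identity/conditionalAccess/policies.
    Uses the documented `authenticationFlows.transferMethods` condition.
    With enforce=False the policy is created in report-only mode, which
    logs what would be blocked without stopping anyone (a safe first step).
    """
    return {
        "displayName": "Block device code flow",
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": list(exclude_group_ids)},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def policy_blocks_device_code(policy):
    """True only if the policy is enforced, targets everyone on every app,
    is scoped to the device code flow, and its grant control is 'block'.
    A report-only policy or one missing the flow condition returns False.
    transferMethods is a comma-separated flags string in Graph, so split it.
    """
    cond = policy.get("conditions", {})
    methods = cond.get("authenticationFlows", {}).get("transferMethods", "")
    flows = {m.strip() for m in methods.split(",")}
    return (
        policy.get("state") == "enabled"
        and "deviceCodeFlow" in flows
        and "All" in cond.get("users", {}).get("includeUsers", [])
        and "All" in cond.get("applications", {}).get("includeApplications", [])
        and "block" in policy.get("grantControls", {}).get("builtInControls", [])
    )


if __name__ == "__main__":
    body = build_block_device_code_policy([PLACEHOLDER_EXCLUDED_GROUP])
    print(json.dumps(body, indent=2))
    print("blocks device code flow:", policy_blocks_device_code(body))
```

Run policy_blocks_device_code over the policies returned by GET /identity/conditionalAccess/policies to confirm at least one enforced policy actually closes the flow rather than only reporting on it.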
Advanced Phishing Protection: Modern email security tools can detect and quarantine phishing messages before they reach employee inboxes, even when those messages use AI-generated content and appear highly convincing.
Security Monitoring and Threat Detection: Microsoft Entra ID Protection and Microsoft Defender XDR can surface alerts specific to this type of attack—such as "Suspicious Azure authentication through possible device code phishing"—giving security teams early warning before damage is done.
Regular Cybersecurity Assessments: Periodic reviews of your Microsoft 365 security configuration, user permissions, and authentication policies help identify vulnerabilities before attackers do.
How ComTech Systems Helps Protect Your Business
At ComTech Systems, we exist to protect our clients from developing cyber threats. After the FBI's warning about the Kali365 scam, our team started assessing security controls and observing Microsoft's recommendations so that you don't have to deal with this issue alone.
Here is how we protect our clients from the Microsoft 365 phishing scam and other threats:
- Active threat management: We look for abnormal sign-in attempts, suspicious authentication, and possible threat indicators in your Microsoft 365 environment, often detecting threats before you're even aware of them.
- Strengthening Microsoft 365 security: Our team can examine your configuration, implement Conditional Access, and fill the gaps that the Kali365 scam and similar attacks exploit.
- Security awareness training: We train your team to identify phishing attacks and verification code scams and how to respond appropriately when under pressure.
- Rapid incident response: If you believe your account has been compromised, our Service Desk can quickly contain the situation, remove the threat, and return operations to normal.
- Frequent evaluation of your cyber protection: We are proactive and don't wait for a threat to occur. We routinely assess your security posture to maintain strong, up-to-date protection.
Cybersecurity is not a one-time project; it's an ongoing partnership. And at ComTech Systems, we take that responsibility seriously.
Don't Wait for a Breach to Take Action
The Microsoft 365 phishing scam — and the Kali365 scam powering it — is sophisticated, convincing, and capable of bypassing the very security layers most organizations rely on. The FBI's warning is clear: this threat is active, it is spreading, and it is targeting organizations of all sizes.
The good news? With the right awareness and the right support, it is entirely preventable.
If you receive a suspicious email, experience an unexpected Microsoft sign-in request, or simply want to review your organization's current security posture — contact the ComTech Systems Service Desk today. Our team is ready to help.
Don't click. Don't enter the code. Call us first.
Frequently Asked Questions
Can MFA fully protect me from the Kali365 scam?
Not on its own. Traditional MFA — including text codes, authenticator app codes, and push notifications — can all be bypassed by the Kali365 scam's device code phishing technique. Stronger protections like phishing-resistant MFA (hardware keys or passkeys) and Conditional Access policies are needed to fully address this threat.
How do I know if my Microsoft 365 account has already been compromised?
Signs include unfamiliar devices appearing in your account's authorized device list, login activity from unusual locations or times, emails being forwarded without your knowledge, or colleagues reporting messages sent from your account that you didn't send. If you suspect a compromise, contact your IT provider immediately.
What is a Microsoft verification code scam?
It's a phishing attack — like the Kali365 scam — in which you're sent a legitimate-looking email containing a device code and a link to a real Microsoft page. Entering the code grants the attacker, not you, ongoing access to your Microsoft 365 account.
Should I disable MFA because of this?
Absolutely not. MFA still blocks the vast majority of cyberattacks. The answer is to add additional layers of protection, not remove existing ones. Your IT provider can help you configure stronger authentication options.
What should employees do if they accidentally enter a code?
They should immediately report it to their IT team or managed service provider. Do not wait. The sooner your IT team knows, the faster they can revoke the attacker's access and limit the damage.
Sources
FBI Official PSA — IC3.gov: Kali365 Phishing-as-a-Service Kit Hijacks Microsoft 365 Access Tokens
Microsoft Security Blog — Device Code Phishing Guidance
Help Net Security — Microsoft 365 users targeted by new phishing threat that bypasses MFA
Cybersecurity Dive — FBI warns about PhaaS platform used to access Microsoft 365 environments
HotHardware — FBI Issues Urgent Warning For Microsoft 365 Users: Kali365 Phishing Kit Bypasses MFA
