FBI Sounds Alarm on Kali365: AI-Powered Phishing Attack Targets Microsoft 365 Users

The FBI's warning about a Microsoft 365 phishing attack has put millions of users on high alert. On May 21, the Federal Bureau of Investigation released an urgent public service announcement about a fast-spreading cyber threat that can quietly hijack Microsoft accounts — even those protected by multi-factor authentication. The new attack, known as Kali365, is being described as one of the most dangerous phishing campaigns to emerge this year, largely because it uses artificial intelligence to make its scams look frighteningly convincing.

If you rely on Microsoft 365 for work, school, or personal use, this is something you need to understand right now.

What Is the Kali365 Phishing Attack?

Kali365 is a phishing-as-a-service (PhaaS) platform that was first detected last month. Unlike traditional phishing schemes that depend on the attacker’s individual skill, Kali365 is a ready-made toolkit that anyone with bad intentions can rent or buy. According to the FBI, this service hands cybercriminals everything they need to launch sophisticated attacks against Microsoft 365 users without needing deep technical knowledge.

The most alarming aspect? Kali365 doesn’t need to steal your password to break into your account. Instead, it tricks the Microsoft authentication system itself into handing over access tokens, allowing attackers to slip past multi-factor authentication (MFA) entirely.

How the Attack Works

The FBI explains that this new threat takes advantage of Microsoft’s own legitimate authentication infrastructure. That means victims often don’t realize anything is wrong because they’re interacting with what appears to be a real Microsoft verification page.

Here’s a simplified breakdown of how the scam typically unfolds:

  • A victim receives an email pretending to be from a trusted cloud productivity or document-sharing service.
  • The email contains a device code along with instructions to visit a legitimate Microsoft verification page.
  • The user enters the code, believing they’re verifying their identity for a normal sign-in process.
  • Behind the scenes, the attacker captures the OAuth token generated by Microsoft, giving them direct access to the victim’s account.

Because the entire process plays out on real Microsoft pages, even cautious users can be fooled. There’s no fake login screen, no suspicious URL, and no obvious red flag in the moment.

Why Kali365 Is So Dangerous

What separates Kali365 from older phishing campaigns is its use of artificial intelligence and automation. The platform doesn’t just send out generic spam — it actively tailors attacks to specific targets in real time.

According to the FBI, Kali365 offers cybercriminals a complete toolkit that includes:

  • AI-generated phishing emails that mimic the writing style of real companies and contacts
  • Pre-built campaign templates that automate the entire attack
  • Real-time dashboards that track individual victims and organizations
  • OAuth token capture tools that bypass multi-factor authentication

In short, Kali365 transforms phishing from a craft into an assembly line. Even attackers with minimal technical expertise can now run highly polished campaigns capable of fooling sophisticated users.

Distributed Through Telegram

Like many modern cybercrime services, Kali365 is being sold and distributed through Telegram, the messaging platform that has become a favorite hub for hackers. The FBI noted that this distribution model dramatically lowers the barrier to entry, allowing the threat to spread quickly across the global cybercrime community.

Once a buyer obtains the kit, they can launch phishing campaigns against Microsoft 365 accounts almost immediately. The result is a surge in attacks that are not only more frequent but also more difficult to detect.

Why Multi-Factor Authentication Isn’t Enough

For years, security professionals have urged users to enable multi-factor authentication as a safeguard against account takeovers. While MFA still helps in many situations, the Kali365 campaign shows that it isn’t bulletproof.

By stealing OAuth tokens instead of passwords, attackers effectively sidestep the MFA prompt altogether. Once they have the token, the system treats them as a verified user — no additional code, fingerprint, or approval needed.

This shift has serious implications. It means relying on MFA alone is no longer enough to keep your Microsoft 365 account safe.

How to Protect Yourself

Although the threat is sophisticated, there are practical steps every user can take to reduce the risk:

  • Be skeptical of unexpected emails asking you to enter device codes, even if they appear to come from Microsoft or trusted services.
  • Never enter a verification code unless you personally initiated the sign-in request.
  • Double-check the sender’s email address and look for subtle inconsistencies.
  • Use conditional access policies if you’re an administrator, restricting logins to known devices or networks.
  • Enable phishing-resistant authentication methods, such as hardware security keys or passkeys.
  • Educate teams and family members about device-code phishing, which many people still don’t recognize.

Organizations should also monitor for unusual OAuth token activity and review which third-party apps have access to their Microsoft 365 environments.
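
One way to act on the monitoring advice above, as an added example that is not from the FBI announcement or this article: a Python triage pass over exported sign-in records that surfaces every device-code authentication and escalates those followed, within a time window, by activity from an IP address the user had not been seen on before. The records are constructed, and the field names (`createdDateTime`, `userPrincipalName`, `ipAddress`, `authenticationProtocol`) are assumptions about the export's schema.

```python
from datetime import datetime, timedelta

# Constructed sample records shaped like a sign-in log export. Field names are
# assumptions about that export's schema; rename them to match your data.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2025-01-10T08:02:11Z", "userPrincipalName": "ana@example.com",
     "ipAddress": "198.51.100.7", "authenticationProtocol": "none"},
    {"createdDateTime": "2025-01-10T09:15:40Z", "userPrincipalName": "ana@example.com",
     "ipAddress": "198.51.100.7", "authenticationProtocol": "deviceCode"},
    {"createdDateTime": "2025-01-10T09:20:05Z", "userPrincipalName": "ana@example.com",
     "ipAddress": "203.0.113.50", "authenticationProtocol": "none"},
    {"createdDateTime": "2025-01-10T10:00:00Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "192.0.2.10", "authenticationProtocol": "deviceCode"},
    {"createdDateTime": "2025-01-10T10:30:00Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "192.0.2.10", "authenticationProtocol": "none"},
    {"createdDateTime": "2025-01-12T12:00:00Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "203.0.113.99", "authenticationProtocol": "none"},
]


def _ts(rec):
    return datetime.strptime(rec["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")


def find_device_code_signins(signins, window=timedelta(hours=24)):
    """Flag device-code sign-ins; escalate when the user is then seen from an
    IP that was unknown before the device-code event (a heuristic, not proof)."""
    events = sorted(signins, key=_ts)
    seen_ips = {}  # user -> IPs observed up to and including the current event
    findings = []
    for i, rec in enumerate(events):
        user, ip = rec["userPrincipalName"], rec["ipAddress"]
        known = seen_ips.setdefault(user, set())
        known.add(ip)
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        new_ips = sorted({
            later["ipAddress"] for later in events[i + 1:]
            if later["userPrincipalName"] == user
            and _ts(later) - _ts(rec) <= window
            and later["ipAddress"] not in known
        })
        findings.append({"user": user, "time": rec["createdDateTime"],
                         "new_ips_after": new_ips,
                         "severity": "high" if new_ips else "review"})
    return findings
```

Findings marked `review` are device-code sign-ins with no new address in the window; they still deserve a check against the list of users and devices expected to use that flow.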

The Bigger Picture

The rise of Kali365 highlights a worrying trend in cybercrime: the increasing use of AI to scale and refine attacks. As phishing-as-a-service platforms grow more powerful, even small-time scammers can launch campaigns that once required nation-state-level resources.

The FBI’s warning is a reminder that staying safe online today requires more than strong passwords and MFA. It demands awareness, skepticism, and a willingness to question even the most legitimate-looking requests. As attackers evolve, so must the everyday user.

Microsoft 365 remains a critical platform for millions of people worldwide, and threats like Kali365 prove that protecting your account is no longer optional — it’s essential.

Author

  • Lucienne

    Lucienne Albrecht is Luxe Chronicle’s wealth and lifestyle editor, celebrated for her elegant perspective on finance, legacy, and global luxury culture. With a flair for blending sophistication with insight, she brings a distinctly feminine voice to the world of high society and wealth.
