Microsoft Outlook and Teams users are being warned about a dangerous new phishing attack that is targeting Microsoft 365 accounts. The FBI recently issued a public warning about a phishing platform called Kali365, which allows cybercriminals to access accounts without directly stealing passwords.
The attack has raised serious concerns because it can bypass multi-factor authentication, a security feature many users depend on to keep their accounts safe.
What Is the New Microsoft Phishing Threat?
The phishing platform, known as Kali365, was first discovered earlier this year. According to cybersecurity experts, the tool is mainly being shared through Telegram and is designed to trick users into giving hackers access to their Microsoft accounts.
The scam usually starts with a fake email that appears to come from a trusted service. It may look like a document-sharing request or an account verification message.
Inside the email, users are given a device code and instructions to visit a real Microsoft verification page. Since the website itself is legitimate, many people do not realize anything is wrong.
Once the code is entered, hackers receive access to the user’s Microsoft 365 account, including Outlook emails, Teams chats, and OneDrive files.
How the Kali365 Attack Works
The attack method is simple but highly effective. Here is a quick breakdown:
| Step | What Happens |
|---|---|
| Fake Email Sent | User receives a phishing email pretending to be trusted |
| Verification Code Shared | Email asks user to enter a device code |
| User Visits Microsoft Site | Victim enters the code on the official Microsoft page |
| Hacker Gains Access | Attackers capture account authorization tokens |
| Account Data Exposed | Outlook, Teams, and OneDrive become accessible |
This approach is different from traditional phishing scams because attackers do not need the user’s password.
Why This Threat Is More Dangerous
One reason this phishing threat is worrying experts is because it uses real Microsoft services during the attack process. This makes it harder for users to spot suspicious activity.
The FBI also warned that Kali365 allows even low-skilled cybercriminals to launch advanced attacks. Reports suggest the platform uses AI-generated phishing messages to make scams look more convincing.
As more companies rely on Microsoft 365 tools for communication and file storage, the risks connected to these attacks continue to grow.
How Microsoft Users Can Stay Safe
Cybersecurity experts recommend taking several steps to reduce the chances of becoming a victim.
Important Safety Tips
- Never enter verification codes unless you requested them yourself
- Avoid opening links from unknown or unexpected emails
- Double-check email senders before clicking attachments
- Keep your apps and operating system updated
- Review account permissions regularly
- Use advanced account security settings where available
Businesses should also consider limiting device code authentication to trusted users only.
Final Thoughts
The latest phishing warning shows how cyber threats are becoming more advanced in 2026. Attackers are no longer relying only on stolen passwords. Instead, they are finding ways to trick users into giving account access willingly.
Microsoft Outlook and Teams users should remain alert and learn how modern phishing scams work. A few careful steps can help protect important personal and business information from cybercriminals.
Readers interested in cybersecurity can also explore topics like AI-powered phishing scams, Microsoft 365 security tips, and online privacy protection to stay updated on digital safety trends.
