FBI Warning: Passwords Useless Now?


The newest way crooks are slipping into your Microsoft 365 account does not need your password at all.

Story Snapshot

  • FBI says a service called Kali365 steals Microsoft 365 access tokens and walks past multi-factor authentication locks as if they are not there.
  • Attackers trick you into typing a short “device code” on a real Microsoft page, then ride your own login into Outlook, Teams, and OneDrive.
  • This kit is sold as a monthly subscription, giving low-skill criminals professional-grade tools and dashboards.[2]
  • Simple habits and a few smart settings can shut most of this down before it starts.

FBI sounds the alarm on a new kind of break-in

The Federal Bureau of Investigation (FBI) did not issue this warning to scare tech nerds. It went public because a tool called Kali365 flips the normal rules of online safety on their head. For years, the advice was simple: strong password, multi-factor authentication, and you are mostly safe.

Kali365 changes the game by skipping your password and going straight for the keys that say “this person is already logged in.”[2]

The FBI’s public service announcement describes Kali365 as an “emerging phishing-as-a-service platform” first seen in April 2026. In plain English, it is a cybercrime subscription.

A crook pays a fee and gets ready-made phishing emails, tracking dashboards, and tools that steal Microsoft 365 access tokens at scale.[2]

That means they can break into accounts used every day at work and at home: Outlook email, Teams chats, OneDrive files, even SharePoint sites tied to those accounts.[1]

How Kali365 turns a six-digit code into a full account takeover

The attack does not start with some shady hacker terminal. It starts in your inbox. The FBI says victims receive an email that appears to come from a trusted cloud or document service, for example a file-sharing or e-signature notice.

The message includes a short device code and simple instructions: go to a Microsoft verification web page and type this code to view the document or fix an issue.[2]

The twist is cruel because it feels safe. The page you’re visiting is a Microsoft site, with the correct address and a secure padlock. You are not typing your password on a fake page. You are following directions on a real one.

But that device code is tied to the attacker’s own app in the background. When you type it in, Microsoft thinks you are approving that app to access your account. The crook grabs fresh OAuth tokens and now “is” you online, no stolen password required.[2]

Why multi-factor authentication alone does not save you here

Most people think, “I have multi-factor turned on, so I am good.” That belief is exactly what attackers are using against you. Multi-factor authentication, or MFA, protects the moment you log in; it does not protect the tokens that Microsoft hands out once that login succeeds.

Kali365 makes you complete that login yourself on a real Microsoft page. You may even pass a normal MFA challenge. The criminal just listens for the token that comes out the other side and stores it for later.[1]

Once they have a valid access token and a refresh token, they can come back again and again until the token expires or you revoke it.[2] During that time, they can read Outlook messages, watch Teams conversations, and pull files from OneDrive and SharePoint as if they sit at your desk.[1]

From there, attackers can reset other accounts, trick co-workers or family with fake emails, or quietly hunt for banking and tax data. That is where real-world fraud and extortion begin.

Why this should bother normal people, not just IT staff

Kali365 is not a one-off hacker stunt. It is built as a business. The FBI and private researchers describe a full ecosystem with built-in phishing templates, artificial-intelligence-written messages, victim-tracking panels, and payment systems for criminals.

Less-skilled attackers no longer need to code or understand Microsoft’s sign-in system. They just rent a kit and click through a menu. That “lowered barrier to entry” is what turns one clever trick into a widespread crime wave.

Seen that way, this is what happens when bad actors weaponize complex tech while normal users and small businesses are left with vague advice.

Big platforms centralize email, chat, and documents into a single identity system, and then criminals aim all their efforts at that single point of failure.

That makes personal responsibility and local safeguards more important, not less, because the fallout from one compromise can ripple through a whole community.

The one habit that stops most Kali365 attacks cold

The good news is that you do not need a computer science degree to cut this risk. The FBI’s own advice boils down to one simple rule: never enter a device code on a Microsoft verification page unless you started that process yourself, on your own device.

If an email gives you a code and tells you where to enter it, treat it like a stranger asking for your house alarm PIN.

On top of that, check your Microsoft 365 sign-in history and active sessions from time to time and sign out devices you do not recognize. Report weird emails in Outlook using the built-in “Report phishing” option, and tell your company’s IT support if anything seems off.

For businesses, security teams should consider disabling Microsoft’s device code flow when it is not needed, and adding conditional access rules that restrict sensitive accounts to trusted devices and locations.[1]
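The review-and-revoke habit above and the business-side conditional access advice can both be made concrete. The following Python is an added example, not code from the article, the FBI, or Microsoft. It assumes sign-in records shaped like the Microsoft Graph `signIn` resource, with `authenticationProtocol` set to `deviceCode` for this flow, and a policy body shaped like the Graph `conditionalAccessPolicy` resource with its `authenticationFlows` condition; the sample records are constructed, and the field names should be checked against current Graph documentation before use.

```python
"""Triage device-code-flow sign-ins and build a policy body that blocks the flow.

Added example; not from the article, the FBI, or Microsoft. Assumptions
(labelled): records follow the Graph `signIn` shape, where
`authenticationProtocol == "deviceCode"` marks this flow; the policy body
follows the Graph `conditionalAccessPolicy` shape. Verify both against current
Graph documentation.
"""
import json
from collections import defaultdict
from typing import Dict, Iterable, List, Set

# Constructed sample records (not real tenant data). With the device code flow
# the token request comes from the client that started the flow, so the IP and
# country recorded can differ from where the user actually typed the code
# (assumption based on how the flow works, not a claim from the article).
SAMPLE_SIGNINS: List[Dict] = [
    {"id": "s1", "userPrincipalName": "alice@example.com", "createdDateTime": "2026-04-14T08:02:11Z",
     "authenticationProtocol": "oAuth2", "appDisplayName": "Microsoft Teams",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
    {"id": "s2", "userPrincipalName": "alice@example.com", "createdDateTime": "2026-04-14T09:41:57Z",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Unknown app",
     "ipAddress": "198.51.100.77", "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 0}},
    {"id": "s3", "userPrincipalName": "bob@example.com", "createdDateTime": "2026-04-14T07:15:03Z",
     "authenticationProtocol": "oAuth2", "appDisplayName": "Outlook",
     "ipAddress": "192.0.2.44", "location": {"countryOrRegion": "GB"}, "status": {"errorCode": 0}},
    {"id": "s4", "userPrincipalName": "bob@example.com", "createdDateTime": "2026-04-14T10:05:40Z",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Azure CLI",
     "ipAddress": "192.0.2.44", "location": {"countryOrRegion": "GB"}, "status": {"errorCode": 0}},
    {"id": "s5", "userPrincipalName": "carol@example.com", "createdDateTime": "2026-04-14T11:30:00Z",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Unknown app",
     "ipAddress": "198.51.100.78", "location": {"countryOrRegion": "BR"}, "status": {"errorCode": 50126}},
]


def country_baseline(signins: Iterable[Dict]) -> Dict[str, Set[str]]:
    """Countries each user has signed in from successfully with an ordinary flow."""
    baseline: Dict[str, Set[str]] = defaultdict(set)
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode" and s["status"]["errorCode"] == 0:
            baseline[s["userPrincipalName"]].add(s["location"]["countryOrRegion"])
    return baseline


def find_device_code_signins(signins: List[Dict]) -> List[Dict]:
    """Flag every successful device-code sign-in; rate it high when the country is unfamiliar."""
    baseline = country_baseline(signins)
    findings = []
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode":
            continue
        if s["status"]["errorCode"] != 0:
            continue  # a failed attempt issued no token; still worth keeping in logs
        user = s["userPrincipalName"]
        country = s["location"]["countryOrRegion"]
        unfamiliar = country not in baseline.get(user, set())
        findings.append({
            "signInId": s["id"], "user": user, "app": s["appDisplayName"],
            "ip": s["ipAddress"], "country": country, "when": s["createdDateTime"],
            "severity": "high" if unfamiliar else "medium",
            "reason": ("device code sign-in from a country this user has never used"
                       if unfamiliar else "device code sign-in; confirm the user started it"),
        })
    return findings


def users_to_revoke(findings: List[Dict]) -> List[str]:
    """Users whose refresh tokens should be revoked (Graph: user revokeSignInSessions)."""
    return sorted({f["user"] for f in findings if f["severity"] == "high"})


def device_code_block_policy(excluded_group_ids: Iterable[str]) -> Dict:
    """Conditional Access body that blocks the device code flow for everyone except
    the given break-glass groups. Starts in report-only mode so the impact can be
    reviewed before enforcement. Group IDs are placeholders supplied by the caller."""
    return {
        "displayName": "Block device code flow",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": list(excluded_group_ids)},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    hits = find_device_code_signins(SAMPLE_SIGNINS)
    print(json.dumps(hits, indent=2))
    print("revoke sessions for:", users_to_revoke(hits))
    print(json.dumps(device_code_block_policy(["<break-glass-group-id>"]), indent=2))
```

On the sample data the script rates Alice's device-code sign-in from an unfamiliar country as high and Bob's from his usual country as medium, skips Carol's failed attempt, and names Alice as the one account whose sessions should be revoked; the policy body is emitted in report-only state so the team can see which legitimate tools still rely on the flow before switching it to enforced.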

Sources:

[1] Web – FBI issues urgent Kali365 security warning for Teams, Outlook, …

[2] Web – FBI warns of Kali365 phishing scam targeting Microsoft 365 users