Millions of Microsoft users have been urged to remain vigilant after US federal investigators warned about a sophisticated cyberattack campaign known as 'Kali365', which allegedly allows hackers to bypass traditional Microsoft security protections and infiltrate accounts linked to Outlook, Teams, OneDrive, and other Microsoft 365 services.
The warning, highlighted in recent FBI and cybersecurity reports, centres on attackers exploiting legitimate Microsoft authentication systems rather than breaking through them directly.
Security experts say the tactic makes the operation particularly dangerous because malicious login attempts can appear legitimate to both users and automated detection systems.
According to cybersecurity researchers, 'Kali365' refers to a phishing and credential theft technique that abuses Microsoft 365's authentication infrastructure to steal login tokens and gain persistent access to user accounts.
Unlike traditional phishing attacks that rely solely on fake login pages, the attackers allegedly route victims through legitimate Microsoft authentication flows, allowing them to capture valid session credentials after users successfully log in.
Researchers say this can allow hackers to bypass certain forms of multi-factor authentication (MFA), which many users wrongly assume guarantees full protection.
Cybersecurity firm Proofpoint described the broader tactic as an increasingly common form of 'adversary-in-the-middle' phishing, where attackers intercept communications between users and legitimate services.
According to the FBI warning, criminals have increasingly targeted Microsoft 365 users because compromised accounts can provide access to sensitive emails, cloud storage, internal communications, and financial information.
Cybersecurity analysts say Kali365 represents a worrying shift because it bypasses one of the internet's most widely recommended security measures: multi-factor authentication.
Typically, MFA requires users to confirm logins using a second device or code. However, Kali365 sidesteps that protection entirely by stealing active authentication tokens rather than login credentials themselves.
Source: International Business Times UK