The FBI has warned that hackers can now break into Microsoft Outlook, Teams and 365 accounts without ever learning the victim's password, after identifying a phishing tool known as Kali365 that has been circulating since April and is already being used to hijack user access.
The reports came after the FBI issued a public alert outlining how the tool works and why it poses a different kind of risk. Unlike conventional phishing attempts that rely on stolen passwords, Kali365 abuses a legitimate feature of Microsoft's own sign-in system, the device code flow, so even users with multi-factor authentication enabled can still be exposed: the victim completes a genuine sign-in, MFA prompt included, but does so on the attacker's behalf.
According to the FBI, attackers begin by sending emails that appear to come from legitimate services such as document-sharing platforms. These messages include a short device code, generated for a sign-in the attacker has already started, along with instructions directing users to a genuine Microsoft verification page.
At first glance, the process looks routine. The page is real, the web address is Microsoft's, and the steps mirror standard login procedures. The problem lies in what happens next. By entering the code and approving the sign-in, users are not signing into their own account in the usual sense. Instead, they are unknowingly authorising the attacker's pending session.
Once the victim approves, the attacker's client is issued authentication tokens that grant access to Microsoft 365 services. This includes Outlook emails, Teams conversations and files stored on OneDrive. Because those tokens are valid credentials in their own right, the FBI said, the method allows continued access without triggering password checks or additional authentication prompts.
The agency also pointed to the growing accessibility of the tool. Kali365 is distributed via Telegram and is designed for use even by those with limited technical knowledge. It incorporates AI-generated phishing messages and includes features that allow attackers to monitor targets in real time. That combination lowers the barrier to entry. What once required a degree of expertise can now be carried out with minimal skill, increasing the volume and reach of attacks.
The FBI has outlined several defensive steps, though some require administrative control over organisational systems rather than individual action. One key recommendation is to restrict the device code flow feature, which lets a user sign in on a device with limited input, such as a smart TV or a command-line tool, by entering a code on another device. In Microsoft Entra ID this is done with a Conditional Access policy that blocks the flow; limiting or disabling it closes off the pathway that Kali365 exploits.
Organisations are also advised to audit who has actually been using device code authentication, for example by reviewing sign-in logs, and to remove any unnecessary access. Another measure involves blocking the transfer of authentication sessions between devices (Microsoft calls this authentication transfer), which can prevent attackers from maintaining control once access is granted.
There is also a caution to preserve emergency access, or break-glass, accounts. These should remain exempt from the new restrictions so that administrators are not locked out if a policy misfires during security changes.
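The three administrative steps above can be carried out from a single script. The following is an added example, not code from the FBI alert, the article or Microsoft: it assumes a Microsoft Entra ID tenant administered with the Microsoft Graph PowerShell SDK (the beta cmdlets, because the sign-in log's authenticationProtocol property is only exposed there), and the emergency account object ID is a placeholder that must be replaced with the tenant's own break-glass account. It first lists who has used device code sign-in over the last 30 days, then creates a Conditional Access policy that blocks both device code flow and authentication transfer for everyone except the emergency accounts, starting in report-only mode.

```powershell
# Added example (not from the FBI alert or the article). Assumes the
# Microsoft.Graph.Beta modules are installed and the caller is a Conditional
# Access administrator. Verify cmdlet and property names against current
# Microsoft Graph documentation before running in production.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess",
                        "Policy.Read.All",
                        "AuditLog.Read.All",
                        "Directory.Read.All"

# --- 1. Audit: which accounts have actually used device code sign-in? ---
# authenticationProtocol is a property of the beta signIn resource; the
# value 'deviceCode' marks a device authorization grant sign-in.
$since = (Get-Date).AddDays(-30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$deviceCodeSignIns = Get-MgBetaAuditLogSignIn -All `
    -Filter "authenticationProtocol eq 'deviceCode' and createdDateTime ge $since"

# One row per user, with the apps and source IPs involved, so unexpected
# users (or a legitimate user signing in from an unfamiliar IP) stand out.
$deviceCodeSignIns |
    Group-Object UserPrincipalName |
    Sort-Object Count -Descending |
    Select-Object Name, Count,
        @{ n = 'Apps'; e = { ($_.Group.AppDisplayName | Sort-Object -Unique) -join ', ' } },
        @{ n = 'IPs';  e = { ($_.Group.IpAddress      | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize

# --- 2. Block device code flow and authentication transfer ---
# PLACEHOLDER: replace with the object ID(s) of your break-glass account(s).
# Excluding them keeps the policy from locking administrators out.
$emergencyAccountIds = @("00000000-0000-0000-0000-000000000000")

$policy = @{
    displayName = "Block device code flow and authentication transfer"
    # Report-only first: the policy is evaluated and logged but not enforced.
    # Review the report-only results, then change this to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @("All")
            excludeUsers = $emergencyAccountIds
        }
        applications = @{
            includeApplications = @("All")
        }
        # transferMethods is a comma-separated flags value; blocking both
        # closes the device code path and the session-transfer path.
        authenticationFlows = @{
            transferMethods = "deviceCodeFlow,authenticationTransfer"
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgBetaIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"
```

Run the audit section on its own first; if a legitimate workload (a kiosk device, a CLI tool used by a particular team) depends on device code sign-in, scope the policy with includeUsers or excludeUsers for that group rather than leaving the flow open for everyone. The report-only state exists precisely so that the break-glass exclusion and any such scoping can be checked against real sign-ins before enforcement.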
Microsoft, responding to the FBI alert through a statement to Nexstar, said it supports the guidance and is continuing efforts to disrupt what it described as 'cybercriminal ecosystems' built around phishing services and account takeovers.
Source: International Business Times UK