Most phishing scams try to trick you into typing your password into a fake website. But there is one that doesn’t even need your password.
The Federal Bureau of Investigation is warning about a fast-growing scam targeting users of Microsoft 365 apps like Microsoft Outlook, Microsoft Teams, and Microsoft OneDrive. It works by abusing a real Microsoft login system.
Let’s look into the scam.
The Kali365 scam
According to the FBI, attackers are using something called OAuth device codes to gain access to accounts. Normally, these codes are legitimate.
They are designed to let devices or apps securely connect to your Microsoft account without sharing your password directly. But scammers figured out how to weaponize that process.
The attack campaign, referred to as Kali365, has a surprisingly normal setup. Instead of sending victims to fake login websites, attackers send phishing emails that direct users to legitimate Microsoft verification pages. That’s what makes the attack harder to spot.
The email usually includes a device verification code, instructions to enter it on Microsoft’s real website, and language that looks like a normal cloud-sharing or document request.
The victim enters the provided code into the Microsoft verification page. At that point, the attacker captures the authentication token connected to the session. And once they have that token, they can access Outlook, Teams, OneDrive, and other Microsoft 365 services without needing your password, your MFA code, or any other login prompt.
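Because the token is minted by Microsoft's real login system, the attack leaves no fake website to block; what it does leave is a sign-in record that used the device-code flow. The following script is an added example, not code from the article or from the FBI, showing how a defender might triage such sign-ins. The record field names are an assumption loosely modelled on Entra ID sign-in log exports, the sample records are constructed, and the list of apps expected to use the device-code flow is illustrative.

```python
# Added example (not from the article): triage device-code sign-ins in
# constructed sign-in records. Field names are an assumption, loosely modelled
# on Entra ID sign-in log exports; adapt the keys to your own log format.
from collections import defaultdict

# Apps that are expected to use the device-code flow in this hypothetical
# environment. Anything else redeeming a device code deserves a closer look.
EXPECTED_DEVICE_CODE_APPS = {"Azure CLI"}

# Constructed sample records, not real log data.
SAMPLE_SIGNINS = [
    {"time": "2025-05-01T09:02:11Z", "user": "alice@example.com",
     "protocol": "deviceCode", "app": "Microsoft Office",
     "ip": "203.0.113.5", "country": "NL"},
    {"time": "2025-05-01T09:05:40Z", "user": "alice@example.com",
     "protocol": "oAuth2", "app": "Outlook Web",
     "ip": "198.51.100.7", "country": "US"},
    {"time": "2025-05-01T10:12:03Z", "user": "carol@example.com",
     "protocol": "oAuth2", "app": "Microsoft Teams",
     "ip": "198.51.100.8", "country": "US"},
    {"time": "2025-05-01T10:20:45Z", "user": "carol@example.com",
     "protocol": "deviceCode", "app": "Microsoft Office",
     "ip": "198.51.100.8", "country": "US"},
    {"time": "2025-05-01T11:30:00Z", "user": "bob@example.com",
     "protocol": "deviceCode", "app": "Azure CLI",
     "ip": "198.51.100.9", "country": "US"},
    {"time": "2025-05-01T11:31:00Z", "user": "bob@example.com",
     "protocol": "deviceCode", "app": "Azure CLI",
     "ip": "198.51.100.9", "country": "US"},
]


def interactive_countries(records):
    """Map user -> set of countries seen on non-device-code sign-ins.

    This is the per-user baseline: where the person normally logs in from
    when they are not redeeming a device code.
    """
    baseline = defaultdict(set)
    for r in records:
        if r["protocol"] != "deviceCode":
            baseline[r["user"]].add(r["country"])
    return baseline


def triage_device_code_signins(records, expected_apps=EXPECTED_DEVICE_CODE_APPS):
    """Return one finding per device-code sign-in, each with a severity.

    high   - token redeemed from a country not seen in the user's other sign-ins
             (the victim entered the code; the attacker holds the token elsewhere)
    medium - the app does not normally use the device-code flow
    low    - expected app and no geographic anomaly; still confirm with the user
    """
    baseline = interactive_countries(records)
    findings = []
    for r in records:
        if r["protocol"] != "deviceCode":
            continue
        known = baseline.get(r["user"], set())
        if known and r["country"] not in known:
            severity = "high"
            reason = "device-code token redeemed from a country not seen in the user's other sign-ins"
        elif r["app"] not in expected_apps:
            severity = "medium"
            reason = "app does not normally use the device-code flow"
        else:
            severity = "low"
            reason = "expected app; confirm the user started this sign-in"
        findings.append({"time": r["time"], "user": r["user"], "app": r["app"],
                         "ip": r["ip"], "country": r["country"],
                         "severity": severity, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in triage_device_code_signins(SAMPLE_SIGNINS):
        print(f"{f['severity']:6} {f['time']} {f['user']} via {f['app']} "
              f"from {f['ip']} ({f['country']}): {f['reason']}")
```

The geographic check is the important one for this scam: the victim types the code from their usual location, but the token is redeemed by whoever started the flow, so the device-code sign-in shows up from somewhere the user has never logged in from. Any finding at "high" or "medium" is a candidate for the session revocation and credential reset the FBI recommends.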
The scam lowers the barrier for cybercriminals
Per the FBI, attackers now have access to AI-generated phishing emails, automated attack templates, tracking dashboards, and token-stealing tools. This means people with less technical skill can launch much more convincing scams.
And because the attack uses legitimate Microsoft systems during part of the process, it can feel more believable than a typical fake login page.
What the FBI says you should watch for
The biggest red flags include unsolicited verification requests, unexpected device codes, and login prompts tied to emails you weren’t expecting, even if the Microsoft page itself looks real.
Keep in mind that in this case, the scam isn’t the website but the code.
And if you think you were targeted, the FBI advises you to report it to the Internet Crime Complaint Center (IC3). Users should also preserve evidence such as the phishing emails and any records of suspicious login activity, unknown devices, or unfamiliar sessions connected to the account.
Immediately revoking suspicious sessions and changing account credentials is also always a good idea.
Source: AL.com
