eFinder

FBI sounds alarm on phishing tool that steals Microsoft 365 accounts without passwords

Topics: Cybersecurity Threat; FBI Public Safety Warning; Microsoft 365 Vulnerability

What to know about Cybersecurity Threat

FBI sounds alarm on phishing tool that steals Microsoft 365 accounts without passwords.

Claims checked: 12
Techniques found: 2
Topics: 3

Coverage spectrum

Coverage gap: Low Left coverage
Left: 0%
Center: 86%
Right: 14%

7 sources compared across this story cluster. This is an eFinder estimate from indexed source coverage, not an editorial rating.

What happened

FBI sounds alarm on phishing tool that steals Microsoft 365 accounts without passwords.

Why it matters

The FBI is warning that a new hacking platform is allowing cybercriminals to hijack Microsoft 365 accounts — including Outlook, Teams and OneDrive — while bypassing multi-factor authentication entirely.

Common ground

The bureau posted a public service announcement last week sounding the alarm about the “Phishing-as-a-Service” toolkit known as Kali365, which is being used to steal Microsoft 365 access tokens and gain entry to victim accounts without intercepting passwords.

Perspective signals

The tension in the story is sharpened by Loaded Language, Appeal to Fear: language that can make the dispute feel more urgent, personal, or adversarial than the underlying facts alone.


Propaganda Techniques Detected

eFinder identified 2 propaganda techniques in this article. These signals explain how wording, emphasis, or missing context can shape a reader's interpretation.

Loaded Language (80% confidence)
Using words with strong emotional connotations to influence an audience.
Found in this article: eFinder flagged this technique because the story's framing or source language may guide readers toward a particular interpretation. Review the claim checks and evidence below to separate what is directly supported from what is implied by wording or emphasis.
Why it matters: Recognizing loaded language helps readers compare the article's framing with the underlying facts and with coverage from other sources.
Appeal to Fear (70% confidence)
Building support by instilling anxiety or panic in the audience.
Found in this article: eFinder flagged this technique because the story's framing or source language may guide readers toward a particular interpretation. Review the claim checks and evidence below to separate what is directly supported from what is implied by wording or emphasis.
Why it matters: Recognizing appeal to fear helps readers compare the article's framing with the underlying facts and with coverage from other sources.

Claims Checked

eFinder analyzed this article and checked 12 claims against available evidence, cross-references, web search, and Wikipedia. Here is what the fact-checking layer found.

Corroborated: 10
Pending: 2
Claim 1: “sophisticated attack tools are sold to low-skilled criminals via subscription services on Telegram and dark web forums.”
CORROBORATED
Sources mention that Kali365 is a subscription service promoted largely through Telegram and targets less-technical attackers.
Claim 2: “Victims receive phishing emails impersonating services like SharePoint, OneDrive or Microsoft Teams.”
CORROBORATED
Sources specify that phishing emails impersonate SharePoint, OneDrive, and Teams to lure victims.
web search NEUTRAL — Persistence: The attacker can now access Microsoft 365 services such as Outlook, Teams, and OneDrive without needing a password or completing any additional MFA challenges.
https://www.ic3.gov/PSA/2026/PSA260521
web search NEUTRAL — Persistence: The attacker can now access Microsoft 365 services such as Outlook, Teams, and OneDrive without needing a password or completing any additional MFA challenges. To protect yourself, the F…
https://www.aol.com/articles/fbi-warns-phishing-scam-targeti…
web search NEUTRAL — Phishing email arrives impersonating a Microsoft service (SharePoint, Teams, OneDrive). Device code is provided with instructions to visit a legitimate Microsoft verification page
https://www.probablypwned.com/article/fbi-kali365-phaas-micr…
Claim 3: “The FBI is warning that a new hacking platform is allowing cybercriminals to hijack Microsoft 365 accounts — including Outlook, Teams and OneDrive — while bypassing multi-factor authentication entirely.”
CORROBORATED
Multiple independent web sources confirm the FBI issued a warning about the Kali365 platform targeting Microsoft 365 accounts and bypassing MFA.
wikipedia NEUTRAL — In 2020, a major cyberattack suspected to have been committed by a group backed by the Russian government penetrated thousands of organizations globally including multiple parts of the United States f…
https://en.wikipedia.org/wiki/2020_United_States_federal_gov…
wikipedia NEUTRAL — Microsoft Corporation is an American multinational technology company headquartered in Redmond, Washington. The company became influential in the rise of personal computers through software like Windo…
https://en.wikipedia.org/wiki/Microsoft
wikipedia NEUTRAL — Microsoft 365 (previously called Office 365) is a product family of productivity software, collaboration and cloud-based services owned by Microsoft. It encompasses online services such as Outlook.com…
https://en.wikipedia.org/wiki/Microsoft_365
Claim 4: “The scheme exploits Microsoft’s legitimate OAuth 2.0 “device code” authentication system”
CORROBORATED
Web results confirm the attack utilizes the OAuth 2.0 device code flow to capture tokens.
web search NEUTRAL — May 21, 2026 · Kali365 lowers the barrier of entry, providing less-technical attackers access to AI-generated phishing lures, automated campaign templates, real-time targeted individual/entity trackin…
https://www.ic3.gov/PSA/2026/PSA260521
web search NEUTRAL — May 22, 2026 · The FBI has issued a new cybersecurity warning about a rapidly emerging phishing-as-a-service (PhaaS) platform named Kali365, which is actively targeting Microsoft 365 users to steal ac…
https://cybersecuritynews.com/kali365-phaas-microsoft-365/
web search NEUTRAL — May 25, 2026 · According to the FBI PSA, Kali365 first emerged in April 2026 and is distributed via Telegram channels for cybercriminals seeking an easier way to compromise Microsoft 365 accounts with…
https://www.bleepingcomputer.com/news/security/fbi-warns-of-…
Claim 5: “Once the victim completes the process and passes MFA checks, Microsoft issues valid OAuth access and refresh tokens directly to the attacker.”
CORROBORATED
Technical descriptions of the device code phishing attack confirm that once the victim authorizes the code, the tokens are issued to the attacker's device.
web search NEUTRAL — Device code phishing is the latest AiTM technique using OAuth 2.0 device flow to steal session tokens and bypass MFA – no credentials required.
https://spycloud.com/blog/device-code-phishing-the-new-aitm-…
web search NEUTRAL — Oct 10, 2023 ... In Microsoft Entra ID (formerly Azure AD, in this blog referred to as “Azure AD”), there are different types of OAuth tokens.
https://dirkjanm.io/phishing-for-microsoft-entra-primary-ref…
web search NEUTRAL — May 26, 2026 ... We spent years telling people to turn on MFA. That advice is still right. But the next wave of Microsoft 365 phishing is a reminder that ...
https://www.linkedin.com/posts/rkvincent_kali365-phishing-as…
Claim 6: “The bureau said Kali365 was first observed last month”
CORROBORATED
Web search results explicitly state that Kali365 was first spotted in April 2026, which aligns with the 'last month' claim relative to May 2026 reports.
Claim 7: “Scattered Spider, also known as Octo Tempest, is a notorious English-speaking cybercrime group known for aggressive social engineering and SIM-swapping attacks targeting large corporations.”
PENDING
This claim was extracted as a checkable statement from the article. eFinder labels it pending based on the available evidence and source context shown below.
Claim 8: “attackers trick victims into entering a code on a real Microsoft login page, unknowingly authorizing the hacker’s device.”
CORROBORATED
Evidence describes the mechanism as tricking users into entering a device login code on a legitimate Microsoft verification page.
web search NEUTRAL — 7 days ago ... Kali365 device-code phishing is on the rise! Understand how it works to safeguard your Microsoft 365 accounts from potential breaches.
https://www.hornetsecurity.com/en/blog/kali365-device-code-p…
web search NEUTRAL — May 25, 2026 ... The FBI has warned that the Kali365 phishing service is targeting Microsoft 365 users by tricking them into entering a device login code on ...
https://www.linkedin.com/posts/hkcert_fbi-warns-of-kali365-p…
web search NEUTRAL — Jun 1, 2026 ... Kali365: PhaaS Overview Kali365 is an emerging Phishing-as-a-Service (PhaaS) platform that targets Microsoft 365 environments by stealing ...
https://medium.com/@anyrun/kali365-phaas-overview-9906627c5e…
Claim 9: “Another entity, Storm-2949, has focused on compromising IT administrators and senior executives through abuse of Microsoft password reset systems and cloud authentication tools.”
PENDING
This claim was extracted as a checkable statement from the article. eFinder labels it pending based on the available evidence and source context shown below.
Claim 10: “Kali365... is being used to steal Microsoft 365 access tokens and gain entry to victim accounts without intercepting passwords.”
CORROBORATED
Sources explicitly state that Kali365 is used to steal access tokens to gain entry without needing passwords.
web search NEUTRAL — Kali365 phishing kit bypasses MFA and steals Microsoft logins. 27 May. FBI warns scammers can access Outlook, Teams without passwords.
https://news.google.com/stories/CAAqNggKIjBDQklTSGpvSmMzUnZj…
web search NEUTRAL — According to the FBI PSA, Kali365 first emerged in April 2026 and is distributed via Telegram channels for cybercriminals seeking an easier way to compromise Microsoft 365 accounts without stealing pa…
https://www.bleepingcomputer.com/news/security/fbi-warns-of-…
web search NEUTRAL — Kali365 device-code phishing is on the rise! Understand how it works to safeguard your Microsoft 365 accounts from potential breaches. The Kali365 landing page. How the Microsoft device-code phishing w…
https://www.hornetsecurity.com/en/blog/kali365-device-code-p…
Claim 11: “The FBI warned that attackers can maintain persistent access to accounts until the stolen tokens are manually revoked.”
CORROBORATED
General evidence on OAuth token theft confirms that stolen tokens provide persistent access until they expire or are manually revoked.
web search NEUTRAL — Feb 6, 2026 ... A stolen token grants attackers the same access as the legitimate user who originally authenticated, without requiring the attacker to know ...
https://www.obsidiansecurity.com/blog/what-is-token-theft-oa…
web search NEUTRAL — The core challenge with OAuth is that every new connection increases the attack surface (the number of ways in which an attacker could try to access sensitive ...
https://appomni.com/learn/saas-security-fundamentals/oauth-t…
web search NEUTRAL — Oct 24, 2025 ... Modern Single-Sign-On (SSO) and OAuth ecosystems can be high-value targets: attackers steal session tokens or cookies to hijack accounts and ...
https://medium.com/@maxwellcross/breaking-sso-oauth-token-th…
Claim 12: “The bureau posted a public service announcement last week sounding the alarm about the “Phishing-as-a-Service” toolkit known as Kali365”
CORROBORATED
Multiple sources confirm the FBI released a PSA regarding a 'Phishing-as-a-Service' toolkit specifically named Kali365.
web search NEUTRAL — Kali365: the phishing kit bypassing Microsoft 365 security. A new phishing kit called Kali365 can hijack Microsoft 365 accounts even when MFA is on. A new phishing‑as‑a‑service toolkit is showing that M…
https://www.linkedin.com/posts/twin-cities-technology-profes…
web search NEUTRAL — Kali365 is a subscription service for scammers that was first spotted in April 2026, and has been promoted largely through Telegram. It is a turnkey toolkit that allows even non-technical fraudsters t…
https://www.bitdefender.com/en-us/blog/hotforsecurity/fbi-ka…
web search NEUTRAL — Kali365 Phishing-as-a-Service Kit Hijacks Microsoft 365 Access Tokens. The Federal Bureau of Investigation (FBI) is issuing this Public Service Announcement (PSA) to warn the public about an emerging Ph…
https://timesofindia.indiatimes.com/technology/tech-news/fbi…

Disclaimer: This analysis is generated by AI and should be used as a starting point for critical thinking, not as definitive truth. Claims are verified against publicly available sources. Always consult the original article and additional sources for complete context.