{“lastseen”:”2026-05-27T12:05:07″,”description”:”When the Federal Bureau of Investigation (FBI) publishes a dedicated public service announcement about a new phishing kit, it\u2019s worth paying attention to.\\n\\nThe agency is now warning about \u201cKali365,\u201d a phishing\u2011as\u2011a\u2011service (PhaaS) platform that helps even low\u2011skilled attackers hijack Microsoft 365 accounts by stealing access tokens instead of passwords.\\n\\nAlthough early reporting focuses on attacks against organizations, the underlying technique works just as easily against individual Microsoft 365 users who are tricked into entering a short code on a real Microsoft website. In other words, this is not just a business or IT department problem. It could affect anyone with an Outlook, OneDrive, or Microsoft 365 subscription.\\n\\nFor cybercriminals using the kit, it offers three clear advantages:\\n\\n * It bypasses multi\u2011factor authentication (MFA) by stealing access tokens, so extra codes or apps no longer help once the token is compromised.\\n * Kali365 provides ongoing access. The attackers can keep using Outlook, Teams, and OneDrive without repeatedly logging in, as long as the stolen refresh token remains valid.\\n * Little technical skill needed. Cybercriminals can subscribe to Kali365 and immediately run token\u2011stealing campaigns at scale.\\n\\n\\n\\n## What does the attack look like?\\n\\nVictims receive a phishing message that looks like it comes from a cloud service or collaboration tool, such as a document\u2011sharing notification or Teams invite. The message includes a short \u201cdevice code\u201d and instructions like: \u201cGo to Microsoft\u2019s verification page and enter this code to view the document.\u201d\\n\\n* * *\\n\\n\\n\\n### Scam or legit? Scam Guard knows.\\n\\nTRY IT NOW\\n\\n* * *\\n\\nUnlike many phishing emails, this one sends you to a real Microsoft URL used for device sign\u2011in flows. To the user, the page looks familiar and completely legitimate, which lowers suspicion.\\n\\nVictims then see the standard Microsoft sign\u2011in and consent screens and may think they are simply completing a normal security check. They never see a fake page, never type their password into a suspicious form, and may even see their organization\u2019s branding.\\n\\nBut what they don\u2019t realize is that they have handed access to the attacker.\\n\\nOnce the victim approves the request, the attacker\u2019s device receives OAuth access and refresh tokens tied to the victim\u2019s Microsoft 365 account. These tokens are what Microsoft uses to \u201cremember\u201d that you have already logged in, and they can be reused to access Outlook, OneDrive, Teams, and other Microsoft services without entering a password again.\\n\\nWith valid refresh tokens, attackers can maintain long\u2011term access until the tokens are revoked or expire, often blending in with normal account activity.\\n\\nThat access can allow cybercriminals to:\\n\\n * Read Outlook emails, including password reset messages\\n * Access files stored in OneDrive or SharePoint\\n * Send phishing emails to coworkers, customers, friends, or family from the victim’s account\\n\\n\\n\\n## How to protect yourself\\n\\nOnce in Outlook, attackers can not only read your messages but also send convincing new ones from your address, using your identity to compromise additional accounts and contacts.\\n\\nSome tips to steer clear of this one:\\n\\n * Never enter a code at a Microsoft login page just because an email or message tells you to. You should only do this when you initiated the sign\u2011in yourself on your own device.\\n * Slow down and read the prompts. Rushing through login approvals without reading them carefully can be costly.\\n * Be suspicious of unexpected document shares, Teams invites, or login requests, even if they use legitimate Microsoft pages.\\n * Review which devices are logged in under your account at https:\/\/account.microsoft.com\/devices\/. If you see unfamiliar devices or sign\u2011ins, remove them, change your Microsoft account password, and review your security settings.\\n\\n\\n\\nPro tip: Malwarebytes Scam Guard can help you figure out if a message is a scam.\\n\\n* * *\\n\\n****Let ‘s face it, an incognito window can only do so much.** \\n \\n**Breaches, dark web trading, credit fraud. Malwarebytes Identity Theft Protection monitors for all of it, alerts you fast, and comes with identity theft insurance.”,”published”:”2026-05-27T11:41:54″,”modified”:”2026-05-27T11:41:54″,”type”:”malwarebytes”,”title”:”Kali365 phishing kit bypasses MFA and steals Microsoft logins”,”source”:””,”references”:””,”id”:”MALWAREBYTES:CCB440196E8F4C999E5A1A5D3059D05A”,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.malwarebytes.com\/blog\/scams\/2026\/05\/kali365-phishing-kit-bypasses-mfa-and-steals-microsoft-logins”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-05-27T12:05:07″,”description”:”When the Federal Bureau of Investigation (FBI) publishes a dedicated public service announcement about a new phishing kit, it\u2019s worth paying attention to.\\n\\nThe agency is…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,115,13,33,7,11,5],"class_list":["post-57388","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-malwarebytes","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n