New AI Attack Bypasses Microsoft 365 Security, FBI Warns

The FBI has alerted Microsoft 365 users to a new AI-powered phishing attack, dubbed Kali365, that can steal access tokens and bypass multi-factor authentication. The threat uses legitimate Microsoft infrastructure to trick users into granting unauthorized account access.

Laura Roberts
Laura Roberts covers space & aerospace for Techawave.

The Federal Bureau of Investigation (FBI) issued a public warning on May 21, 2026, concerning a sophisticated new artificial intelligence-powered attack that enables malicious actors to steal Microsoft 365 access tokens and circumvent multi-factor authentication (MFA) protocols. The attack, known as Kali365, exploits Microsoft's own authentication infrastructure, allowing threat actors to gain access without needing to intercept user credentials directly.

Kali365 operates as a phishing-as-a-service (PhaaS) platform, democratizing advanced attack techniques for less technically adept cybercriminals. According to the FBI's advisory, the service provides access to AI-generated phishing lures, automated campaign templates, real-time tracking dashboards for targeted individuals and entities, and capabilities for capturing OAuth tokens. This lowers the barrier to entry significantly, enabling a wider range of attackers to target Microsoft 365 accounts.

The attack typically begins with a phishing email designed to impersonate trusted cloud productivity or document-sharing services. Recipients are presented with a device code and instructed to visit a legitimate Microsoft verification page to enter it. By entering the code on that page, users unknowingly hand OAuth access tokens to the attacker, who can then use these tokens to access the victim's Microsoft 365 services, including Outlook, Teams, and OneDrive, without requiring a password or further MFA challenges.

Context and Mitigation Strategies

The emergence of Kali365 highlights a growing trend in cyber threats where AI and accessible phishing toolkits are being weaponized. Proofpoint, a cybersecurity firm, has noted an explosion in "device code phishing" across the threat landscape, with new tools appearing weekly. This surge correlates with the public release of criminal toolkits and the proliferation of PhaaS offerings, making such attacks more prevalent and easier to execute.

For organizations, mitigation can involve enterprise-level security measures such as blocking device authentication or implementing conditional access policies. These strategies can help prevent or limit the scope of device code phishing attacks. However, for individual users, heightened awareness and adherence to security best practices are critical. Understanding that credentials can be compromised in this manner and subsequently used on an attacker's machine is paramount.
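One way to scope a device code block before enforcing it, as an added example that is not part of the FBI advisory or the original article: the script audits sign-in records for completed device code sign-ins and separates documented use from sign-ins that need review. The field names, the allowlist and the sample records are assumptions constructed for illustration; map them to your own sign-in log export.

```python
import json
from collections import defaultdict

# Constructed sign-in records (JSON lines). Field names are assumptions modeled
# on cloud identity sign-in log exports; errorCode 0 is treated as success.
SAMPLE_LOG = """\
{"user":"alice@example.com","app":"Outlook Web","authenticationProtocol":"oAuth2","country":"US","errorCode":0}
{"user":"alice@example.com","app":"Microsoft Office","authenticationProtocol":"deviceCode","country":"NL","errorCode":0}
{"user":"kiosk@example.com","app":"Teams Rooms","authenticationProtocol":"deviceCode","country":"US","errorCode":0}
{"user":"bob@example.com","app":"Outlook Web","authenticationProtocol":"oAuth2","country":"DE","errorCode":0}
{"user":"bob@example.com","app":"Azure CLI","authenticationProtocol":"deviceCode","country":"DE","errorCode":0}
{"user":"carol@example.com","app":"Microsoft Office","authenticationProtocol":"deviceCode","country":"FR","errorCode":1}
{"user":"dave@example.com","app":"Outl
"""

def audit_device_code(log_text, expected_users):
    """Return (user, app, country, severity) for unexpected device code sign-ins."""
    records = []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or malformed export lines
        if isinstance(rec, dict):
            records.append(rec)

    # Baseline: countries each user successfully signed in from WITHOUT device code.
    baseline = defaultdict(set)
    for r in records:
        if r.get("errorCode") == 0 and r.get("authenticationProtocol") != "deviceCode":
            baseline[r.get("user")].add(r.get("country"))

    findings = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode" or r.get("errorCode") != 0:
            continue  # only a completed device code sign-in issues tokens
        if r.get("user") in expected_users:
            continue  # documented use (e.g. shared room devices): candidate policy exclusion
        # A country never seen in the user's ordinary sign-ins raises the priority.
        severity = "review" if r.get("country") in baseline[r.get("user")] else "high"
        findings.append((r.get("user"), r.get("app"), r.get("country"), severity))
    return findings

if __name__ == "__main__":
    for finding in audit_device_code(SAMPLE_LOG, {"kiosk@example.com"}):
        print(finding)
```

Accounts that never appear in the output are unaffected by a block on the flow; the allowlisted ones are the exclusions a conditional access policy would need.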

Cybersecurity experts emphasize the importance of exercising extreme caution with unsolicited emails. Users should be wary of any email prompting an action or containing a link, especially if it pertains to documents they are not expecting. Verifying the legitimacy of an email before clicking on any links or providing information is a crucial step in defending against these evolving threats. The FBI's warning serves as a stark reminder that even established security protocols like MFA are not impervious to novel attack vectors.

Source: Forbes