Beware: A New Token‑Stealing Scam Hits Microsoft Teams, Outlook and OneDrive

USA, Saturday, May 30, 2026

The FBI’s cyber‑crime division has issued a warning about Kali365, an online service that steals Microsoft 365 access tokens. These tokens let attackers use accounts without passwords or MFA, and the tool has already caused hundreds of confirmed attacks since April 2026.

How Kali365 Operates

  1. Phishing Emails
    • Fake file‑sharing alerts lure victims to a real Microsoft verification page.
    • Users enter a code that the attacker has already supplied.
  2. Token Capture
    • Because the page is legitimate, no warning appears.
    • The attacker receives a token that grants permanent access—essentially a master key.
  3. Service Features
    • Available on Telegram for about $250/month or $2,000/year.
    • Includes AI‑generated phishing templates, automated campaign tools, and dashboards to track token usage.

Why Small Businesses Are at Risk

  • Many rely on a single Outlook inbox for both customer and internal communication.
  • Contracts and financial documents are stored in OneDrive.
  • A stolen token lets attackers read mail, copy documents, and roam the network for weeks—often undetected because the session appears legitimate.

FBI Recommendations

  • Report Suspicious Activity: Use the FBI complaint center and preserve evidence (email headers, IPs, login times).
  • Audit OAuth Apps: Check the Microsoft 365 admin center for unfamiliar app permissions and remove them immediately.
  • Enable Sign‑In Risk Policies: Block or flag unusual device‑code authorizations.
  • Staff Training: Teach employees to be skeptical of requests that direct them to Microsoft verification URLs.
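
One way to act on the "flag unusual device‑code authorizations" recommendation when reviewing exported sign‑in logs, as an added example that is not from the FBI warning or from Microsoft: the script flags every successful device code sign‑in and raises the severity when the country has not been seen before for that user. Field names follow the Microsoft Graph beta signIn resource; the sample records, the allowlist and the severity labels are assumptions constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample sign-in records (one JSON object per line). Field names
# follow the Microsoft Graph beta signIn resource; all values are made up.
SAMPLE_LOG = """\
{"createdDateTime":"2026-05-01T08:02:11Z","userPrincipalName":"ana@contoso.example","authenticationProtocol":"none","ipAddress":"198.51.100.10","location":{"countryOrRegion":"US"},"status":{"errorCode":0}}
{"createdDateTime":"2026-05-02T03:14:40Z","userPrincipalName":"ana@contoso.example","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.77","location":{"countryOrRegion":"NL"},"status":{"errorCode":0}}
{"createdDateTime":"2026-05-02T09:00:00Z","userPrincipalName":"room1@contoso.example","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.10","location":{"countryOrRegion":"US"},"status":{"errorCode":0}}
{"createdDateTime":"2026-05-03T10:00:00Z","userPrincipalName":"ben@contoso.example","authenticationProtocol":"none","ipAddress":"198.51.100.23","location":{"countryOrRegion":"US"},"status":{"errorCode":0}}
{"createdDateTime":"2026-05-03T10:05:00Z","userPrincipalName":"ben@contoso.example","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.23","location":{"countryOrRegion":"US"},"status":{"errorCode":0}}
{"createdDateTime":"2026-05-03T11:00:00Z","userPrincipalName":"ben@contoso.example","authenticationProtocol":"deviceCode","ipAddress":"192.0.2.5","location":{"countryOrRegion":"BR"},"status":{"errorCode":1}}
"""

# Assumption: accounts that legitimately use device code flow (shared devices).
ALLOWLIST = {"room1@contoso.example"}

def flag_device_code_signins(log_text, allowlist=ALLOWLIST):
    """Return (time, user, country, ip, severity) for each suspicious sign-in."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    # Same-format ISO 8601 UTC strings sort chronologically.
    events.sort(key=lambda e: e["createdDateTime"])
    seen = defaultdict(set)  # user -> countries from earlier non-device-code sign-ins
    findings = []
    for e in events:
        if e["status"]["errorCode"] != 0:
            continue  # a failed sign-in issued no token
        user = e["userPrincipalName"].lower()
        country = e["location"]["countryOrRegion"]
        if e.get("authenticationProtocol") != "deviceCode":
            seen[user].add(country)  # builds the per-user baseline
            continue
        if user in allowlist:
            continue
        # Device code flow from a country never seen for this user is the
        # stronger signal; a familiar country still deserves a look.
        severity = "review" if country in seen[user] else "high"
        findings.append((e["createdDateTime"], user, country, e["ipAddress"], severity))
    return findings

if __name__ == "__main__":
    for finding in flag_device_code_signins(SAMPLE_LOG):
        print(*finding)
```

Each finding carries the timestamp and IP address, which are among the evidence items the reporting recommendation asks to preserve.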

The Bottom Line

Protecting passwords alone is no longer sufficient. Businesses must also guard the tokens that grant access to cloud services, especially when attackers can purchase ready‑made kits like Kali365.
