Hackers Found New Way to Penetrate Microsoft Accounts Without Passwords, FBI Warns
by Ibrahim Sofiyullaha · Legit.ng News
- The FBI warned that a new phishing platform called Kali365 has been targeting Microsoft 365 users by abusing the company's legitimate device code sign-in process
- Cybercriminals gained access to Outlook, Teams and OneDrive accounts without stealing passwords, by capturing the OAuth tokens issued once a victim approved a code the attacker had requested
- Users were advised never to enter a device code received through an unexpected email and to review account activity for suspicious sign-ins
A new cyber threat targeting Microsoft 365 users has prompted a warning from the United States Federal Bureau of Investigation (FBI): criminals are using a phishing technique that takes over an account without the attacker ever entering the victim's password or answering a multifactor authentication prompt.
The campaign centres on a phishing service known as Kali365, which gives cybercriminals ready-made tools to compromise Microsoft accounts linked to Outlook, Teams and OneDrive. Security experts say the attack does not rely on stealing passwords.
Instead, it tricks victims into approving the attacker's access through Microsoft's legitimate device code sign-in process.
How does Kali365 phishing attack work?
According to the FBI, as reported by Fox News, Kali365 first appeared in April 2026 and has largely been distributed through Telegram. The platform provides attackers with artificial intelligence-generated phishing messages, campaign templates and tooling that requests device codes and collects the OAuth tokens issued when a victim approves one, giving criminals access to user accounts.
The attack begins with a phishing email disguised as a message from a trusted productivity or file-sharing service. Victims are instructed to enter a device code on an authentic Microsoft verification page. Although the website is genuine, the code was generated by a sign-in request the attacker started on their own machine, so entering it authorises the attacker's device to receive tokens for the victim's account.
Once approved, the attacker's device receives access and refresh tokens that let it use Microsoft services as the victim, without ever handling the victim's password or triggering another multifactor authentication prompt. The refresh token is what makes the compromise persistent: it lets the attacker keep obtaining new access tokens after the phishing session is over, until it expires or is revoked.
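The three-step exchange described above, played out against an in-memory mock of an OAuth 2.0 device authorization server (RFC 8628). This is an added example, not code from the article, from the FBI, or from the Kali365 kit; it makes no network calls and uses placeholder client IDs, scopes and URLs. The point it shows is that the attacker only ever touches the device code and the token endpoint, while the victim does all the authenticating (password and MFA) on the genuine page; flipping the server's policy flag is the mock equivalent of a tenant blocking the flow.

```python
"""Device-code phishing, step by step, against an in-memory mock of an RFC 8628
authorization server. Constructed for illustration: no network calls and no real
Microsoft endpoints; client IDs, scopes and URLs are placeholders."""
import secrets
import string
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class PendingGrant:
    device_code: str            # long secret, known only to the device that asked (the attacker)
    user_code: str              # short code the victim is lured into typing on the real page
    client_id: str
    scope: str
    expires_at: float
    subject: Optional[str] = None   # filled in once a signed-in user approves the user_code


class MockAuthorizationServer:
    """Minimal RFC 8628 server: device authorization, user approval, token polling."""

    USER_CODE_ALPHABET = string.ascii_uppercase + string.digits

    def __init__(self, allow_device_code_flow: bool = True):
        # Stands in for a tenant policy that permits or blocks the device code flow.
        self.allow_device_code_flow = allow_device_code_flow
        self._by_device_code: Dict[str, PendingGrant] = {}
        self._by_user_code: Dict[str, PendingGrant] = {}
        self._issued: Dict[str, dict] = {}      # access_token -> claims

    def device_authorization(self, client_id: str, scope: str) -> dict:
        """Step 1: the device requests a device_code/user_code pair (RFC 8628 3.1-3.2)."""
        if not self.allow_device_code_flow:
            return {"error": "unauthorized_client"}
        raw = "".join(secrets.choice(self.USER_CODE_ALPHABET) for _ in range(8))
        grant = PendingGrant(device_code=secrets.token_urlsafe(32),
                             user_code=f"{raw[:4]}-{raw[4:]}", client_id=client_id,
                             scope=scope, expires_at=time.time() + 900)
        self._by_device_code[grant.device_code] = grant
        self._by_user_code[grant.user_code] = grant
        return {"device_code": grant.device_code, "user_code": grant.user_code,
                "verification_uri": "https://login.example/device",   # placeholder, not a real URL
                "expires_in": 900, "interval": 5}

    def approve_user_code(self, user_code: str, signed_in_subject: str) -> bool:
        """Step 2: a user who already signed in (password + MFA) types the user_code (3.3)."""
        grant = self._by_user_code.get(user_code.strip().upper())
        if grant is None or grant.expires_at < time.time():
            return False
        grant.subject = signed_in_subject   # binds the attacker's device_code to the victim
        return True

    def token(self, client_id: str, device_code: str) -> dict:
        """Step 3: the device polls the token endpoint with its device_code (3.4-3.5)."""
        grant = self._by_device_code.get(device_code)
        if grant is None or grant.client_id != client_id:
            return {"error": "invalid_grant"}
        if grant.expires_at < time.time():
            return {"error": "expired_token"}
        if grant.subject is None:
            return {"error": "authorization_pending"}
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self._issued[access] = {"sub": grant.subject, "scope": grant.scope, "client_id": client_id}
        del self._by_device_code[device_code]        # a device_code is redeemable once
        del self._by_user_code[grant.user_code]
        return {"token_type": "Bearer", "access_token": access, "refresh_token": refresh,
                "scope": grant.scope, "expires_in": 3600}

    def introspect(self, access_token: str) -> Optional[dict]:
        return self._issued.get(access_token)


def run_phishing_scenario(server: MockAuthorizationServer, victim: str) -> dict:
    """Plays attacker, victim and server in order; returns what the attacker ended up with."""
    attacker_client = "public-client-id"    # assumption: some public client permitted to use the flow
    start = server.device_authorization(attacker_client, "Mail.Read Files.Read offline_access")
    if "error" in start:
        return {"outcome": "blocked", "reason": start["error"]}
    # The phishing mail carries only user_code; until the victim acts, polling stays pending.
    first_poll = server.token(attacker_client, start["device_code"])
    # The victim signs in on the genuine page with their own password and MFA, then enters the code.
    server.approve_user_code(start["user_code"], victim)
    tokens = server.token(attacker_client, start["device_code"])
    claims = server.introspect(tokens["access_token"]) or {}
    return {"outcome": "compromised",
            "pending_before_approval": first_poll.get("error") == "authorization_pending",
            "subject": claims.get("sub"), "scope": claims.get("scope"),
            "has_refresh_token": "refresh_token" in tokens,
            "replay_of_device_code": server.token(attacker_client, start["device_code"]).get("error")}


if __name__ == "__main__":
    print(run_phishing_scenario(MockAuthorizationServer(), "victim@example.com"))
    print(run_phishing_scenario(MockAuthorizationServer(allow_device_code_flow=False), "victim@example.com"))
```

Nothing in the attacker's path asks for a password, and the victim's own MFA satisfies the server, which is why MFA does not stop this. The `offline_access` scope in the request is what asks for a refresh token; a public client that cannot get one would have to re-phish the victim when the access token expires.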
Why should Microsoft users be concerned?
Cybersecurity experts warned that the technique poses a serious risk because it abuses a trusted Microsoft feature rather than a fake website. Password managers and URL-based phishing filters see the genuine Microsoft sign-in domain, so there is no mismatch for them to flag, and the victim's own MFA approval is what the attacker's tokens are built on.
Small businesses could be particularly vulnerable. A compromised Microsoft 365 account may expose emails, invoices, customer information, shared documents and internal conversations. Criminals could also impersonate legitimate employees to deceive colleagues, suppliers or clients.
Microsoft said users should follow the FBI's recommendations and the company's own security guidance to defend against Kali365 and similar attacks.
The technology company added that it continues to disrupt criminal networks linked to phishing as a service and account takeover campaigns.
How can users protect their accounts?
The FBI advised users to enter a Microsoft device code only when they personally initiated the sign-in process on a device they are holding. It also recommended avoiding links contained in unexpected emails or messages and instead accessing Microsoft services directly through an official website.
Users are encouraged to review recent account activity, revoke suspicious sessions (which invalidates the refresh tokens the attacker relies on) and report any suspected compromise immediately.
Organisations were also urged to restrict device code sign-in where it is not required, which in Microsoft Entra ID is done with a Conditional Access policy that targets the device code authentication flow, and to train staff to recognise this emerging phishing method.
Security experts said exercising caution before approving unexpected login requests remains one of the most effective ways to prevent unauthorised access to Microsoft accounts.
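A concrete form of the "review recent account activity" advice above, as an added example that is not part of the article: a small hunt over sign-in records that surfaces successful device code sign-ins and ranks them by how unusual they are for that user. The records are constructed for this example and only borrow the field names of the Microsoft Entra ID sign-in log (`authenticationProtocol` is `deviceCode` for this flow); the list of apps expected to use device codes is an assumption a tenant would tune.

```python
"""Hunt for device-code sign-ins in Microsoft Entra-style sign-in records.
Constructed example: the records below are made up, shaped after the Entra ID
sign-in log fields (userPrincipalName, authenticationProtocol, ipAddress,
location.countryOrRegion, appDisplayName, status.errorCode)."""
import json
from collections import defaultdict
from typing import Dict, List, Set

# Assumption: apps in this tenant that legitimately use the device code flow (headless tooling).
EXPECTED_DEVICE_CODE_APPS = {"Microsoft Azure CLI"}

# Constructed sample, one JSON record per line; a nonzero status.errorCode is a failed sign-in.
SAMPLE_SIGNINS = """\
{"createdDateTime": "2026-05-02T08:01:00Z", "userPrincipalName": "amaka@example.com", "authenticationProtocol": "none", "ipAddress": "41.58.0.10", "location": {"countryOrRegion": "NG"}, "appDisplayName": "Microsoft Teams", "status": {"errorCode": 0}}
{"createdDateTime": "2026-05-02T09:14:00Z", "userPrincipalName": "tunde@example.com", "authenticationProtocol": "oAuth2", "ipAddress": "41.58.0.22", "location": {"countryOrRegion": "NG"}, "appDisplayName": "Outlook", "status": {"errorCode": 0}}
{"createdDateTime": "2026-05-02T10:40:00Z", "userPrincipalName": "amaka@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "185.220.101.5", "location": {"countryOrRegion": "NL"}, "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}}
{"createdDateTime": "2026-05-02T11:05:00Z", "userPrincipalName": "tunde@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "41.58.0.22", "location": {"countryOrRegion": "NG"}, "appDisplayName": "Microsoft Azure CLI", "status": {"errorCode": 0}}
{"createdDateTime": "2026-05-02T11:30:00Z", "userPrincipalName": "tunde@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.9", "location": {"countryOrRegion": "US"}, "appDisplayName": "Microsoft Office", "status": {"errorCode": 50126}}
"""


def parse_signins(jsonl: str) -> List[dict]:
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def hunt_device_code_signins(jsonl: str) -> List[dict]:
    """Return successful device-code sign-ins, highest severity first."""
    records = sorted(parse_signins(jsonl), key=lambda r: r["createdDateTime"])
    # Per-user baseline of countries seen on earlier, non-device-code successful sign-ins.
    seen_countries: Dict[str, Set[str]] = defaultdict(set)
    findings: List[dict] = []
    for rec in records:
        upn = rec["userPrincipalName"]
        country = rec.get("location", {}).get("countryOrRegion", "unknown")
        succeeded = rec.get("status", {}).get("errorCode", 0) == 0
        if rec.get("authenticationProtocol") != "deviceCode":
            if succeeded:
                seen_countries[upn].add(country)
            continue
        if not succeeded:
            continue   # no tokens were issued; a completed grant is what matters here
        app = rec.get("appDisplayName")
        if country not in seen_countries[upn]:
            severity, reason = "high", f"device code approved from {country}, never seen for this user"
        elif app not in EXPECTED_DEVICE_CODE_APPS:
            severity, reason = "medium", f"{app} is not expected to use the device code flow"
        else:
            severity, reason = "low", "expected app and known location; confirm the user started it"
        findings.append({
            "createdDateTime": rec["createdDateTime"], "userPrincipalName": upn,
            "authenticationProtocol": "deviceCode", "ipAddress": rec.get("ipAddress"),
            "country": country, "appDisplayName": app, "severity": severity, "reason": reason,
            "recommended_action": "revoke sign-in sessions (invalidates refresh tokens) and confirm with the user",
        })
    findings.sort(key=lambda f: {"high": 0, "medium": 1, "low": 2}[f["severity"]])
    return findings


if __name__ == "__main__":
    for finding in hunt_device_code_signins(SAMPLE_SIGNINS):
        print(json.dumps(finding))
```

The baseline is deliberately built only from events that precede each device code sign-in, so a first-ever sign-in from a new country is rated high even if the same user later signs in from there legitimately. A real deployment would pull the records from the sign-in log export rather than a string and would add the tenant's own allowlist of device code clients.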