FBI Warning: $250 Hack Puts You In Danger

Person typing on laptop with mail warning icons.
FBI WARNING SHOCKER

The FBI just confirmed there is now a $250-a-month hacking “subscription” that can break into your Outlook, Teams, and OneDrive without ever knowing your password.

Story Snapshot

  • Kali365 lets low-skill scammers hijack Microsoft 365 accounts by stealing tokens, not passwords
  • The FBI says this kit can bypass multi-factor authentication and keep long-term access to your data
  • Attackers use real Microsoft pages and simple device codes, so the usual “look for fakes” advice fails
  • One simple rule about codes stops most of these attacks before they start

How Kali365 Turns Everyday Workers Into Prime Targets

FBI investigators say Kali365 is a “phishing-as-a-service” platform built to break into Microsoft 365 accounts at scale, including Outlook, Teams, and OneDrive.

The kit is sold to criminals like software, with a subscription reportedly starting at a few hundred dollars per month, and it gives them ready-made tools to run campaigns without real technical skill.

The FBI’s alert states that Kali365 focuses on stealing Microsoft 365 access tokens and bypassing multi-factor authentication rather than stealing passwords directly.

The people behind Kali365 do not need to be expert hackers. They rent a dashboard, pick from prebuilt phishing templates, and launch attacks that impersonate trusted cloud or document-sharing services such as file-sharing notifications or collaboration invites.

The FBI and independent reporting both describe how these lures are polished and tailored, often generated with artificial intelligence, and designed to blend into normal business traffic so busy users click first and think later.[2]

The Trick: Real Microsoft Page, Fake Approval

The core of this attack abuses something Microsoft built to make your life easier: the “device code” sign-in flow. That flow exists so you can sign in to services on devices like smart TVs or conference room screens by typing a short code on another device. Kali365 hijacks that process.

The phishing email includes a legitimate-looking device code and directs the user to a real Microsoft verification page to enter it.[1]

When the victim does exactly that, they feel safe. The page has the real Microsoft address, a padlock icon, and a familiar design. But they are not signing up for a television.

They are approving the attacker’s application. Once that code is entered, Microsoft issues OAuth access and refresh tokens to the attacker’s registered app, not the user’s device. Those tokens function like long-lived keys that say, “This person is already logged in; let them continue.”

Why Multi-Factor Authentication Fails Against Token Theft

Many companies spent years forcing employees to enable multi-factor authentication and then felt the job was done. Kali365 exposes the blind spot in that thinking.

The FBI explains that this kit lets attackers bypass multi-factor authentication without ever intercepting credentials by riding on the user’s own successful login and harvesting the resulting tokens.

Multi-factor authentication protects the moment you enter your password and code; token theft jumps in right after that moment has passed.

Once Kali365 operators have valid access and refresh tokens, they can quietly open Outlook, Teams, OneDrive, and other Microsoft 365 services associated with that account.

Reports describe persistent access in which attackers read email, monitor invoices, reset passwords on connected services, and copy or encrypt files. Because the session looks like a normal, previously approved device, many security systems and users never spot anything wrong until money or data disappears.[1]

A Growing Crime Business, Not Just A One-Off Hack

Security researchers who dug into the Kali365 ecosystem describe it as more of a full cybercrime franchise than a simple phishing page. One detailed analysis found multiple control panels, more than thirty built-in lures, token management tools, and even features to help launch business email compromise schemes once an inbox is stolen.

The platform includes real-time victim tracking dashboards and automated campaign templates, echoing the FBI’s warning that it “lowers the barrier of entry” for less-skilled attackers.

From this point of view, this is exactly what happens when big technology firms centralize identity, pile everything into one cloud, and then tell the public “don’t worry, multi-factor fixes it.”

The FBI’s public service announcement and follow-on coverage show that criminals adapt faster than large bureaucracies and large software vendors. Kali365 does not break encryption; it exploits human trust and poorly controlled features.

The One Habit That Stops Most Kali365 Attacks Cold

The good news is that the same FBI alert that rang the alarm also gives simple steps that work in regular homes and small businesses, not just big corporations.

First, never enter a code on a Microsoft verification page unless you personally started that sign-in on your own device. If an email or text you did not request tells you to type in a code, treat it as hostile and delete or report it.

For organizations, security experts recommend disabling the device code sign-in flow when it is not necessary and using conditional access rules to ensure only known devices and locations can connect.[1]

Regular users should report strange login alerts, unknown devices, or unrequested codes, and should not click links in surprise “you have a shared file” messages.

The basic mix of skepticism, clear rules, and tighter technical controls reflects the same values that keep a household safe: trust earned slowly, access granted carefully, and responsibility pushed down to the individual, not just up to distant tech giants.

Sources:

[1] Web – FBI issues urgent Kali365 security warning for Teams, Outlook, …

[2] Web – FBI warns of Kali365 phishing scam targeting Microsoft 365 users

RELATED ARTICLESMORE FROM AUTHOR

© 2026 Priority News Now. All Rights Reserved.