(NEXSTAR) – A new phishing tool is allowing cyber attackers to get access to Microsoft 365 users’ accounts without even needing to know your password, the FBI said in a warning issued to the public on Thursday.

The phishing platform, called Kali365, was first seen in April, according to the FBI. It’s primarily distributed through the messaging app Telegram and allows cyber attackers to bypass multi-factor authentication.

The scam starts with a lure, typically a phishing email impersonating a trusted source like a document sharing service. “This phishing email contains a device code with instructions to visit a legitimate Microsoft verification page and enter the code,” the FBI warns.

Once you navigate to the real Microsoft page and paste in the code, you’d be unwittingly authorizing the attacker to access your account. From there, they can capture authorization tokens that grant them access to your Microsoft 365 software, including Outlook email, Teams messages and OneDrive files. They won’t need to know your password or use multi-factor authentication to access your account.

This new phishing platform, Kali365, makes it easier for unskilled attackers to steal authorization codes by using AI-generated phishing lures, and to target and track individuals in real time, the FBI says.

To protect yourself from a Kali365 attack, the FBI recommends:

Creating a “conditional access policy,” which will block all users from device code flow, with limited exceptions

Checking who currently has access to code flow usage, making sure they are legitimate

Blocking the ability for users to transfer authentication from computers to mobile devices

Excluding emergency access accounts to prevent lockouts
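The four FBI steps above are, in practice, one piece of tenant configuration plus one log review. The Python below is an added example written for this article, not code from the FBI, Microsoft or Nexstar: the first helper builds the request body for a Microsoft Entra Conditional Access policy that blocks the device code flow and authentication transfer for all users while excluding emergency access accounts, and the second scans sign-in log records to see who is actually using the device code flow today, so legitimate users can be added as narrow exceptions before the policy is enforced. The field names (`conditions.authenticationFlows.transferMethods`, the sign-in `authenticationProtocol` value `deviceCode`) follow the Microsoft Graph `conditionalAccessPolicy` and `signIn` resources as I understand them and should be treated as assumptions to be checked against the current Graph reference; the account IDs and sign-in records are constructed for the example.

```python
"""Helpers for the FBI's Kali365 mitigations (added example, not the article's code).

Assumptions (verify against the Microsoft Graph reference before use):
  * Conditional Access policies are created with the `conditionalAccessPolicy`
    schema, where `conditions.authenticationFlows.transferMethods` is a
    comma-separated flags value that may contain `deviceCodeFlow` and
    `authenticationTransfer`.
  * Entra sign-in log records carry an `authenticationProtocol` field whose
    value is `deviceCode` for device code flow sign-ins.
"""
import json
from collections import Counter


def build_block_device_code_policy(emergency_account_ids,
                                   display_name="Block device code flow and authentication transfer",
                                   report_only=True):
    """Return the JSON body for POST /identity/conditionalAccess/policies.

    The policy targets every user and every application, blocks sign-ins that
    arrive via the device code flow or authentication transfer, and excludes the
    given emergency access (break-glass) account object IDs so admins cannot be
    locked out.  It defaults to report-only so impact can be reviewed first.
    """
    state = "enabledForReportingButNotEnforced" if report_only else "enabled"
    return {
        "displayName": display_name,
        "state": state,
        "conditions": {
            "users": {
                "includeUsers": ["All"],
                "excludeUsers": list(emergency_account_ids),
            },
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {
                "transferMethods": "deviceCodeFlow,authenticationTransfer",
            },
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def policy_is_safe(policy):
    """Pre-flight check: the policy must block, must cover the device code flow,
    and must exclude at least one account (the lockout safeguard the FBI lists)."""
    conds = policy["conditions"]
    blocks = "block" in policy["grantControls"]["builtInControls"]
    covers_dcf = "deviceCodeFlow" in conds["authenticationFlows"]["transferMethods"]
    has_breakglass = len(conds["users"]["excludeUsers"]) > 0
    return blocks and covers_dcf and has_breakglass


# Constructed sign-in log records, trimmed to the fields used here.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Azure CLI",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10"},
    {"userPrincipalName": "bob@example.com", "appDisplayName": "Outlook",
     "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.7"},
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Azure CLI",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10"},
    {"userPrincipalName": "carol@example.com", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "ipAddress": "192.0.2.44"},
    {"userPrincipalName": "dave@example.com", "appDisplayName": "Teams"},  # field absent
]


def find_device_code_signins(records):
    """Return {userPrincipalName: number of device code flow sign-ins}.

    This is the "check who currently uses the device code flow" step: anyone
    listed here either needs a documented exception or is a candidate for
    investigation (for example Office signing in via device code from an
    unfamiliar address).
    """
    counts = Counter()
    for rec in records:
        if rec.get("authenticationProtocol") == "deviceCode":
            counts[rec["userPrincipalName"]] += 1
    return dict(counts)


if __name__ == "__main__":
    breakglass = ["00000000-0000-0000-0000-000000000001"]  # placeholder object ID
    policy = build_block_device_code_policy(breakglass)
    print(json.dumps(policy, indent=2))
    print("policy passes pre-flight:", policy_is_safe(policy))
    print("device code flow users:", find_device_code_signins(SAMPLE_SIGNINS))
```

Run the review helper against a real export of the tenant's sign-in logs first, add the legitimate users it surfaces to `excludeUsers` (or a dedicated group), deploy the policy in report-only mode, and only then flip `report_only` to `False`.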

A Microsoft spokesperson tells Nexstar the company agrees with the FBI guidance and adds a few more best practices:

Learn to spot phishing attempts in the first place so you don’t fall prey to scammers

Don’t open files from unknown senders, which could download malware to your device

Make sure your operating system and applications are updated with the latest fixes

The company adds it is “actively working to disrupt the cybercriminal ecosystems behind phishing-as-a-service and account takeover activity to protect our customers.”

Copyright 2026 Nexstar Media, Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.
