
The FBI has issued a public warning about a new phishing tool that lets cybercriminals break into Microsoft 365 accounts without ever needing the victim’s password.

Getting into it: The platform, called Kali365, first popped up in April and is a “phishing-as-a-service” tool sold mainly through the messaging app Telegram, according to the FBI. What makes it dangerous is that it can bypass multi-factor authentication (MFA) entirely. The attack starts with a phishing email designed to look like a trusted document-sharing or cloud service. The email includes a “device code” and a prompt telling the victim to head to a real Microsoft verification page and punch it in. Because the page really is Microsoft’s, nothing looks off, but once the victim types in that code, they’ve unknowingly handed the attacker access. The hacker then captures the account’s authorization tokens, giving them the run of the victim’s Outlook inbox, Teams chats, and OneDrive documents (and even connected apps like Salesforce) without touching a password or clearing an MFA check.


The bigger concern, experts say, is how easy the tool makes all this. Kali365 hands even unskilled attackers AI-generated phishing lures, ready-made campaign templates, and real-time dashboards for tracking who they’re going after.

Kali365 is part of a fast-growing wave of these “device code” phishing attacks. Cybersecurity firm Arctic Wolf has been tracking a campaign using the platform since early April that hit targets across manufacturing, education, healthcare, finance, and government. A separate operation monitored by the firm Huntress targeted more than 340 organizations across the US, Germany, Canada, Australia, and New Zealand. Similar tools with names like EvilTokens and Tycoon2FA are also circulating, and researchers at Proofpoint warn that “device code phishing is exploding across the threat landscape, with new device code phishing tools emerging every week.”

For protection, the FBI says the strongest defenses sit at the organizational level, recommending that IT teams set up “conditional access policies” to block device code authentication where it isn’t needed, restrict users from carrying their logins from desktop over to mobile, and exclude emergency accounts to avoid getting locked out.
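The policy the FBI describes, written out with the Microsoft Graph PowerShell SDK as an added example (not from the FBI warning or from Microsoft); it assumes the SDK is installed, that the signed-in admin holds the Policy.ReadWrite.ConditionalAccess permission, and the break-glass account IDs are placeholders.

```powershell
# Added example: Conditional Access policy that blocks the device code flow and
# desktop-to-mobile authentication transfer for all users, with the
# emergency-access ("break-glass") accounts excluded so admins are not locked out.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# PLACEHOLDER object IDs: replace with the tenant's real break-glass accounts.
$breakGlassAccounts = @(
    "00000000-0000-0000-0000-000000000001",
    "00000000-0000-0000-0000-000000000002"
)

$policy = @{
    displayName = "CA - Block device code flow and authentication transfer"
    # Start in report-only mode: sign-in logs then show what WOULD be blocked
    # (legitimate device-code sign-ins from shared screens, CLI tools, etc.)
    # before the policy is switched to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{
            includeUsers = @("All")
            excludeUsers = $breakGlassAccounts
        }
        applications = @{
            includeApplications = @("All")
        }
        # "Authentication flows" condition: scope the policy to sign-ins that
        # use the device code flow or transfer a desktop session to mobile.
        authenticationFlows = @{
            transferMethods = "deviceCodeFlow,authenticationTransfer"
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.Id) in state '$($created.State)'"

# Once the report-only results have been reviewed, enforce the policy:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
#     -BodyParameter @{ state = "enabled" }
```

Check the Entra sign-in logs for report-only matches for a few days before enforcing; any legitimate device-code use (headless devices, shared displays) should get its own narrower exception rather than a blanket allowance.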

Microsoft, which said it backs the FBI’s recommendations and is “actively working to disrupt” the criminal networks behind these scams, added its own basics: learn to recognize phishing attempts, steer clear of attachments from senders you don’t recognize, and keep your software updated.
