FBI Warning: New Microsoft 365 Phishing Attack Can Get Around MFA
If your business uses Microsoft 365, this latest FBI warning is worth paying attention to. At EON Consulting, we’re watching this closely because this kind of phishing attack can trick people into approving access through a real Microsoft sign-in process, which can let attackers get into Outlook, Teams, OneDrive, and other important systems even when MFA is turned on.
In May 2026, the FBI warned about a phishing-as-a-service platform called Kali365 that is targeting Microsoft 365 users by abusing legitimate Microsoft sign-in workflows instead of stealing passwords in the traditional way.
In this post, we’ll explain what’s happening, why it matters, and what organizations should do now to reduce risk.
What Businesses Need to Understand About This Attack
The FBI warns that Kali365 is a phishing-as-a-service platform targeting Microsoft 365 accounts.
This attack uses a real Microsoft sign-in method to trick users into granting access, which can get around the protection people expect from MFA.
Businesses should review Microsoft 365 sign-in settings, limit risky login methods, and strengthen cybersecurity awareness training.
For organizations in Denton, Dallas-Fort Worth, and across North Texas, this threat creates real compliance, privacy, and business continuity risk.
How the Attack Works
Most phishing attacks are designed to steal usernames, passwords, or MFA codes. This one works differently.
Kali365 is designed to trick users into approving access themselves. Instead of stealing a password, the attacker gets the user to authorize a session through a real Microsoft verification page.
A typical attack looks like this:
The user receives a phishing email that appears to come from a trusted cloud or file-sharing service
The message includes a device code and instructions to go to a real Microsoft verification page
The user enters the code, believing they are completing a legitimate sign-in step
That action completes the sign-in for whoever requested the code. Microsoft issues the session’s sign-in tokens to the attacker, who never needed the user’s password.
That means no password is stolen and no MFA prompt is intercepted. The user unknowingly approves access.
Once the attacker holds those tokens, they may be able to access services like Outlook, Teams, and OneDrive without triggering another login challenge.
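To make the mechanism concrete, here is an added model of the OAuth 2.0 device authorization grant (RFC 8628), the standard that Microsoft’s device code sign-in implements. This is illustrative code written for this post, not Microsoft’s implementation and not part of the FBI warning; the endpoint URL, client name, IP addresses and account name are constructed placeholders and nothing contacts a real service. What it shows is the structural reason the attack works: the verification page only ever sees the short user code, and the tokens are issued to whichever party holds the matching device code, regardless of where that party is.

```python
"""Minimal model of the OAuth 2.0 device authorization grant (RFC 8628).
Illustrative code added to this post; it is not Microsoft's implementation.
It demonstrates one point: tokens go to the holder of the device_code, while
the verification page only sees the user_code and nothing about who asked."""
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class PendingAuthorization:
    client_id: str
    user_code: str
    requested_by_ip: str                      # constructed: who called /devicecode
    created_at: float = field(default_factory=time.time)
    approved_by: Optional[str] = None         # set when a user enters the code


class MockAuthorizationServer:
    """Stands in for an identity provider's /devicecode and /token endpoints."""

    def __init__(self, code_ttl_seconds: int = 900):
        self.ttl = code_ttl_seconds
        self.by_device_code: Dict[str, PendingAuthorization] = {}
        self.by_user_code: Dict[str, str] = {}  # user_code -> device_code

    def start_device_authorization(self, client_id: str, requester_ip: str) -> dict:
        """Step 1: any client can ask for a code pair; no user is involved yet."""
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice("BCDFGHJKLMNPQRSTVWXZ") for _ in range(9))
        self.by_device_code[device_code] = PendingAuthorization(client_id, user_code, requester_ip)
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://idp.example/devicelogin",  # placeholder
                "expires_in": self.ttl, "interval": 5}

    def verification_page_submit(self, user_code: str, signed_in_user: str) -> str:
        """Step 2: a signed-in user (MFA already satisfied on their own device)
        types the short code into the real verification page.  The page cannot
        tell who requested the code or from where."""
        device_code = self.by_user_code.get(user_code)
        if device_code is None:
            return "invalid_code"
        pending = self.by_device_code[device_code]
        if time.time() - pending.created_at > self.ttl:
            return "expired_code"
        pending.approved_by = signed_in_user
        return "approved"

    def poll_token(self, device_code: str) -> dict:
        """Step 3: the client that holds device_code polls until approval and
        then receives the tokens, in the user's identity."""
        pending = self.by_device_code.get(device_code)
        if pending is None:
            return {"error": "invalid_grant"}
        if time.time() - pending.created_at > self.ttl:
            return {"error": "expired_token"}
        if pending.approved_by is None:
            return {"error": "authorization_pending"}
        return {"token_type": "Bearer",
                "access_token": "tok-" + secrets.token_hex(8),
                "refresh_token": "rt-" + secrets.token_hex(8),
                "sub": pending.approved_by,
                "issued_to_ip": pending.requested_by_ip}


def walk_through() -> dict:
    """Runs the three steps once and reports where the tokens ended up.
    All identities and addresses are constructed."""
    idp = MockAuthorizationServer()
    req = idp.start_device_authorization("constructed-client", requester_ip="203.0.113.9")
    before = idp.poll_token(req["device_code"]).get("error")          # authorization_pending
    result = idp.verification_page_submit(req["user_code"], "alice@example.com")
    tokens = idp.poll_token(req["device_code"])
    return {"poll_before_approval": before, "submit_result": result,
            "sub": tokens.get("sub"), "issued_to_ip": tokens.get("issued_to_ip"),
            "has_refresh_token": "refresh_token" in tokens}


if __name__ == "__main__":
    print(walk_through())
```

Note that nothing in the model checks the requester’s address against the approving user’s device; that is the property the FBI’s recommendation to restrict device code flow addresses, because the protocol itself offers the verification page no way to do it.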
That is what makes this threat especially serious.
Why This Matters More Than a Typical Phishing Email
This attack stands out for a few key reasons:
It Works Around Traditional MFA Assumptions
Many organizations have invested in MFA and assume that adds enough protection. In this case, attackers are abusing a legitimate Microsoft authentication flow so the user authorizes the attacker’s session. The FBI specifically recommends restricting device code flow and using conditional access policies to reduce this risk.
It Creates Persistent Access
Attackers are not just trying to get in once. If they gain access, they may be able to stay connected longer than many businesses would expect.
It Lowers the Barrier for Attackers
Because Kali365 is offered as a service and reportedly distributed through Telegram, less technical attackers can launch more sophisticated campaigns than in the past.
It Targets Business Workflows
Because the attack uses a real Microsoft page and familiar workflow, it can look legitimate to busy employees. That makes it harder to spot than a traditional fake login page.
Why Regulated Organizations Should Pay Close Attention
This is especially important for organizations in regulated industries such as financial services, healthcare, and government, where Microsoft 365 often plays a central role in communication, collaboration, and document storage.
These environments tend to face higher exposure because they often have:
Heavy dependence on Microsoft 365 (email, Teams, document storage)
Users who regularly interact with external links, shared files, and verification prompts
Regulatory expectations around access control, monitoring, and incident response
If an attacker gains access to even one Microsoft 365 account, the impact can spread quickly. They may be able to:
Monitor internal communications
Intercept sensitive documents
Launch internal phishing or business email compromise attacks
Establish lateral movement across the environment
This makes the issue more than a technical problem. It is also a business continuity, privacy, and compliance concern.
What the FBI Recommends
The FBI has already outlined practical steps organizations should take to reduce exposure.
That includes:
Limit or turn off device code sign-ins where they are not needed
Use conditional access policies to reduce the chance of stolen access being misused
Audit which users or apps rely on these authentication methods
Block authentication transfer between devices where possible
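The first, second and third of those steps can be worked through together. Below is an added example, not the FBI’s or Microsoft’s code: it builds the Conditional Access policy body that blocks device code flow and authentication transfer, in the JSON shape of the Microsoft Graph conditionalAccessPolicy resource (its authenticationFlows condition, which you should verify against current Microsoft documentation), starts it in report-only mode, checks it for the lock-out mistake most often made with block policies, and audits a sign-in export for who still relies on device code so that exceptions can be scoped before enforcement. The group id is a placeholder, and the sign-in records are constructed in the shape of Entra sign-in log entries.

```python
"""Added example (not from the FBI warning or Microsoft): a report-only
Conditional Access policy blocking device code flow and authentication
transfer, a pre-deployment sanity check, and an audit of device-code usage.
Graph schema per Microsoft's conditionalAccessPolicy resource; verify before use."""
import json
from collections import Counter
from typing import Dict, List, Tuple

BREAK_GLASS_GROUP_ID = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real id

# Constructed sign-in records in the shape of Entra sign-in log entries
# (field names follow the Graph signIn resource; values are made up).
SAMPLE_SIGNINS = """
{"userPrincipalName":"alice@example.com","appDisplayName":"Microsoft Teams","authenticationProtocol":"oAuth2"}
{"userPrincipalName":"bob@example.com","appDisplayName":"Azure CLI","authenticationProtocol":"deviceCode"}
{"userPrincipalName":"bob@example.com","appDisplayName":"Azure CLI","authenticationProtocol":"deviceCode"}
{"userPrincipalName":"carol@example.com","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode"}
"""


def build_block_policy(excluded_group_ids: List[str], report_only: bool = True) -> dict:
    """Body for POST /identity/conditionalAccess/policies.  transferMethods is a
    comma-separated flag string in the Graph schema."""
    return {
        "displayName": "Block device code flow and authentication transfer",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": list(excluded_group_ids)},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def validate_policy(policy: dict) -> List[str]:
    """Checks a reviewer applies before a block policy goes live."""
    problems = []
    conditions = policy.get("conditions", {})
    if not conditions.get("users", {}).get("excludeGroups"):
        problems.append("no break-glass exclusion: an all-users block can lock out admins")
    methods = conditions.get("authenticationFlows", {}).get("transferMethods", "")
    if "deviceCodeFlow" not in methods.split(","):
        problems.append("policy does not cover deviceCodeFlow")
    if "block" not in policy.get("grantControls", {}).get("builtInControls", []):
        problems.append("grant control is not 'block'")
    return problems


def audit_device_code_usage(signin_lines: str) -> Dict[Tuple[str, str], int]:
    """Counts device-code sign-ins per (user, app) so legitimate dependencies
    (for example CLI tooling) are known before the policy is enforced."""
    usage: Counter = Counter()
    for line in signin_lines.strip().splitlines():
        rec = json.loads(line)
        if rec.get("authenticationProtocol") == "deviceCode":
            usage[(rec["userPrincipalName"], rec["appDisplayName"])] += 1
    return dict(usage)


if __name__ == "__main__":
    policy = build_block_policy([BREAK_GLASS_GROUP_ID])
    print(json.dumps(policy, indent=2))
    print("problems:", validate_policy(policy))
    print("device code usage:", audit_device_code_usage(SAMPLE_SIGNINS))
```

The same body can be handed to the Graph PowerShell cmdlet New-MgIdentityConditionalAccessPolicy as its BodyParameter. Leaving the policy in report-only mode while the audit runs gives the visibility the page describes as missing; switching it to enforced is a one-field change once the users and apps that legitimately need device code have been scoped out or migrated.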
For many organizations, the challenge is not awareness. It is implementation.
Common obstacles include:
Restricting device code flow requires careful configuration to avoid breaking legitimate workflows that depend on it
Organizations may not yet have conditional access policies in place to tightly control high-risk authentication flows
There’s a lack of visibility into how authentication methods are being used
That is where many security gaps still exist today.
The Human Factor Still Matters
Even with the right technical controls, this attack still depends on one thing.
The user.
If a user doesn’t recognize that entering a device code is unusual or suspicious, they can unintentionally grant access. And because this uses legitimate Microsoft pages, traditional “hover over the link” training doesn’t always catch it.
This is why phishing protection has to go beyond basic awareness.
You need:
Training that reflects modern attack techniques, not just legacy phishing
Simulations that include authorization-based attacks, not just fake login pages
Clear internal processes for reporting suspicious prompts and requests
Without that, even well-secured environments can be compromised.
How We’re Addressing This at EON
Across the clients we support in Denton, Dallas-Fort Worth, and throughout North Texas, we’re already helping businesses strengthen Microsoft 365 security, reduce phishing risk, and improve day-to-day cybersecurity resilience.
Our approach focuses on three layers:
1. Email and Identity Protection
We implement and fine-tune Microsoft 365 security controls, including:
Conditional access policies aligned with FBI guidance
Restrictions on device code flow and risky authentication methods
Advanced threat protection for email and collaboration tools
2. Continuous Monitoring
We actively monitor for:
Suspicious token activity
Unusual login patterns
Unauthorized session persistence
This matters because once an attacker is approved, some of the usual password-based warning signs may be easier to miss.
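As an added illustration of the signals listed above (not EON’s monitoring tooling), here is a small detection that runs over sign-in records. The records are constructed here in the shape of Entra sign-in log entries, with field names following the Graph signIn resource and made-up values; the baseline and follow-up windows are assumptions to tune, not Microsoft defaults. It flags a device-code sign-in that arrives from an address or country the user’s own interactive sign-ins have not used, and then lists any non-interactive token use from that same address shortly afterwards, which is the pattern of an approved session being exercised against other services.

```python
"""Added example (not EON's tooling): detection over Entra-shaped sign-in
records for device-code sign-ins from a new location, plus follow-on token
use from the same address.  All records below are constructed."""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

SAMPLE_SIGNINS = """
{"createdDateTime":"2026-05-12T07:30:00Z","userPrincipalName":"bob@example.com","appDisplayName":"Microsoft Teams","authenticationProtocol":"oAuth2","ipAddress":"198.51.100.44","location":{"countryOrRegion":"US"},"isInteractive":true}
{"createdDateTime":"2026-05-12T08:01:00Z","userPrincipalName":"alice@example.com","appDisplayName":"Microsoft Teams","authenticationProtocol":"oAuth2","ipAddress":"198.51.100.20","location":{"countryOrRegion":"US"},"isInteractive":true}
{"createdDateTime":"2026-05-12T08:05:00Z","userPrincipalName":"alice@example.com","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.9","location":{"countryOrRegion":"NL"},"isInteractive":false}
{"createdDateTime":"2026-05-12T08:06:00Z","userPrincipalName":"alice@example.com","appDisplayName":"Outlook Mobile","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.9","location":{"countryOrRegion":"NL"},"isInteractive":false}
{"createdDateTime":"2026-05-12T09:00:00Z","userPrincipalName":"bob@example.com","appDisplayName":"Azure CLI","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.44","location":{"countryOrRegion":"US"},"isInteractive":false}
"""


def parse_signins(text: str) -> List[dict]:
    """Parses JSON-lines sign-in records and sorts them by time."""
    rows = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for rec in rows:
        rec["ts"] = datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))
    return sorted(rows, key=lambda rec: rec["ts"])


def detect(rows: List[dict],
           baseline: timedelta = timedelta(hours=24),     # assumed tuning value
           followup: timedelta = timedelta(hours=1)) -> List[dict]:
    """Flags device-code sign-ins from an IP or country absent from the user's
    interactive sign-ins in the baseline window, and records later
    non-interactive sign-ins from the same IP within the follow-up window."""
    by_user: Dict[str, List[dict]] = defaultdict(list)
    for rec in rows:
        by_user[rec["userPrincipalName"]].append(rec)

    alerts = []
    for upn, events in by_user.items():
        for i, ev in enumerate(events):
            if ev.get("authenticationProtocol") != "deviceCode":
                continue
            prior = [e for e in events
                     if e.get("isInteractive") and ev["ts"] - baseline <= e["ts"] < ev["ts"]]
            known_ips = {e["ipAddress"] for e in prior}
            known_countries = {e["location"]["countryOrRegion"] for e in prior}
            country = ev["location"]["countryOrRegion"]
            if ev["ipAddress"] in known_ips and country in known_countries:
                continue  # device code used from where this user normally signs in
            alert = {"rule": "device_code_from_new_location", "user": upn,
                     "ip": ev["ipAddress"], "country": country,
                     "app": ev["appDisplayName"], "followup_apps": []}
            for later in events[i + 1:]:
                if later["ts"] - ev["ts"] > followup:
                    break
                if later["ipAddress"] == ev["ipAddress"] and not later.get("isInteractive"):
                    alert["followup_apps"].append(later["appDisplayName"])
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_signins(SAMPLE_SIGNINS)):
        print(alert)
```

In the constructed data, bob’s device-code sign-in to a CLI tool from his usual address is not raised, while alice’s device-code sign-in from a new country minutes after her own interactive sign-in is raised together with the Outlook token use that followed from the same address. That is the shape of the activity that is easy to miss if monitoring only watches for failed passwords or MFA prompts.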
3. Real-World Phishing Training
We train users based on what attackers are actually doing today, including:
Scenarios where users are asked to enter a code into a real Microsoft page
Cases where a user is tricked into approving access for the wrong person or app
Business email compromise patterns
This isn’t checkbox training. It’s built around stopping real attacks like this one.
Final Thought
This FBI warning is a good example of where the threat landscape is heading.
Attackers are no longer trying to break authentication systems. They’re using them exactly as designed, just with the wrong intent.
For organizations across Dallas-Fort Worth, especially financial institutions and other regulated industries, that means the standard playbook needs to evolve.
If your current strategy is built around passwords, MFA, and basic phishing awareness, there’s a gap.
And attackers are already exploiting it.
If you need help assessing your Microsoft 365 security posture, reducing phishing risk, or tightening identity protection across your environment, EON Consulting provides managed IT services, cybersecurity services, and Microsoft 365 security support for businesses in Denton, Dallas-Fort Worth, and across the DFW area.