FBI warns Kali365 can hijack Microsoft 365 logins
The FBI said attackers are using Kali365 to steal Microsoft 365 access tokens, letting them bypass passwords and some multi-factor checks.

The FBI warned Thursday that attackers are using Kali365 to hijack Microsoft 365 accounts by stealing access tokens rather than passwords. Outlook, Teams and other workplace services can remain exposed after a victim has already signed in.
In a public advisory, the bureau said Kali365 is sold as a phishing-as-a-service offering. The kit captures authentication data and reuses session tokens created during a legitimate login. At companies that route email, chat and cloud files through one Microsoft identity, one stolen token can unlock several services at once.
Rather than crack credentials, the attacker can step into a live session that the system already treats as authenticated.
That can let intruders slip past normal login checks and even multi-factor prompts, the FBI said. No password reset is required before access is taken.
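As an added illustration, not from the FBI advisory or Microsoft, here is the defender-side check implied by the pattern above: a session token that completed MFA from one device and then reappears, minutes later, from a different network or browser. The event format and the sample sign-ins are constructed for the demo and are not Microsoft's sign-in log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events for the demo (not a real log schema):
# (timestamp, user, session_id, source_ip, user_agent, mfa_completed)
EVENTS = [
    ("2024-05-02T09:00:00", "alice", "sess-1", "203.0.113.10", "Edge/Windows", True),
    ("2024-05-02T09:04:00", "alice", "sess-1", "203.0.113.10", "Edge/Windows", False),
    # same token, minutes later, from a new IP and browser: hijacked-session pattern
    ("2024-05-02T09:06:00", "alice", "sess-1", "198.51.100.7", "Firefox/Linux", False),
    ("2024-05-02T10:00:00", "bob", "sess-2", "203.0.113.44", "Chrome/macOS", True),
    ("2024-05-02T10:30:00", "bob", "sess-2", "203.0.113.44", "Chrome/macOS", False),
]


def find_hijacked_sessions(events, window=timedelta(hours=1)):
    """Return (session_id, user, ip, user_agent) for each session whose token
    completed MFA from one device context and was then reused, within
    `window`, from a different IP or user agent.

    The password and MFA checks are only applied at the origin event; every
    later request rides on the token, so a change of device context is the
    signal that separates a replayed token from the legitimate login.
    """
    by_session = defaultdict(list)
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e[0])):
        by_session[ev[2]].append(ev)

    findings = []
    for sid, evs in by_session.items():
        origin = next((e for e in evs if e[5]), None)  # MFA-completed sign-in
        if origin is None:
            continue  # no legitimate anchor to compare against
        seen = set()
        for ev in evs:
            delta = datetime.fromisoformat(ev[0]) - datetime.fromisoformat(origin[0])
            if not (timedelta(0) <= delta <= window):
                continue
            context = (ev[3], ev[4])
            if context != (origin[3], origin[4]) and context not in seen:
                seen.add(context)  # report each new device context once
                findings.append((sid, ev[1], ev[3], ev[4]))
    return findings


if __name__ == "__main__":
    for sid, user, ip, ua in find_hijacked_sessions(EVENTS):
        print(f"ALERT session {sid} for {user}: token reused from {ip} ({ua})")
```

In a real deployment the same logic would run over the tenant's sign-in records, keyed on whatever session identifier the identity provider exposes.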
“Kali365 lowers the barrier of entry,” the FBI said. The bureau said the service gives less sophisticated criminals a ready-made way to run account-takeover campaigns at scale, though it did not provide a public tally of compromised accounts.
It said the threat was serious enough for a nationwide Internet Crime Complaint Center notice.
The Hill reported that Microsoft said it was “actively working to disrupt the cybercriminal ecosystems behind phishing-as-a-service and account takeover activity to protect our customers.” Microsoft did not announce a separate product change in the statement cited by the outlet, and the FBI warning pushes security teams to watch for hijacked sessions as closely as for stolen passwords.
Kai Mendel
Technology editor covering fintech, AI and the platform economy. Reports from San Francisco.