Millions of people who rely on Microsoft 365 services are being urged to stay alert after the FBI issued a warning about a rapidly growing phishing scam capable of bypassing common security measures.
According to the FBI, cybercriminals are using a technique known as “Kali365” to gain access to Microsoft accounts without stealing passwords. The scam targets popular services including Outlook, Teams and OneDrive, putting both individuals and organizations at risk.
How the Scam Works
Attackers send emails that appear to come from legitimate cloud-based productivity or document-sharing services. The message instructs recipients to visit an authentic Microsoft verification page and enter a device code provided in the email.
Because the verification page is genuine, many users assume the request is safe. The device code in the email, however, belongs to a sign-in that the attacker has already started, so a user who enters it unknowingly completes that sign-in for the attacker's client, which then receives the account's OAuth authentication tokens.
Why Experts Are Concerned
Once access is obtained, attackers may be able to view emails, files and communications across Microsoft services without needing a password or additional multi-factor authentication checks. Security experts warn that stolen account access can be used for data theft, fraud, extortion and even ransomware attacks.
The FBI also noted that the scam lowers the technical barrier for cybercriminals by using automated phishing tools and AI-generated lures, allowing a wider range of attackers to launch convincing campaigns.
How to Protect Yourself
Users should be cautious of unsolicited emails or text messages that request account verification or login actions. Experts recommend verifying requests directly with the organization involved and avoiding links or phone numbers provided in suspicious messages.
Carefully inspect sender email addresses and website URLs, and watch for spelling errors, as scammers often rely on subtle differences to impersonate trusted companies. Attachments from unknown senders should also be treated with caution.
What to Do If You Suspect a Compromise
Anyone who believes they may have fallen victim to the scam should immediately review recent account activity, check for unfamiliar devices or login sessions and report the incident to the FBI’s Internet Crime Complaint Center (IC3).
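The FBI's advice to review recent account activity can be turned into a concrete check. The script below is an added example, not code from the article or from Microsoft: it reads sign-in records in the shape of the Microsoft Graph signIn resource (the `authenticationProtocol` field with its `deviceCode` value is a real part of that resource; the sample records and their values are constructed) and flags every successful device-code sign-in, raising the severity when the sign-in comes from a country the same user has never signed in from by any other method.

```python
import json
from collections import defaultdict

# Constructed sample of Entra ID sign-in records (a subset of the Graph
# signIn fields). Users, IPs, countries and times are made up.
SAMPLE_SIGNINS = """\
{"userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}, "createdDateTime": "2025-03-01T08:00:00Z"}
{"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 0}, "createdDateTime": "2025-03-01T09:12:00Z"}
{"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.22", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 50126}, "createdDateTime": "2025-03-01T09:30:00Z"}
{"userPrincipalName": "carol@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.40", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}, "createdDateTime": "2025-03-01T10:05:00Z"}
{"userPrincipalName": "dave@example.com", "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.51", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}, "createdDateTime": "2025-03-01T10:20:00Z"}
"""


def parse_signins(text):
    """One JSON object per line (the export format assumed for this example)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def flag_device_code_signins(records):
    """Return one alert per successful device-code sign-in.

    errorCode 0 means the sign-in completed; anything else is a failed
    attempt and is ignored here. Severity is 'high' when the user has a
    baseline of non-device-code sign-ins and none of them came from the
    country of the device-code sign-in, otherwise 'medium'.
    """
    baseline_countries = defaultdict(set)
    for r in records:
        if r["status"]["errorCode"] == 0 and r["authenticationProtocol"] != "deviceCode":
            baseline_countries[r["userPrincipalName"]].add(r["location"]["countryOrRegion"])

    alerts = []
    for r in records:
        if r["authenticationProtocol"] != "deviceCode" or r["status"]["errorCode"] != 0:
            continue
        user, country = r["userPrincipalName"], r["location"]["countryOrRegion"]
        known = baseline_countries.get(user, set())
        alerts.append({
            "user": user,
            "time": r["createdDateTime"],
            "ip": r["ipAddress"],
            "country": country,
            "severity": "high" if known and country not in known else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in flag_device_code_signins(parse_signins(SAMPLE_SIGNINS)):
        print(alert)
```

Every device-code sign-in is worth a look in an environment where the flow is not expected; the country comparison only orders the review queue.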
As phishing attacks continue to evolve, cybersecurity experts stress that awareness remains one of the most effective defenses against account takeover attempts.