Beware: A New Token‑Stealing Scam Hits Microsoft Teams, Outlook and OneDrive
USA | Sat May 30 2026
A recent warning from the FBI’s cyber‑crime division tells users of Microsoft Teams, Outlook and OneDrive that a new online service called Kali365 is stealing access tokens. These tokens let attackers use Microsoft 365 accounts without ever guessing a password or triggering multi‑factor authentication. The tool was first spotted in April 2026 and has already caused hundreds of confirmed attacks.
Kali365 tricks people by sending fake emails that look like normal file‑sharing alerts. The victim is told to go to a real Microsoft verification page and type in a code that the attacker has already generated and sent them. Because the page is legitimate, users see no warning. Instead of authorizing one of their own devices, they authorize the attacker's, handing over a token that works forever. The token is like a key that opens all doors in the account.
The service sells itself on Telegram for about $250 a month or $2,000 a year. That price is low enough that even attackers with little technical skill can buy it. Kali365 also offers AI‑generated phishing templates, automated campaign tools and dashboards that let attackers track who is using their tokens. The result is a cheap, ready‑made kit for stealing Microsoft accounts.
Small businesses are especially vulnerable. Many of them rely on a single Outlook inbox for both customer emails and internal messages, and keep contracts and financial files in OneDrive. If an attacker gets a token, they can read mail, copy documents and move around the network for weeks before anyone notices. Traditional security tools that watch for bad login attempts will not see anything wrong, because the token is a legitimate session.
The FBI advises users to report any suspicious activity through its complaint center and keep evidence such as email headers, IP addresses and login times. Companies should also check their Microsoft 365 admin center for unfamiliar OAuth app permissions and remove them immediately. Enabling sign‑in risk policies can block or flag unusual device‑code authorizations. Training staff to be skeptical of any request that asks them to visit a Microsoft verification URL is also crucial.
Even with these steps, the risk remains if an attacker already has admin credentials or if policies do not specifically watch for device‑code flows. The main lesson is that protecting passwords alone is no longer enough; businesses must also guard the tokens that give access to their cloud services.
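The two checks the article recommends, watching for device‑code authorizations that do not fit a user's normal pattern and reviewing OAuth consent grants for unfamiliar apps, can be expressed as a small detection script. The code below is an added example, not part of the FBI notice and not a Microsoft tool. Its field names follow the shape of the Microsoft Graph `signIn` and `oAuth2PermissionGrant` records (for instance `authenticationProtocol` taking the value `deviceCode`), but every record, IP address, user name, client id and allow‑list entry in it is constructed for the example.

```python
"""Flag device-code sign-ins from unfamiliar addresses and risky consent grants.

Added example; not code from the FBI notice or from Microsoft. Record shapes
mirror the Graph signIn / oAuth2PermissionGrant resources, but all values
below are constructed.
"""
from datetime import datetime

# Constructed baseline: addresses each user normally signs in from.
KNOWN_IPS = {
    "alice@example.com": {"203.0.113.10"},
    "bob@example.com": {"203.0.113.22", "198.51.100.7"},
}

# Constructed sign-in records. errorCode 0 means the sign-in succeeded.
SIGN_INS = [
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2026-05-12T09:01:00Z",
     "ipAddress": "203.0.113.10", "authenticationProtocol": "oAuth2",
     "appDisplayName": "Microsoft Teams", "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2026-05-12T09:14:30Z",
     "ipAddress": "192.0.2.44", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2026-05-12T10:02:00Z",
     "ipAddress": "198.51.100.7", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Azure CLI", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2026-05-12T10:05:00Z",
     "ipAddress": "192.0.2.44", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 50126}},
]

# Constructed consent grants; clientId values are placeholders, not real ids.
GRANTS = [
    {"clientId": "sp-teams-approved", "principalId": None,
     "consentType": "AllPrincipals", "scope": "User.Read"},
    {"clientId": "sp-unknown-1", "principalId": "alice-id",
     "consentType": "Principal", "scope": "Mail.Read Files.ReadWrite.All offline_access"},
]

# Scopes that let a token read mail or files; offline_access yields a refresh token.
SENSITIVE_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Files.Read.All",
                    "Files.ReadWrite.All", "offline_access"}
APPROVED_CLIENTS = {"sp-teams-approved"}  # constructed allow-list of reviewed apps


def flag_device_code_sign_ins(sign_ins, known_ips):
    """Return device-code sign-ins from an address the user has never used.

    A successful one is a live session an attacker may hold (high); a failed
    attempt from an unknown address is still worth a look (medium). Device-code
    use from a familiar address is treated as normal CLI/admin activity.
    """
    findings = []
    for rec in sign_ins:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        user, ip = rec["userPrincipalName"], rec["ipAddress"]
        if ip in known_ips.get(user, set()):
            continue
        succeeded = rec.get("status", {}).get("errorCode", 0) == 0
        findings.append({
            "user": user,
            "ip": ip,
            "app": rec.get("appDisplayName"),
            "time": datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00")),
            "severity": "high" if succeeded else "medium",
        })
    return findings


def flag_unfamiliar_grants(grants, approved_clients):
    """Return consent grants to unapproved apps that carry mail, file or refresh-token scopes."""
    return [
        g for g in grants
        if g["clientId"] not in approved_clients
        and SENSITIVE_SCOPES & set(g["scope"].split())
    ]


if __name__ == "__main__":
    for f in flag_device_code_sign_ins(SIGN_INS, KNOWN_IPS):
        print(f"[{f['severity']}] device-code sign-in: {f['user']} from {f['ip']} via {f['app']} at {f['time']:%Y-%m-%d %H:%M}")
    for g in flag_unfamiliar_grants(GRANTS, APPROVED_CLIENTS):
        print(f"[review] consent grant to {g['clientId']} with scopes: {g['scope']}")
```

In a real tenant the input would come from the sign‑in and consent exports rather than the inline lists, and the baseline of known addresses would be built from a few weeks of history. The design point is the one the article makes: a stolen token produces a successful sign‑in, so the signal is not a failed login but a device‑code authorization that is out of character for the user, plus any consent grant that hands an unreviewed app mail, file or refresh‑token scopes.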