
Microsoft 365 has become the center of daily business communication. Employees rely on Outlook for email, Teams for collaboration, and OneDrive for file sharing. That also makes Microsoft 365 one of the most attractive targets for cybercriminals.
The FBI recently issued a warning about a phishing-as-a-service platform known as Kali365, which targets Microsoft 365 users by capturing OAuth access tokens instead of stealing passwords. According to the FBI, attackers can use this method to bypass multi-factor authentication and gain access to services like Outlook, Teams, and OneDrive without needing the user’s password.
The Inc. article covering the warning highlights why this threat is especially concerning for business owners: the scam does not rely on a fake Microsoft login page or a misspelled domain. Instead, users are tricked into entering a code on a legitimate Microsoft verification page, which makes the attack much harder to recognize.
Traditional phishing usually tries to steal a username and password. This newer attack works differently.
A user receives what looks like a routine cloud, document-sharing, or Microsoft-related message. The message contains a short code and tells the user to visit a Microsoft verification page such as microsoft.com/devicelogin. That page belongs to Microsoft's OAuth 2.0 device code flow, a legitimate sign-in method built for devices with no keyboard or browser, so the user has every reason to feel safe entering the code.
But the code was requested by the attacker.
The attacker's client started the device code flow, received the code, and is polling Microsoft for the result. When the user signs in, completes MFA if prompted, and enters the code, they are not logging into their own device. They are authorizing the attacker's session. Microsoft issues that session an OAuth access token and a refresh token, which can grant access to Outlook, Teams, OneDrive, and related cloud data. The FBI describes this as a way for attackers to gain persistent Microsoft 365 access without needing a password or additional MFA challenges: the refresh token keeps working until it expires or an administrator revokes the user's sessions.
This attack is dangerous because many businesses assume MFA alone stops account takeover. MFA is still essential, but here the user satisfies the MFA challenge themselves, on a genuine Microsoft page, and then hands the resulting authorization to the attacker by entering the code. Nothing in the flow looks like credential theft, either to the user or to the login page.
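The sign-in side of this is visible in the Entra ID sign-in logs, which record device code flow completions separately from ordinary browser sign-ins. The following Python script is an added example, not code from the FBI advisory, the Inc. article, or Microsoft: it walks a constructed sign-in log export in the shape of the Microsoft Graph signIn resource (the authenticationProtocol, originalTransferMethod, status.errorCode and location.countryOrRegion fields) and flags successful device code flow sign-ins, rating them higher when the country differs from a hypothetical per-user baseline and lower when the app is on a hypothetical allowlist of tools that legitimately use the flow.

```python
"""Flag OAuth 2.0 device code flow sign-ins in an Entra ID sign-in log export.

Added example for this article, not code from the FBI advisory, Microsoft or
the Inc. piece. Record fields follow the Microsoft Graph `signIn` resource.
The log records, the per-user home-country baseline and the app allowlist
below are constructed; derive your own from sign-in history.
"""
import json

# Constructed export: a normal browser sign-in, a device code sign-in from an
# unexpected country (the pattern the article describes), a failed attempt,
# and a device code sign-in by an admin tool from the usual country.
SAMPLE_SIGNINS = json.dumps([
    {"createdDateTime": "2025-06-03T08:12:44Z", "userPrincipalName": "j.doe@example.com",
     "appDisplayName": "Microsoft Office", "ipAddress": "198.51.100.23",
     "location": {"countryOrRegion": "US"}, "authenticationProtocol": "oAuth2",
     "originalTransferMethod": "none", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-06-03T09:01:10Z", "userPrincipalName": "j.doe@example.com",
     "appDisplayName": "Microsoft Authentication Broker", "ipAddress": "203.0.113.77",
     "location": {"countryOrRegion": "NL"}, "authenticationProtocol": "deviceCode",
     "originalTransferMethod": "deviceCodeFlow", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-06-03T09:05:51Z", "userPrincipalName": "a.lee@example.com",
     "appDisplayName": "Azure CLI", "ipAddress": "198.51.100.40",
     "location": {"countryOrRegion": "US"}, "authenticationProtocol": "deviceCode",
     "originalTransferMethod": "deviceCodeFlow",
     "status": {"errorCode": 50074}},  # non-zero errorCode = failed attempt (constructed)
    {"createdDateTime": "2025-06-03T09:07:02Z", "userPrincipalName": "a.lee@example.com",
     "appDisplayName": "Azure CLI", "ipAddress": "198.51.100.40",
     "location": {"countryOrRegion": "US"}, "authenticationProtocol": "deviceCode",
     "originalTransferMethod": "deviceCodeFlow", "status": {"errorCode": 0}},
])

# Hypothetical baselines: where each user normally signs in from, and which
# apps are expected to use the device code flow at all (CLI tools, mostly).
HOME_COUNTRY = {"j.doe@example.com": "US", "a.lee@example.com": "US"}
DEVICE_CODE_APPS_ALLOWED = {"Azure CLI", "Microsoft Azure PowerShell"}


def is_device_code_flow(rec):
    """Either field marks a sign-in completed through the device code flow."""
    return (rec.get("authenticationProtocol") == "deviceCode"
            or rec.get("originalTransferMethod") == "deviceCodeFlow")


def find_device_code_signins(raw_json, home_country, allowed_apps=DEVICE_CODE_APPS_ALLOWED):
    """Return one finding per successful device code sign-in.

    severity: high  = country differs from the user's baseline
              medium = expected country, but an app not on the allowlist
              low   = expected country and an allowlisted app (review, don't page)
    """
    findings = []
    for rec in json.loads(raw_json):
        if not is_device_code_flow(rec):
            continue
        if rec.get("status", {}).get("errorCode", 0) != 0:
            continue  # failed attempts are hunting material, not an alert here
        upn = rec["userPrincipalName"]
        app = rec.get("appDisplayName", "")
        country = rec.get("location", {}).get("countryOrRegion")
        baseline = home_country.get(upn)
        reasons = ["successful device code flow sign-in"]
        if baseline and country != baseline:
            reasons.append(f"country {country} differs from baseline {baseline}")
            severity = "high"
        elif app not in allowed_apps:
            reasons.append(f"app {app!r} is not expected to use the device code flow")
            severity = "medium"
        else:
            severity = "low"
        findings.append({"time": rec["createdDateTime"], "user": upn, "app": app,
                         "ip": rec.get("ipAddress"), "severity": severity,
                         "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_device_code_signins(SAMPLE_SIGNINS, HOME_COUNTRY):
        print(f["severity"].upper(), f["time"], f["user"], f["ip"], "; ".join(f["reasons"]))
```

A high finding here is the cue to revoke the user's sessions rather than only reset the password, since the tokens issued to the attacker's client are what carry the access.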
Once attackers gain access, they may be able to read email, monitor conversations, search OneDrive files, impersonate employees, send internal phishing messages, or use Teams to make the scam look more believable.
Security researchers have also observed attackers creating malicious inbox rules after compromise. These rules automatically delete, mark as read, or move to an obscure folder any message whose subject or body mentions security alerts, phishing warnings, or suspicious sign-ins, so the victim does not realize the account has been taken over. Because the rules live in the mailbox rather than in the session, they survive a password reset unless someone finds and removes them.
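Those rules leave a trail in the Exchange Online unified audit log as New-InboxRule and Set-InboxRule operations, each carrying the rule's parameters as Name/Value pairs. The following Python triage script is an added example, not code from the article or from Microsoft: it scores constructed audit records for the combinations described above (conditions keyed on alert-like words, delete or move-to-obscure-folder actions, forwarding to addresses outside example.com, which stands in for the organization's own domain, and throwaway rule names) and reports those that score two or more.

```python
"""Triage New-InboxRule / Set-InboxRule audit events for post-compromise rules
that hide alerts or forward mail externally.

Added example for this article, not code from the article or Microsoft.
Record shape follows the Exchange Online unified audit log (Operation,
UserId, ClientIP, Parameters as Name/Value pairs). The records are
constructed, and example.com stands in for the organization's domains.
"""
import re

ORG_DOMAINS = {"example.com"}  # hypothetical: your accepted domains
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "archive", "junk email", "deleted items", "notes"}
ALERT_WORDS = {"security", "phish", "suspicious", "hacked", "password", "mfa",
               "unusual", "sign-in", "alert", "wire", "invoice", "payment"}
CONDITION_PARAMS = {"SubjectContainsWords", "SubjectOrBodyContainsWords",
                    "BodyContainsWords", "FromAddressContainsWords"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed audit records: a rule hiding security mail, a rule exfiltrating
# vendor mail while deleting the originals, and a benign newsletter rule.
SAMPLE_AUDIT = [
    {"Operation": "New-InboxRule", "UserId": "j.doe@example.com", "ClientIP": "203.0.113.77",
     "Parameters": [{"Name": "Name", "Value": ".."},
                    {"Name": "SubjectOrBodyContainsWords",
                     "Value": "security alert;phishing;unusual sign-in;password"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                    {"Name": "MarkAsRead", "Value": "True"},
                    {"Name": "StopProcessingRules", "Value": "True"}]},
    {"Operation": "Set-InboxRule", "UserId": "j.doe@example.com", "ClientIP": "203.0.113.77",
     "Parameters": [{"Name": "Name", "Value": "Invoices"},
                    {"Name": "FromAddressContainsWords", "Value": "billing@vendor-partner.example"},
                    {"Name": "ForwardTo",
                     "Value": '"finance.archive@mail-collector.example" [SMTP:finance.archive@mail-collector.example]'},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "a.lee@example.com", "ClientIP": "198.51.100.40",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "FromAddressContainsWords", "Value": "news@example.com"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
]


def rule_params(rec):
    """Flatten the audit record's Name/Value pairs into a dict of strings."""
    return {p["Name"]: str(p["Value"]) for p in rec.get("Parameters", [])}


def _is_true(value):
    return value.strip().lower() == "true"


def _external_address(value):
    """First address in a forwarding parameter whose domain is not ours, or None."""
    for addr in EMAIL_RE.findall(value):
        if addr.rsplit("@", 1)[1].lower() not in ORG_DOMAINS:
            return addr.lower()
    return None


def score_rule_event(rec):
    """Return a finding dict for a suspicious rule event, else None."""
    if rec.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return None
    p = rule_params(rec)
    reasons = []
    # 1. Conditions that single out alert-style mail (each condition is one reason).
    for name in sorted(p.keys() & CONDITION_PARAMS):
        words = {w.strip().lower() for w in p[name].split(";")}
        hits = sorted(w for w in words if any(a in w for a in ALERT_WORDS))
        if hits:
            reasons.append(f"{name} targets alert words {hits}")
    # 2. Actions that keep the victim from seeing the mail.
    if _is_true(p.get("DeleteMessage", "")):
        reasons.append("DeleteMessage")
    folder = p.get("MoveToFolder", "")
    if folder and folder.split("\\")[-1].strip().lower() in HIDING_FOLDERS:
        reasons.append(f"MoveToFolder {folder!r}")
    if _is_true(p.get("MarkAsRead", "")):
        reasons.append("MarkAsRead")
    # 3. Forwarding or redirecting outside the organization.
    for name in sorted(p.keys() & FORWARD_PARAMS):
        ext = _external_address(p[name])
        if ext:
            reasons.append(f"{name} to external {ext}")
    # 4. Rule names attackers do not bother to make plausible ("." or "..").
    name = p.get("Name", "")
    if len(name.strip(". ")) <= 1:
        reasons.append(f"throwaway rule name {name!r}")
    if not reasons:
        return None
    return {"user": rec.get("UserId"), "ip": rec.get("ClientIP"), "rule": name,
            "score": len(reasons), "reasons": reasons}


def triage(records, threshold=2):
    """Findings scoring at or above the threshold, worst first."""
    found = (f for f in map(score_rule_event, records) if f)
    return sorted((f for f in found if f["score"] >= threshold), key=lambda f: -f["score"])


if __name__ == "__main__":
    for f in triage(SAMPLE_AUDIT):
        print(f["score"], f["user"], f["ip"], repr(f["rule"]), "; ".join(f["reasons"]))
```

Pairing the ClientIP of a suspicious rule with the IP of a recent device code sign-in for the same user is the quickest way to tie the two halves of this attack together during an investigation.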
For a business, that can quickly lead to wire fraud, data exposure, vendor impersonation, payroll scams, customer data loss, and regulatory exposure.
Outlook and Teams are valuable to an attacker because they carry both communication and trust.
If an attacker controls a mailbox, they can read active conversations, study vendor relationships, reset passwords for other services, and send convincing emails from a real employee account.
If an attacker abuses Teams, they can make malicious links or files appear to come from a trusted coworker, vendor, or business partner. Teams-based phishing is especially dangerous because employees may treat chat messages as more immediate and more trustworthy than email.
This is why Microsoft 365 security needs to go beyond basic email filtering. Identity controls, conditional access, session monitoring, and user training all need to work together: Conditional Access can block the device code flow for the users and devices that never need it, sign-in monitoring can flag the device code sign-ins that remain, and the response plan for a compromised account should include revoking the user's sessions so that stolen tokens stop working, not just resetting the password.