
Tech Daily Thursday, May 28, 2026

This one is a public service announcement more than a tech story, and it is worth two minutes of your time. The FBI just issued a formal warning about a new scam tool that can break into your Microsoft account, your Outlook email, your Teams messages, and your OneDrive files, without ever stealing your password and without being stopped by two-factor authentication. It is spreading fast, it is cheap for criminals to use, and it works on regular people, not just big companies. Here is exactly how it works and exactly how to protect yourself.

What the FBI Actually Warned About

On May 21, the FBI issued a Public Safety Announcement about a new phishing tool. The announcement warned that cyberattackers could bypass multi-factor authentication and get a user's credentials, accessing their Outlook, Teams, and OneDrive through a phishing message. The phishing platform, called Kali365, was first spotted in April and was primarily distributed on Telegram. The program is a "subscription service for scammers," according to cybersecurity software company Bitdefender. (CBS News)

The phrase "subscription service for scammers" is the genuinely alarming part. The attacks require far less skill than before: the platform gives less-technical attackers access to AI-generated phishing lures, automated campaign templates, real-time dashboards that track targeted individuals, and OAuth token capture. In plain English, criminals no longer need to be skilled hackers to pull this off. They pay a subscription fee, the tool generates convincing fake emails using AI, and it handles the technical work of stealing access automatically. That dramatically increases the number of people who can run these attacks and the number of victims who will get hit.

Kali365 can hijack Microsoft 365 accounts without ever stealing a password, and it has no difficulty waltzing past multi-factor authentication while it is at it. That is the detail that makes this different from ordinary phishing. The protections most people rely on, a strong password and a two-factor code, do not stop this attack.

How the Scam Actually Works

This is the part everyone should understand, because the trick is clever and it does not look like a typical scam. The scam starts with a lure, typically a phishing email impersonating a trusted source like a document sharing service. This phishing email contains a device code with instructions to visit a legitimate Microsoft verification page and enter the code. Once you navigate to the real Microsoft page and paste in the code, you are unwittingly authorizing the attacker to access your account.

Read that again, because it is the heart of why this works. The email does not send you to a fake website. It sends you to the real Microsoft login page. That is what makes it so convincing. You check the URL, you see it is genuinely microsoft.com, and you let your guard down. But the device code you were told to enter is the trap. From there, attackers can capture authorization tokens that grant them access to your Microsoft 365 software, including Outlook email, Teams messages, and OneDrive files. They do not need to know your password or pass multi-factor authentication to get into your account.

The reason this defeats two-factor authentication is subtle but important. The device code the user enters, without realizing what it does, hands the attacker the access and refresh tokens needed to get into the account. Once the attacker has those tokens, they have ongoing access. The tokens act like a permanent backstage pass. Changing your password later does not necessarily kick them out, because the tokens stay valid until they are revoked. That is why this attack is so dangerous and so hard to recover from. (CBS News)

The short version: the scam tricks you into voluntarily handing over a code on a real Microsoft page, and that code gives the attacker a key to your account that bypasses your password and your two-factor protection entirely.
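For readers who run a Microsoft 365 tenant, here is one defensive check that follows from the mechanics above: a device code redeemed by the attacker's tooling produces a device-code sign-in from a location the victim has never used for an ordinary login. The script below is an added example, not code from the article, the FBI, or Microsoft; the log field names (`protocol`, `ip`, `status`) and the sample records are constructed for the demo and will need mapping onto your tenant's real sign-in log schema.

```python
# Added example (not from the article or the FBI/Microsoft guidance): flag
# device-code sign-ins that come from a network location the user has never
# used for a normal interactive login. Field names imitate Entra ID sign-in
# logs but are assumptions; the records below are constructed for the demo.
import json

SAMPLE_SIGNIN_LOGS = """\
{"time":"2026-05-20T09:01:00Z","user":"alice@example.com","ip":"198.51.100.7","protocol":"none","status":"success"}
{"time":"2026-05-21T08:30:00Z","user":"alice@example.com","ip":"198.51.100.7","protocol":"none","status":"success"}
{"time":"2026-05-22T14:12:00Z","user":"alice@example.com","ip":"203.0.113.45","protocol":"deviceCode","status":"success"}
{"time":"2026-05-22T14:20:00Z","user":"bob@example.com","ip":"198.51.100.9","protocol":"deviceCode","status":"success"}
{"time":"2026-05-19T11:00:00Z","user":"bob@example.com","ip":"198.51.100.9","protocol":"none","status":"success"}
{"time":"2026-05-22T15:00:00Z","user":"carol@example.com","ip":"192.0.2.66","protocol":"deviceCode","status":"failure"}
"""

def parse_events(text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def baseline_ips(events):
    """IPs each user has used for successful sign-ins that were NOT device-code."""
    seen = {}
    for e in events:
        if e["status"] == "success" and e["protocol"] != "deviceCode":
            seen.setdefault(e["user"], set()).add(e["ip"])
    return seen

def flag_device_code_signins(events):
    """Return (user, ip, severity) for every successful device-code sign-in.
    Severity is 'high' when the IP never appears in that user's interactive
    sign-in baseline, which is the pattern when a victim approves a code that
    an attacker's tool requested from elsewhere; otherwise 'review'."""
    baseline = baseline_ips(events)
    flagged = []
    for e in sorted(events, key=lambda e: e["time"]):
        if e["protocol"] != "deviceCode" or e["status"] != "success":
            continue
        known = e["ip"] in baseline.get(e["user"], set())
        flagged.append((e["user"], e["ip"], "review" if known else "high"))
    return flagged

if __name__ == "__main__":
    for user, ip, severity in flag_device_code_signins(parse_events(SAMPLE_SIGNIN_LOGS)):
        print(f"{severity:6} device-code sign-in for {user} from {ip}")
```

Every successful device-code sign-in is reported, because in most tenants that flow is rare enough to review by hand; the "high" severity simply puts the never-seen-before locations at the top of the list.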

The Red Flags to Watch For

The FBI and Microsoft put out a specific list of warning signs. If you see any of these in an email or message, slow down and treat it as suspicious. Red flags include but are not limited to getting: unexpected invoices, urgency in the message, talk of large sums of money, fake security alerts, fake messages from IT, and "You've won a prize!" (CBS News)

The single most important behavioral red flag is any message that asks you to enter a code somewhere. A legitimate service will never send you an email instructing you to enter a device code that they provide. If a message gives you a code and tells you to type it into a Microsoft page, that is the attack. Stop immediately.

The other classic sign is urgency. Scammers create pressure because pressure makes people skip the careful checks they would normally do. An email that says your account will be locked in one hour, or that an invoice is overdue and must be paid now, or that suspicious activity requires immediate verification, is using urgency to push you into acting without thinking. Real companies rarely demand instant action through email.

How to Protect Yourself

Here are the concrete steps the FBI and Microsoft recommend, plus a few practical additions.

First, never enter a device code that arrived in an email or message. This is the single most important rule for this specific scam. If you did not personally start a login that is asking for a device code, do not enter one. Codes you generate yourself when logging in are fine. Codes someone sends you are a trap.

Second, verify the sender carefully. Make sure there are no typos in the email address sending messages. Scammers use slight differences to trick your eye and gain your trust. Carefully examine the email address, URL, and spelling used in any correspondence. An email from "micros0ft.com" or "microsoft-security.net" is not Microsoft. (CBS News)

Third, do not click links in unsolicited messages. Don't click on anything in an unsolicited email or text message. Look up the company's phone number on your own and call the company to ask if the request is legitimate. Never open an email attachment from someone you don't know. If you get a message about your account, do not use the link in the message. Go directly to the official website by typing the address yourself.

Fourth, if you manage accounts for an organization, use stricter controls. The FBI recommends that organizations use Conditional Access policies to deter these criminals, and that they restrict the use of device code authentication. If you run IT for a business, school, or nonprofit, these settings can block the device code flow that this attack depends on. (CNN)

Fifth, if you think you have been hit, report it. The FBI recommends reporting suspicious activity to IC3.gov. If you think you've been a victim of a Kali365 phishing attack, file a complaint with IC3 and be sure to include any unauthorized devices or active sessions added to the account. You should also immediately sign out of all sessions in your Microsoft account security settings, which revokes the stolen tokens, and then change your password. (CNN)

Why This Matters For Everyone

This is not just a corporate IT problem. Microsoft 365 is used by hundreds of millions of regular people for personal email, family photos in OneDrive, and everyday communication. The Kali365 tool lowers the skill required to attack those accounts, which means the volume of these attacks is about to increase significantly. The people most at risk are not necessarily the most careless. They are the busy, distracted, and trusting, who see a real Microsoft page and assume they are safe.

The broader lesson is one worth internalizing for the entire AI era of scams. Attackers are increasingly using AI to make their lures more convincing, more personalized, and more numerous. The old advice to "watch for bad spelling and obvious fakes" is becoming outdated, because AI-generated phishing emails are well-written and professional. The new defense is behavioral, not visual. Do not judge whether a message looks legitimate. Judge whether the action it is asking you to take makes sense. A message asking you to enter a code, click an urgent link, or verify your account out of the blue is suspicious no matter how polished it looks.

Take two minutes today to be a little more careful with your email, and share this with the people in your life who are most likely to fall for a convincing message. The simplest protection against this entire category of attack is knowing it exists. Now you do.

Stay safe out there. We will keep bringing you the security alerts that actually matter.
