
FBI warns of phishing scam targeting Outlook, OneDrive, Teams users - The Asheville Citizen Times

The Asheville Citizen Times Archived May 29, 2026 ✓ Full text saved



Iris Seaton, Asheville Citizen Times
May 28, 2026, 11:35 a.m. ET

A new cyber scam is targeting Microsoft 365, one of the most used productivity platforms, according to a report from the U.S. Federal Bureau of Investigation.

Microsoft 365, which is used by many for both personal home office needs and, in many cases, as a required platform for communication and productivity while at work, includes popular applications like Microsoft Word, Outlook, OneDrive and more. In fact, Microsoft 365 powers work and email for hundreds of millions of people and millions of businesses worldwide, including more than a million companies in the U.S. alone.

According to the May 21 FBI alert, hackers are taking advantage of MS 365's popularity and have recently unleashed a phishing attack platform known as "Kali365," used to gain illicit access to MS 365 accounts.

Here's what to know about who's being targeted, what the scams look like and more.

FBI alert issued for Outlook OneDrive scam

The FBI alert, issued May 21, 2026, warned of a scam in which grifters use the following steps:

Lure: An attacker sends a phishing email impersonating trusted cloud productivity and document-sharing services. This phishing email contains a device code with instructions to visit a legitimate Microsoft verification page and enter the code.

Authorization: The targeted individuals/entities navigate to the real Microsoft page and paste in the device code, unknowingly authorizing the attacker's device to access their account.

Token theft: The attacker captures OAuth access and refresh tokens, granting them access to the targeted individuals/entities' Microsoft 365 accounts.

Persistence: The attacker can now access Microsoft 365 services such as Outlook, Teams, and OneDrive without needing a password or completing any additional MFA challenges.
To protect yourself, the FBI suggests the following measures:

Restricting device code flow to limit or block device authentication codes can help prevent or limit this style of attack.

Create a conditional access policy to block device code flow for all users, with limited exceptions for required business processes.

Audit existing device code flow usage to identify legitimate dependencies before creating a conditional access policy.

Block authentication transfer policies to prevent users from transferring authentication from computers to mobile devices.

If you cannot completely restrict device code flow usage, exclude emergency access accounts to prevent lockouts.

What is Kali365?

Kali365 is the emerging Phishing-as-a-Service or "PhaaS" platform warned of in the FBI notice. Kali365, first seen in April 2026 according to FBI information, has primarily been distributed through secure messaging platform Telegram and allows scammers to obtain Microsoft 365 access tokens and bypass multi-factor authentication protocols without intercepting the user's credentials.

With a Kali365 platform subscription, cyber threat actors can scam individuals, capturing "OAuth" tokens and gaining access to their targets' Microsoft 365 environments. The FBI notes that Kali365 "lowers the barrier of entry" for scammers, providing "less-technical attackers" with AI-generated phishing lures, automated campaign templates and more.

Who is being targeted by Kali365?

According to CyberScoop, the Kali365 phishing kit can be used against any Microsoft 365 user, whether you’re logging in from a personal account or at work. So far, security researchers have mostly seen attackers go after organizations, but the same trick works just as easily on home users who get fooled by a convincing email.
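The FBI's audit-then-block measures above can be sketched as follows. This is an added example, not code from the article or the FBI alert: it tallies device code sign-ins to find dependencies, lists users with no approved need, and builds a conditional access policy body with exceptions. The sign-in records are constructed, and the field names and values (authenticationProtocol, transferMethods, the state strings) are assumed to follow the Microsoft Graph sign-in log and conditional access schemas; the user IDs are hypothetical.

```python
import json
from collections import Counter

# Constructed sign-in records, not real data. Field names are assumed to follow
# the Microsoft Graph sign-in log schema; check them against your own export.
SAMPLE_SIGNINS = [
    {"userId": "id-kiosk", "userPrincipalName": "roomdisplay@example.com",
     "appDisplayName": "Meeting Room Display", "authenticationProtocol": "deviceCode"},
    {"userId": "id-kiosk", "userPrincipalName": "roomdisplay@example.com",
     "appDisplayName": "Meeting Room Display", "authenticationProtocol": "deviceCode"},
    {"userId": "id-alice", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode"},
    {"userId": "id-bob", "userPrincipalName": "bob@example.com",
     "appDisplayName": "Outlook", "authenticationProtocol": "none"},
]

def audit_device_code(signins):
    """Count device code sign-ins per (userId, UPN, app) to expose dependencies."""
    usage = Counter()
    for s in signins:
        if s.get("authenticationProtocol") == "deviceCode":
            usage[(s["userId"], s["userPrincipalName"], s["appDisplayName"])] += 1
    return usage

def needs_review(usage, approved_ids):
    """Device code users with no approved business need: candidates for review."""
    return sorted({upn for (uid, upn, _app) in usage if uid not in approved_ids})

def build_block_policy(approved_ids, emergency_ids, report_only=True):
    """Policy body blocking device code flow and authentication transfer
    for all users except approved dependencies and emergency access accounts."""
    return {
        "displayName": "Block device code flow (added example)",
        # Report-only first, so the audit can continue before enforcement.
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeUsers": sorted(set(approved_ids) | set(emergency_ids))},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {
                "transferMethods": "deviceCodeFlow,authenticationTransfer"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }

if __name__ == "__main__":
    usage = audit_device_code(SAMPLE_SIGNINS)
    print(needs_review(usage, approved_ids={"id-kiosk"}))
    print(json.dumps(build_block_policy({"id-kiosk"}, {"id-breakglass"}), indent=2))
```
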
What to do if you're hit by the Kali365 scam

If you think you’ve been hit by the Kali365 phishing attack, you don’t need to wipe your whole computer, but you should move fast to secure your account, warned the FBI in its alert.

Change your Microsoft 365 password from a trusted device and sign out of all active sessions in your account settings to kick out anyone using stolen access. Then check for trouble: review recent sign‑ins for strange locations or times, remove unfamiliar devices or sessions, and in Outlook, delete any inbox rules you don’t recognize.

You should also make sure multi‑factor authentication is turned on, and if it’s a work account, let workplace IT or the company's security team know.

If you opened attachments or ran a file from the phishing email, you should run a full antivirus scan, then report what happened - including the phishing email and any suspicious logins or devices - to the Internet Crime Complaint Center and keep an eye on your other accounts if you reused that password.

Additionally, the FBI requests that anyone affected by the Kali365 phishing kit file a complaint with the IC3 at ic3.gov, including any available information such as copies of any phishing emails, suspicious logins (including time, IP address and location), and any unauthorized devices or active sessions added to the affected account.

Damon C. Williams, USA TODAY NETWORK, contributed to this report.

Iris Seaton is the trending news reporter for the Asheville Citizen Times, part of the USA TODAY Network. Reach her at iseaton@citizentimes.com.