
FBI Warns Microsoft 365 Users of Highly Sophisticated ‘Kali365’ Phishing Scam: What It Is and How It Works

FBI Warns Microsoft 365 users of the Kali365 phishing scam through an official alert.

By the JobVisitors News Desk

As the FBI warns Microsoft 365 users of a highly sophisticated threat, a critical security advisory has been issued regarding a new, evasive phishing campaign. Dubbed the “Kali365” scam, this attack is designed to bypass standard security protocols…

Here is a complete breakdown of what the Kali365 threat is, how the cybercriminals are executing it, and the immediate steps you must take to protect your professional data.

Why the FBI Warns Microsoft 365 Users About Kali365

Kali365 is a targeted cyberattack that utilizes an Adversary-in-the-Middle (AiTM) phishing framework. Unlike traditional phishing, which relies on poorly spelled emails and clunky fake websites, Kali365 places an invisible reverse proxy between the user and the legitimate Microsoft 365 login server, relaying every request and response in both directions.

When a user attempts to log into what they believe is their corporate or personal M365 account, the Kali365 infrastructure intercepts the connection. The primary goal of this scam is not just to steal passwords, but to harvest the session cookies generated after a user successfully completes their Multi-Factor Authentication (MFA) prompt.

By stealing these authentication tokens, hackers can clone the user’s active session, gaining full, unrestricted access to Outlook, Teams, SharePoint, and OneDrive without ever needing to trigger another MFA request.

How the Kali365 Attack Works

The FBI report outlines a highly orchestrated, multi-step process used by the threat actors behind Kali365:

  • The Initial Hook: The attack typically begins with a highly convincing, spoofed email. For professionals, this often takes the form of an urgent HR document, a fake invoice, or a “secure message” from a trusted vendor. For job seekers, it may masquerade as an urgent interview schedule or offer letter requiring immediate review via Microsoft SharePoint.
  • The Proxy Redirection: Clicking the link does not download malware directly. Instead, it redirects the victim to a flawless replica of the Microsoft 365 login page. This page is actively relaying data to the real Microsoft server in real-time.
  • The MFA Bypass: The user enters their credentials and receives their standard MFA prompt (such as a text code or an authenticator app notification). The user approves it, believing it is a standard login.
  • Session Hijacking: The real Microsoft server grants access and sends back a session cookie to keep the user logged in. The Kali365 proxy intercepts this cookie, saves a copy for the hacker, and then forwards the user to a generic document or error page.
  • The Compromise: Armed with the stolen session cookie, the attacker imports it into their own browser. Microsoft’s servers recognize the valid cookie and grant the hacker full access to the victim’s account, completely bypassing the need for a password or MFA.
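The session-hijacking step above leaves a trace a defender can look for: the sign-in that satisfied MFA and the later use of the same session come from different networks. The following is an added illustration, not code from the FBI alert or from Microsoft; the event records are constructed samples with only the fields the check needs, and the one-hour window is an assumed tuning value.

```python
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real log data). Each record carries the
# subset of fields a tenant's sign-in log would provide for this check.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "user": "alice@example.com", "session": "S1",
     "ip": "203.0.113.10", "asn": 64500, "mfa": True},
    {"ts": "2024-05-01T09:04:00", "user": "alice@example.com", "session": "S1",
     "ip": "198.51.100.7", "asn": 64501, "mfa": False},   # same session, new network
    {"ts": "2024-05-01T10:00:00", "user": "bob@example.com", "session": "S2",
     "ip": "203.0.113.22", "asn": 64500, "mfa": True},
    {"ts": "2024-05-01T10:30:00", "user": "bob@example.com", "session": "S2",
     "ip": "203.0.113.22", "asn": 64500, "mfa": False},  # same network, no alert
]

def parse_ts(ts):
    return datetime.fromisoformat(ts)

def find_session_replay(events, window=timedelta(hours=1)):
    """Flag a session whose MFA-satisfied sign-in is followed, within `window`,
    by activity on the same session ID from a different IP and ASN.

    In an AiTM compromise the sign-in that passed MFA was relayed through the
    proxy; the stolen cookie is then replayed from the attacker's own browser,
    so the same session shows up from a second network shortly afterwards."""
    alerts = []
    mfa_event = {}  # (user, session) -> the event that satisfied MFA
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["session"])
        if ev["mfa"]:
            mfa_event[key] = ev
            continue
        origin = mfa_event.get(key)
        if origin is None:
            continue  # no MFA event seen for this session yet
        if parse_ts(ev["ts"]) - parse_ts(origin["ts"]) > window:
            continue  # outside the replay window
        if ev["ip"] != origin["ip"] and ev["asn"] != origin["asn"]:
            alerts.append({"user": ev["user"], "session": ev["session"],
                           "mfa_ip": origin["ip"], "reuse_ip": ev["ip"],
                           "minutes_after_mfa": (parse_ts(ev["ts"])
                                                 - parse_ts(origin["ts"])).seconds // 60})
    return alerts

if __name__ == "__main__":
    for alert in find_session_replay(SAMPLE_EVENTS):
        print("possible session replay:", alert)
```

Requiring both IP and ASN to differ keeps ordinary mobile-network address churn from firing the rule; a tenant with known egress ranges can tighten it to "any IP outside the allow list".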

What Hackers Do Once Inside

Once a Microsoft 365 account is compromised via the Kali365 method, attackers move quickly to exploit the access:

  • Business Email Compromise (BEC): Hackers intercept ongoing email threads regarding wire transfers, payroll, or vendor payments, quietly altering banking details to siphon funds.
  • Data Exfiltration: Threat actors download sensitive corporate data, client lists, or personal resumes from OneDrive and SharePoint.
  • Internal Phishing: Using the compromised, legitimate email address, attackers send internal phishing links to colleagues or external clients, bypassing standard spam filters because the email comes from a trusted, authenticated source.

How to Protect Your Microsoft 365 Account

The FBI urges all individuals and IT administrators to implement stringent countermeasures immediately, as traditional SMS-based MFA is no longer sufficient to stop AiTM attacks like Kali365: a proxy that relays the login in real time relays the one-time code or push approval along with it.

1. Upgrade to FIDO2 Security Keys

The most effective defense against AiTM phishing is migrating away from SMS codes or push notifications. FIDO2-compliant hardware security keys (like YubiKeys) bind each credential to the website's origin: the browser records the actual domain it is on inside the signed login data, so a login attempted through a Kali365 proxy site produces a response the real Microsoft server rejects, and the account stays protected.
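To show why the origin binding described above defeats a relaying proxy, here is an added example of the relying-party checks from a WebAuthn authentication ceremony; it is illustrative code, not Microsoft's implementation or any library's. The rpId/origin values, the challenge string and the proxy domain are assumed for the example, and the public-key signature check is left out because the rejection happens before it.

```python
import hashlib
import json

# Assumed relying-party configuration for the legitimate login origin.
RP_ID = "login.microsoftonline.com"
EXPECTED_ORIGIN = "https://login.microsoftonline.com"
CHALLENGE = "c29tZS1yYW5kb20tY2hhbGxlbmdl"  # constructed sample challenge

def browser_client_data(origin, challenge):
    """What the browser assembles for the ceremony. The origin field comes
    from the page's real URL; page JavaScript cannot override it, and the
    authenticator signs authData || sha256(clientDataJSON), so a proxy
    cannot edit the origin afterwards without breaking the signature."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin}).encode()

def authenticator_data(rp_id, user_present=True):
    """rpIdHash (32 bytes) || flags (1 byte) || signCount (4 bytes)."""
    flags = 0x01 if user_present else 0x00
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags]) + (0).to_bytes(4, "big"))

def verify_assertion(client_data, auth_data, expected_origin=EXPECTED_ORIGIN,
                     rp_id=RP_ID, expected_challenge=CHALLENGE):
    """Relying-party checks that need no public key: type, challenge,
    origin, rpIdHash and user presence. Signature verification would follow."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "type mismatch"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch"
    if cd.get("origin") != expected_origin:
        return False, "origin mismatch"
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user not present"
    return True, "ok"

def legitimate_login():
    return verify_assertion(browser_client_data(EXPECTED_ORIGIN, CHALLENGE),
                            authenticator_data(RP_ID))

def proxied_login(proxy_origin="https://login.micro-soft-secure.net"):
    # The AiTM proxy relays the genuine challenge, but the victim's browser
    # records the proxy's origin, so the real server refuses the assertion.
    # (In practice the browser refuses even earlier: a page on the proxy
    # domain may not request an rpId that is not a suffix of its own host.)
    return verify_assertion(browser_client_data(proxy_origin, CHALLENGE),
                            authenticator_data(RP_ID))
```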

2. Implement Conditional Access Policies

For corporate networks, IT administrators should configure Microsoft Entra ID (formerly Azure AD) to enforce “Conditional Access.” This ensures that logins are only accepted from known, compliant devices or specific, trusted IP ranges, so a session established from an attacker's unmanaged browser or unfamiliar network does not meet the policy even when the password and MFA prompt were relayed successfully.

3. Verify the URL String

Never trust the display name of a website. Before entering Microsoft credentials, manually verify that the URL in your browser is exactly login.microsoftonline.com. Kali365 domains often utilize slight typos or unrelated domain extensions (e.g., login.micro-soft-secure.net).

4. Beware of “Urgent” Prompts

Cybercriminals rely on manufactured urgency to force mistakes. If an email demands you log in immediately to view a document, keep your account active, or secure a job offer, independently verify the request by contacting the sender through a separate, trusted channel.
