Microsoft 365 phishing 2026 has reached a new level of sophistication, and the FBI is formally warning the public. Two distinct but complementary attack methods are now actively targeting Microsoft 365 users at scale. The first is Kali365, a phishing-as-a-service kit that captures OAuth authentication tokens and bypasses multifactor authentication without ever needing a user’s password, available to any cybercriminal for as little as $250 per month. The second is a newly documented Browser-in-the-Browser campaign, identified by Palo Alto Networks Unit 42, that uses fake browser windows to mimic legitimate Microsoft login popups so convincingly that the popup can be dragged around the screen. Together, they represent the most significant combined threat to Microsoft 365 accounts in recent years.
What Is the FBI Warning About Microsoft 365?
The Federal Bureau of Investigation issued a Public Service Announcement through its Internet Crime Complaint Center warning the public about Kali365, a fast-spreading cyberattack kit targeting users of Microsoft 365 products including Outlook, Teams, and OneDrive. The scheme allows cybercriminals to capture Microsoft authentication tokens, bypassing multifactor authentication without needing a user’s password.
The FBI warning was originally issued in May 2026 and has been renewed and amplified in June as the scale of Kali365 deployments has increased. Security researchers reported hundreds of Kali365 attacks in April alone, the month in which the platform was first identified.
The threat is therefore already materializing at scale. The FBI’s warning covers not just individuals but businesses and enterprise users of Microsoft 365, which is one of the world’s most widely deployed business software platforms with hundreds of millions of active users.
What Is Kali365 and How Does It Work?
Kali365 is a subscription-based cyberattack platform, first spotted in April 2026, that has been promoted largely through Telegram. The service is available to scammers for as little as $250 per month or $2,000 per year.
Kali365 lowers the barrier to entry, giving less-technical attackers access to AI-generated phishing lures, automated campaign templates, real-time dashboards that track targeted individuals and entities, and OAuth token capture capabilities, according to the FBI.
Unlike traditional phishing attacks that rely on stealing credentials, Kali365 targets OAuth device codes, which are digital keys that allow applications to access data without requiring a password. By capturing these codes, cybercriminals gain access to Microsoft 365 accounts and a wide range of sensitive information without the victim ever entering their credentials on a fake website.
The OAuth Device Code Attack: How You Grant Access Without Knowing
The mechanics of the Kali365 attack are deceptively simple, which is precisely what makes it so dangerous.
A victim receives a phishing email designed to look like it came from a trusted cloud service. The email contains a device code and instructs the recipient to visit a legitimate Microsoft verification page to enter it.
That is the critical step. The verification page the victim visits is a real Microsoft page, not a fake one. There is no spoofed domain, no misspelled URL, no obvious warning sign. The victim enters a code that appears to come from a legitimate source, on a legitimate Microsoft page, using their real credentials. The moment the code is entered, the attacker captures the OAuth access token, granting them full entry into the victim’s Microsoft 365 account. From there, they can freely navigate Outlook, Teams, and OneDrive without ever needing a password.
What makes the scam particularly convincing is that there is no fake website to spot and no misspelled domain name, making it difficult for a user to distinguish the phishing attempt from a legitimate request.
Why MFA Does Not Protect You From Kali365
The most alarming aspect of the Kali365 attack is that it specifically defeats multifactor authentication, the security measure that millions of individuals and organizations rely on as their primary account protection.
Standard MFA works by requiring a second factor — typically a code sent to a phone, an authenticator app prompt, or a hardware key — in addition to a password. This means that even if an attacker steals a user’s password, they cannot log in without the second factor.
Kali365 bypasses this entirely. Because the attack works at the OAuth token level rather than the password level, the attacker never goes through the login process at all. Once the OAuth token is captured, they have session-level access to the account without triggering any MFA prompt. The user’s MFA setup is completely irrelevant to this attack method.
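Because the token in a device-code attack is issued by Microsoft through a sign-in the victim completed, the resulting entry in the tenant’s sign-in log looks like a success rather than a break-in; what distinguishes it is the authentication protocol recorded for the sign-in, the source address, and whether one address completed device-code sign-ins for several users. The following detection logic is an added example, not from the FBI PSA or any vendor; the field names are modelled on the Microsoft Graph sign-in log schema (authenticationProtocol, ipAddress, status.errorCode) and should be confirmed against your own export, and the sample events, users and IP addresses are constructed.

```python
"""Hunt for OAuth device-code sign-ins in an Entra ID sign-in log export.

Added example, not from the FBI PSA or any vendor. Field names are modelled
on the Microsoft Graph signIn resource (authenticationProtocol, ipAddress,
status.errorCode); confirm them against your tenant's export before use.
"""
import json
from collections import defaultdict

# Constructed sample export (JSON lines), not real tenant data. alice's and
# dave's device-code sign-ins come from one address neither user has used
# before; bob's comes from his usual address; carol's attempt failed.
SAMPLE_SIGNIN_LOG = """\
{"createdDateTime":"2026-04-13T09:00:00Z","userPrincipalName":"bob@example.com","appDisplayName":"Outlook Web","authenticationProtocol":"oAuth2","ipAddress":"192.0.2.25","status":{"errorCode":0}}
{"createdDateTime":"2026-04-14T08:02:11Z","userPrincipalName":"alice@example.com","appDisplayName":"Outlook Web","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.10","status":{"errorCode":0}}
{"createdDateTime":"2026-04-14T08:40:52Z","userPrincipalName":"alice@example.com","appDisplayName":"Microsoft Teams","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.10","status":{"errorCode":0}}
{"createdDateTime":"2026-04-14T11:17:33Z","userPrincipalName":"alice@example.com","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.77","status":{"errorCode":0}}
{"createdDateTime":"2026-04-14T12:05:00Z","userPrincipalName":"bob@example.com","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","ipAddress":"192.0.2.25","status":{"errorCode":0}}
{"createdDateTime":"2026-04-14T13:30:00Z","userPrincipalName":"carol@example.com","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.77","status":{"errorCode":50126}}
{"createdDateTime":"2026-04-14T14:12:09Z","userPrincipalName":"dave@example.com","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.77","status":{"errorCode":0}}
"""


def parse_signins(text):
    """Parse one JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def baseline_ips(events):
    """IPs each user has signed in from successfully via an ordinary (non-device-code) flow."""
    seen = defaultdict(set)
    for e in events:
        if e["status"]["errorCode"] == 0 and e["authenticationProtocol"] != "deviceCode":
            seen[e["userPrincipalName"]].add(e["ipAddress"])
    return seen


def find_device_code_signins(events):
    """Return one finding per successful device-code sign-in, with a severity.

    A device-code sign-in is legitimate on a headless box or a TV app, so a
    finding is a lead, not a verdict. Two things raise severity: the source IP
    is new for that user, or the same IP completed device-code sign-ins for
    more than one user, which is what a kit polling for tokens from one host
    looks like in the log.
    """
    known = baseline_ips(events)
    successes = [e for e in events
                 if e["authenticationProtocol"] == "deviceCode" and e["status"]["errorCode"] == 0]
    users_per_ip = defaultdict(set)
    for e in successes:
        users_per_ip[e["ipAddress"]].add(e["userPrincipalName"])

    findings = []
    for e in successes:
        user, ip = e["userPrincipalName"], e["ipAddress"]
        new_ip = ip not in known.get(user, set())
        shared_ip = len(users_per_ip[ip]) > 1
        findings.append({
            "user": user,
            "time": e["createdDateTime"],
            "app": e["appDisplayName"],
            "ip": ip,
            "new_ip_for_user": new_ip,
            "ip_shared_across_users": shared_ip,
            "severity": "high" if (new_ip or shared_ip) else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in find_device_code_signins(parse_signins(SAMPLE_SIGNIN_LOG)):
        print(f"{f['severity']:6} {f['time']} {f['user']:18} {f['ip']:15} app={f['app']}")
```

Run against the constructed sample, the rule returns three leads: alice and dave at high severity (a new address for each user, and the same address for both), bob at medium (his usual address). A medium lead still deserves a question to the user, since a kit can be run from anywhere. Beyond detection, Entra ID Conditional Access has an authentication flows condition that can block device code flow for users who have no legitimate need for it; whether that is appropriate depends on which devices and apps your tenant actually relies on.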
According to Robert Smith, director of cybersecurity and risk management at Intellisystems: “So really what this new tool is doing is one, it’s making it easier for the bad guys, the criminals, to scale up.” Smith added that a compromised Microsoft 365 account can expose much more than email because many people use the platform for cloud storage, file sharing, and business communications, meaning attackers may gain access to a user’s broader digital identity.
Kali365’s AI Tools: $250 Per Month for Any Scammer
Beyond the technical attack method itself, the commoditization of the Kali365 platform is a significant development in the threat landscape.
As noted above, the service has been promoted largely through Telegram since it was first spotted in April 2026, and a subscription costs as little as $250 per month or $2,000 a year. For that price a less-technical attacker gets AI-generated phishing lures, automated campaign templates, real-time dashboards tracking targeted individuals and entities, and OAuth token capture capabilities.
The AI-generated phishing lures are particularly significant. Traditional phishing campaigns required either technical sophistication or the purchase of pre-made templates. Kali365’s AI lure generation means that a $250-per-month subscriber can produce grammatically correct, contextually appropriate, individually targeted phishing emails at scale, without writing a single line of code or composing a single sentence.
“This phishing scam is getting more sophisticated by the day, with AI-generated lures and automated templates,” one user wrote in response to the FBI’s public warning on social media.
What Is Browser-in-the-Browser Phishing?
While Kali365 works by exploiting OAuth tokens, a separate campaign identified by Palo Alto Networks Unit 42 takes a fundamentally different approach: creating fake browser windows so convincing that victims enter their real Microsoft credentials into what appears to be a legitimate Microsoft login prompt.
A new Browser-in-the-Browser phishing campaign is targeting Microsoft 365 users with fake login popups designed to closely mimic legitimate browser authentication windows, according to Palo Alto Networks Unit 42.
The attack relies on a fake browser window embedded within a webpage. Victims who click a Microsoft sign-in button are presented with what appears to be a standard authentication prompt, complete with a spoofed Microsoft OAuth URL and a login form. The key innovation is that this fake popup behaves exactly like a real browser window: it can be dragged around the screen and includes controls such as back, refresh, minimize, and close buttons.
How the BitB Attack Fools Even Security-Conscious Users
The Browser-in-the-Browser attack is specifically designed to defeat the visual inspection habits that cybersecurity training teaches users to rely on.
The draggable window and its back, refresh, minimize, and close controls are what make the popup convincing: they remove some of the visual cues users might normally rely on to spot a fake login page.
Beyond the visual mimicry, the phishing page adapts to the victim’s environment. According to Unit 42 researchers, it identifies the operating system and browser in use and adjusts the appearance of the popup to match Windows, macOS, or Linux, as well as Chrome, Firefox, Edge, or Safari.
Making the fake login page look legitimate is only part of the attack. Unit 42 found that the campaign uses additional techniques intended to make detection and investigation more difficult. These include overriding browser console functions, breaking up visible text strings to bypass simple keyword-based checks, and redirecting suspected bots and automated scanners to a legitimate Microsoft Office help page instead of the phishing content. The credential-harvesting functionality is loaded through a sandboxed iframe, keeping it separate from the visible BitB interface and making the operation more difficult to analyze.
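Two of the evasion techniques above, splitting visible strings so a keyword check never sees the whole hostname, and loading the harvesting form in a sandboxed iframe, are things a content scanner can be written to tolerate rather than be beaten by. The scanner below is an added example, not Unit 42’s tooling and not the campaign’s code: it joins all text runs before matching, strips zero-width characters, flags a Microsoft login hostname painted as page text on a non-Microsoft origin, flags sandboxed cross-origin iframes, and looks for console-function overrides in inline scripts. The sample page, the indicator names and the example URLs are constructed for illustration.

```python
"""Flag Browser-in-the-Browser indicators in fetched HTML, tolerating split text.

Added example; not Unit 42's tooling or the campaign's code. Indicator names,
the sample page and the example URLs are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

LOGIN_HOSTS = ("login.microsoftonline.com", "login.live.com")
ZERO_WIDTH = dict.fromkeys(map(ord, "\u200b\u200c\u200d\u2060\ufeff"), None)
CONSOLE_OVERRIDE = re.compile(
    r"console\.(log|warn|error|info|debug)\s*=|Object\.defineProperty\(\s*console")

# Constructed fake-window page: the "address bar" is spans of text (with a
# zero-width space inside "microsoft"), the form lives in a sandboxed
# cross-origin iframe, and an inline script silences the console.
SAMPLE_BITB_HTML = """<html><body>
<div class="win">
  <div class="titlebar">Sign in to your account</div>
  <div class="addressbar"><span>https://</span><span>login.</span>
    <span>micro&#8203;soft</span><span>online.com</span><span>/common/oauth2/v2.0/authorize</span></div>
  <iframe sandbox="allow-scripts allow-forms" src="https://cdn.example.net/frame.html"></iframe>
</div>
<script>console.log = function () {}; console.error = function () {};</script>
</body></html>"""

# Constructed benign help page that merely mentions the login hostname.
BENIGN_HTML = """<html><body><h1>Sign in</h1>
<p>Use your work account at login.microsoftonline.com.</p></body></html>"""


class PageModel(HTMLParser):
    """Collects text runs, iframe attributes and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.text_runs, self.iframes, self.scripts = [], [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        (self.scripts if self._in_script else self.text_runs).append(data)


def joined_visible_text(runs):
    """Concatenate text runs with no separator, then drop zero-width chars and whitespace.

    "login." + "micro<zero-width>soft" + "online.com" in separate spans defeats a
    per-node keyword match; joining the runs first undoes the split.
    """
    return re.sub(r"\s+", "", "".join(runs).translate(ZERO_WIDTH))


def scan(html, page_url):
    """Return the sorted list of indicator names present on the page."""
    model = PageModel()
    model.feed(html)
    origin = (urlparse(page_url).hostname or "").lower()
    found = set()

    text = joined_visible_text(model.text_runs).lower()
    if origin not in LOGIN_HOSTS and any(h in text for h in LOGIN_HOSTS):
        found.add("login_host_in_visible_text")  # an address bar drawn as page content

    for attrs in model.iframes:
        if "sandbox" not in attrs:
            continue
        src_host = urlparse(attrs.get("src") or "").hostname
        if src_host is None or src_host.lower() != origin:
            found.add("sandboxed_cross_origin_iframe")

    if any(CONSOLE_OVERRIDE.search(s) for s in model.scripts):
        found.add("console_override")

    return sorted(found)


def is_bitb_candidate(html, page_url, threshold=2):
    """One indicator alone is weak evidence; require at least two by default."""
    return len(scan(html, page_url)) >= threshold


if __name__ == "__main__":
    print(scan(SAMPLE_BITB_HTML, "https://docs-share.example.org/view"))
    print(scan(BENIGN_HTML, "https://example.org/help"))
```

The benign help page trips exactly one indicator (it mentions the hostname), which is why the verdict needs a threshold rather than any single match. One caveat follows from the bot-redirection behaviour described above: this scanner can only judge the content it was served, so a crawler that lands on a Microsoft help page should record that the site varies its content by client rather than mark the URL clean.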
Unit 42’s Findings: OS Detection, Bot Blocking, Sandboxed Iframes
The technical sophistication of the BitB campaign documented by Unit 42 is notable for several reasons beyond the visual mimicry.
The campaign’s OS and browser detection capability means there is no single “screenshot” of what the attack looks like. A Windows Chrome user sees a Windows Chrome login popup. A macOS Safari user sees a macOS Safari popup. Each appearance is generated specifically for the victim’s environment, eliminating one of the most reliable ways security researchers document and share attack signatures.
The bot-blocking mechanism, which redirects automated scanners to a legitimate Microsoft help page, directly interferes with the security research tools that organizations use to test whether their defenses catch new phishing campaigns. If an automated scanning system follows a suspicious link and arrives at a real Microsoft page, it records a false negative — no threat detected — even though the actual attack page would have been served to a real human visitor.
Unit 42 also published a list of domains associated with the campaign on GitHub, providing a blocklist that security teams can import into their web filtering and threat intelligence tools.
Microsoft Has Not Been Hacked: Why That Makes Things Worse
One of the most important clarifications about both Kali365 and the Browser-in-the-Browser attack is that Microsoft’s infrastructure has not been compromised. Cybersecurity experts stress that Microsoft itself has not been hacked. Rather, attackers are exploiting users’ trust and normal authentication workflows.
This distinction matters enormously for how organizations and individuals respond. If Microsoft were hacked, Microsoft would patch the vulnerability and the threat would recede. Because both attack methods exploit normal, functioning Microsoft authentication processes rather than vulnerabilities in Microsoft’s infrastructure, there is no patch coming that will neutralize them. The defense has to happen at the user level, not the platform level.
For Kali365, the defense is behavioral: do not enter codes from emails you did not initiate, verify unexpected requests through trusted contact methods, and treat any unexpected authentication prompt with extreme skepticism.
For the BitB attack, the defense is also behavioral but harder to apply: be suspicious of any login popup that appears within a browser window rather than as a new browser window. Real OAuth authentication typically opens in a genuine new browser window or tab, not a popup that remains visually attached to the originating page.
How to Protect Yourself From Microsoft 365 Phishing 2026
The FBI and cybersecurity professionals say awareness and caution remain some of the most effective defenses against increasingly sophisticated phishing attacks. Both Kali365 and BitB attacks rely on user action to succeed.
For Kali365, the FBI says do not open any links with access codes that you did not request. If you receive an email asking you to enter a device code into a Microsoft verification page, and you did not initiate any such process, do not comply. Verify requests through a trusted phone number or contact before taking any action. Avoid sharing login codes or authentication information without confirming the source.
For Browser-in-the-Browser, verify that any login window that appears is a genuine browser window by trying to move it outside the bounds of your main browser window. A real browser window moves independently. A fake popup embedded within a webpage cannot be moved outside the browser boundaries. If a login popup cannot be moved to a second monitor or past the edges of your browser, treat it as suspicious.
Those who have been affected by the Kali365 phishing kit can file a complaint with the Internet Crime Complaint Center at ic3.gov.
Latest Updates
The FBI’s PSA on Kali365 was originally issued in May 2026 through the IC3 and was reported on by Fast Company and Bitdefender in June 2026. Fast Company confirmed the details of the Kali365 platform including its $250/month Telegram promotion, AI-generated phishing lures, OAuth device code capture method, and the hundreds of attacks documented in April 2026 alone. Help Net Security confirmed Palo Alto Networks Unit 42’s findings on the Browser-in-the-Browser phishing campaign, including OS and browser detection, console function overriding, bot redirection to Microsoft help pages, and the sandboxed iframe architecture. WFXG confirmed cybersecurity expert Robert Smith’s assessment that Kali365 lowers the barrier for cybercriminals to scale attacks and that a compromised Microsoft 365 account exposes a victim’s entire digital identity.
Broader Implications
The convergence of Kali365 and Browser-in-the-Browser attacks against Microsoft 365 in 2026 illustrates a pattern that has been building for years: the commoditization of sophisticated cyberattacks. A decade ago, token capture attacks and adaptive phishing popups required significant technical expertise. Today, Kali365 sells those capabilities for $250 per month to anyone with a Telegram account.
The implications for enterprise security teams are significant. Organizations that rely on MFA as their primary account protection now face an attack that renders MFA irrelevant. Organizations that rely on user training to spot fake login pages now face attacks that are visually indistinguishable from legitimate authentication. Both responses, MFA and user training, remain valuable and important, but neither is sufficient against the current threat landscape.
The FBI’s IC3 PSA and Unit 42’s GitHub blocklist represent the primary institutional responses currently available. For the vast majority of Microsoft 365 users, individual behavioral caution is the most actionable defense. Not acting on unexpected authentication prompts, verifying requests through trusted channels, and being skeptical of any login popup that cannot be verified as a genuine browser window are practical steps that do not require technical expertise to apply.
Frequently Asked Questions
1. What is the FBI warning about Microsoft 365 phishing 2026?
The FBI issued a Public Service Announcement warning about Kali365, a phishing-as-a-service platform that captures Microsoft OAuth authentication tokens, bypassing multifactor authentication without needing a user’s password. The subscription-based service costs as little as $250 per month, was first identified in April 2026, and has produced hundreds of attacks documented by security researchers. The FBI warns users of Outlook, Teams, and OneDrive specifically.
2. What is Kali365 and how does it bypass MFA?
Kali365 is a hacking platform that sends victims phishing emails containing device codes and instructs them to enter those codes on a legitimate Microsoft verification page. When the victim enters the code, the attacker captures an OAuth access token, granting full access to the Microsoft 365 account. Because the attack works at the token level rather than the password level, it bypasses MFA entirely — no second-factor prompt is triggered.
3. What is Browser-in-the-Browser phishing and how does it work?
Browser-in-the-Browser phishing, documented by Palo Alto Networks Unit 42, creates a fake login popup window that mimics a legitimate Microsoft authentication prompt, complete with a spoofed OAuth URL, draggable window controls, and styling matched to the victim’s operating system (Windows, macOS, or Linux) and browser (Chrome, Firefox, Edge, or Safari). Victims enter their real Microsoft credentials into the convincing fake popup without realizing the window is not a real browser window.
4. Has Microsoft been hacked?
No. Both Kali365 and the Browser-in-the-Browser campaign exploit normal Microsoft authentication workflows rather than vulnerabilities in Microsoft’s infrastructure. Microsoft itself has not been hacked. The attacks exploit user behavior and trust, not technical weaknesses in Microsoft’s systems.
5. How can I protect my Microsoft 365 account from these phishing attacks?
For Kali365: do not enter device codes from emails you did not initiate, and verify unexpected authentication requests through a trusted phone number or separate communication channel. For Browser-in-the-Browser: test any login popup by trying to move it outside the boundaries of your browser window. A fake popup embedded within a webpage cannot be moved past the browser edges, while a genuine browser window can. Report suspected Kali365 attacks to the FBI’s Internet Crime Complaint Center at ic3.gov.
Sources and References
- Fast Company: The FBI Just Issued an Urgent Warning for Anyone Using Microsoft Teams, Outlook, or OneDrive Over a New Phishing Scheme
- Help Net Security: New Browser-in-the-Browser Phishing Uses Fake Login Popups to Steal Microsoft 365 Credentials
- WFXG: FBI Warns of New Microsoft 365 Scam That Exploits User Trust