FBI Warns: New AI-Powered Attack Bypasses Your Microsoft 365 MFA

Kali365 is a new AI-driven phishing tool that steals Microsoft 365 access tokens — bypassing multi-factor authentication entirely. Here's what it means for your business.

NSI Tech

The FBI just issued a warning about something every business owner needs to understand: a new AI-powered attack tool called Kali365 is actively targeting Microsoft 365 accounts — and it bypasses multi-factor authentication.

Not through a malware payload. Not through a fake login page. It steals access tokens directly, making MFA useless.

What Is Kali365?

Kali365 is a phishing-as-a-service tool that automates credential theft at scale. Here’s what makes it different from standard phishing:

  • No malware required — it operates entirely through legitimate Microsoft services
  • MFA bypass — it grabs access tokens, not passwords, so your second factor never gets triggered
  • Targets Outlook, Teams, OneDrive — the tools your team uses every day
  • Automated campaign execution — even low-skill attackers can run it

The attack chain starts with a convincing email lure (recent campaigns used “code of conduct” themes). Click the link, and the attacker walks right into your Microsoft 365 tenant — token in hand.

Why This Is Different

You might be thinking: “We already have MFA enabled.” That’s fair. But here’s the catch — Kali365 doesn’t need your password. It intercepts the access token that gets issued after you authenticate. So your employee’s legitimate login becomes a gateway for attackers.

Over 35,000 users across 13,000 organizations were hit in a recent campaign. Most were in the U.S. Your business could be next.

What You Can Do Right Now

  1. Revisit your token-based security — Modern IT management goes beyond just MFA. Session policies, conditional access rules, and endpoint hardening matter.
  2. Train your team on phishing indicators — Even token-based attacks start with a convincing email.
  3. Audit who has access to what — Limit exposure if a token is stolen.
  4. Get a security review — If you’re not sure whether your Microsoft 365 environment is locked down, now’s the time.
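
A detection check that supports items 1 and 3, as an added example that is not from the FBI warning or from NSI Tech: because a stolen token is presented by a different client than the one that completed MFA, flag any session whose token later shows up from a new device or IP address. The record layout, field names and sample events are constructed assumptions, not a real Microsoft 365 log schema.

```python
# Added example: constructed records in a hypothetical, simplified schema.
# Each tuple is (time, user, session_id, ip, device_id, event).
SAMPLE_EVENTS = [
    ("2025-01-10T09:00:00", "alice@example.com", "s-100", "203.0.113.10", "dev-a", "signin_mfa"),
    ("2025-01-10T09:05:00", "alice@example.com", "s-100", "203.0.113.10", "dev-a", "token_use"),
    ("2025-01-10T09:20:00", "alice@example.com", "s-100", "198.51.100.77", "dev-x", "token_use"),
    ("2025-01-10T09:21:00", "alice@example.com", "s-100", "198.51.100.77", "dev-x", "token_use"),
    ("2025-01-10T10:00:00", "bob@example.com", "s-200", "192.0.2.5", "dev-b", "signin_mfa"),
    ("2025-01-10T10:30:00", "bob@example.com", "s-200", "192.0.2.44", "dev-b", "token_use"),
]


def find_token_replay(events):
    """Flag token use from a client other than the one that completed sign-in."""
    origin = {}    # session_id -> (ip, device_id) that passed MFA
    seen = set()   # (session_id, ip, device_id) combinations already reported
    findings = []
    # ISO 8601 timestamps sort chronologically as plain strings.
    for time, user, sid, ip, dev, event in sorted(events):
        if event == "signin_mfa":
            origin.setdefault(sid, (ip, dev))  # keep the first sign-in as the baseline
            continue
        if sid not in origin:
            continue  # no sign-in for this session in the data set; nothing to compare
        ip0, dev0 = origin[sid]
        if (ip, dev) == (ip0, dev0) or (sid, ip, dev) in seen:
            continue  # same client as sign-in, or already reported
        seen.add((sid, ip, dev))
        # A new device is the strong signal; an IP change alone is often roaming.
        severity = "high" if dev != dev0 else "low"
        findings.append({
            "time": time, "user": user, "session_id": sid,
            "origin": (ip0, dev0), "observed": (ip, dev), "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for finding in find_token_replay(SAMPLE_EVENTS):
        print(finding)
```

A high-severity finding is a cue to revoke that user's sessions and review what the token could reach, which is where the access audit in item 3 limits the damage.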

The threat landscape changes fast. AI isn’t just helping your business — it’s helping the attackers too.

Worried about your Microsoft 365 security? Talk to NSI Tech. We’ll assess your current setup and close the gaps before Kali365 finds you.
