FBI warns of new phishing service stealing Microsoft 365 access tokens
The FBI Internet Crime Complaint Center issued an advisory on Kali365, a phishing-as-a-service platform active since April 2026. Attackers use AI-generated lures sent via Telegram to capture OAuth tokens that grant ongoing access to Outlook, Teams, and OneDrive without passwords or MFA challenges. The service lowers the technical barrier for attackers seeking persistent access to corporate Microsoft 365 accounts. Multiple outlets reported the advisory in late May 2026.
Before this advisory, most users treated a successful phishing attempt as a contained event that ended once they changed their password or re-entered MFA. Token theft removes that reset option and leaves an attacker inside the same apps the reader relies on for email triage, meeting notes, and file access. The change matters because it turns everyday Microsoft 365 use into a standing exposure. One accepted lure now risks weeks or months of silent access to the exact places where tasks, chats, and documents accumulate, directly feeding the scattered-information problem the reader already fights.
Analysis
Treat this as a known compromise scenario rather than a future risk. Schedule a full token revocation and re-authentication pass across Outlook, Teams, and OneDrive this week, then add a quarterly token review to your existing triage routine.
Pulse published by Collab365 Spaces. Cite as "FBI warns of new phishing service stealing Microsoft 365 access tokens", Collab365 Spaces. 2 sources referenced.