FBI Warns of Kali365 Microsoft Phishing Scam Bypassing MFA | #cybercrime | #infosec

You type in the code.

But just seconds later, hackers take over your account, getting past both your password and multi-factor authentication.

The Kali365 Threat: How Legit Sites Are Weaponized

Here’s how the scam works.

The email wasn’t from a trusted service—it was from a hacker. When you visited the real Microsoft page and entered the code, you weren’t confirming your identity. Instead, you were letting the attacker’s device connect to your account. By the time you notice, the hackers have already bypassed MFA and have ongoing access to your emails, files, and company data.

Beyond Passwords: Why Traditional Protections Fail

Since this attack targets Microsoft’s legitimate website, the usual warning signs, like odd links or fake login pages, won’t help. Even strong passwords and security keys can’t protect you if you give away the authorization code. Microsoft says it is working on a solution, but for now, we need to protect ourselves.

Critical Steps to Stay Safe

The FBI offers straightforward advice: If you did not ask for a code, do not enter it.

Today, local businesses, schools, and families all depend on Microsoft 365. If just one account is compromised, it can lead to widespread data theft. Security now means questioning any unexpected requests, not just looking out for fake websites.

If you get a verification code you did not expect, treat it as a possible threat. Do not respond, do not enter the code, and stay calm. Report the message to your IT team or email provider, then delete it right away. Stay alert, Washington.