The FBI’s Internet Crime Complaint Center (IC3) issued an advisory on May 21, 2026, warning users of Microsoft Teams, Outlook, and OneDrive about a subscription-based hacking platform called Kali365 – a tool that captures authentication tokens to take over Microsoft 365 accounts without ever stealing a password or triggering a multifactor authentication prompt. Security researchers reported hundreds of confirmed Kali365 attacks in April 2026 alone, the same month the platform was first identified.
For small businesses running their operations on Microsoft 365 – using Teams for internal communication, Outlook for client correspondence, and OneDrive for file storage and sharing – the advisory represents a direct operational threat. Firms with lean IT staff or no dedicated security personnel are particularly exposed: token-theft attacks leave few immediate indicators visible to non-technical users, and by the time unauthorized access is detected, an attacker may have spent weeks inside the organization’s email and file systems.
How the phishing scheme targets Microsoft platform users
Kali365 exploits OAuth device codes – the authentication mechanism Microsoft uses to let an application obtain access to account data without the application itself ever handling a password entry. In a standard device-code flow, the application displays a short code, and the user visits a legitimate Microsoft verification page, enters that code, and signs in to authorize the new device or application. Kali365 abuses that process: the attacker initiates the flow, and the victim receives a phishing email spoofing a trusted cloud service, often designed to look like a document-sharing notification from a colleague, instructing them to visit the real Microsoft verification page and enter the provided code.
Because the verification page is genuinely Microsoft’s infrastructure, standard browser security indicators show no warning. The user believes they are completing a routine authorization step. What they are actually doing is approving the attacker’s pending device-code request, so that Microsoft issues the attacker’s application a valid OAuth token – a persistent digital credential that authorizes account access without any further login, and that MFA controls do not re-check once the initial authorization is complete.
The FBI noted that Kali365 bundles this capability with AI-generated phishing lures, automated campaign templates, and real-time tracking dashboards, stating that the platform “lowers the barrier of entry, providing less-technical attackers access to AI-generated phishing lures, automated campaign templates, real-time targeted individual/entity tracking dashboards, and OAuth token capture capabilities.” According to Bitdefender, the service is sold through Telegram channels for $250 per month or $2,000 per year – pricing that puts enterprise-grade account-takeover tools within reach of low-skill attackers. This commoditization of token-theft techniques reflects a broader shift in how AI is being used to industrialize fraud against businesses.
Why small businesses relying on Microsoft tools face elevated exposure
OAuth token attacks are structurally harder for small businesses to detect than credential-based intrusions. Most small firms lack the security information and event management (SIEM) tools or dedicated staff to monitor sign-in logs for anomalous device registrations or unfamiliar access patterns – the primary indicators that a token has been compromised. A stolen OAuth token does not generate a failed login alert; it looks, to most monitoring systems, like a legitimate authorized session.
The operational concentration that makes Microsoft 365 efficient for small teams also amplifies the blast radius of a compromise. When a single Outlook inbox serves as both a client communication hub and an internal coordination tool, and OneDrive holds contracts, financial records, and operational documents, a single token capture gives an attacker persistent visibility across the organization’s most sensitive data. The FBI warns that once OAuth tokens are captured, attackers can quietly monitor mailboxes, exfiltrate files, move laterally inside an organization, conduct business email compromise, or stage ransomware operations – often for extended periods before detection. Small businesses that have already encountered government-flagged phishing campaigns targeting workplace tools should treat this advisory as an escalation of a threat category already on their radar.
What the FBI is telling Microsoft users to do
The IC3 advisory directs victims and organizations to report incidents through IC3.gov and instructs them to preserve email headers, suspicious login details including IP address, timestamp, and location, and any records of unknown devices or active sessions linked to their Microsoft 365 accounts. That documentation is critical for federal investigation and for internal forensic recovery.
Beyond incident reporting, the FBI specifically urges organizations – not just individual users – to audit and revoke suspicious OAuth application consents, monitor sign-in activity for unrecognized device-code authorizations, and enforce conditional access policies capable of flagging unusual device-code usage patterns. The advisory makes clear that user awareness alone is insufficient: even security-conscious employees entering a code on a real Microsoft page cannot visually distinguish a legitimate authorization from an attacker-initiated one, because the page itself is authentic.
Steps small businesses can take to reduce exposure
The FBI’s guidance, combined with broader cybersecurity prevention practices for small businesses, points to several concrete actions organizations should prioritize immediately.
Audit active OAuth app consents in the Microsoft 365 admin center and revoke any applications that are unrecognized or no longer in use – this is the single most direct control against existing token-based access. Enable sign-in risk policies through Microsoft Entra ID (formerly Azure Active Directory) to flag or block authentication attempts from unfamiliar devices or locations, and review sign-in logs for device-code grant events that do not correspond to known employee actions. Train staff specifically on device-code phishing: employees should understand that entering a code on a real Microsoft page can still authorize an attacker’s session, and that any unsolicited request to visit a Microsoft verification URL and enter a code should be verified through a separate channel before proceeding. Restrict OAuth app consent so that only administrators – not individual users – can authorize new third-party applications to access organizational Microsoft 365 data.
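A detection pass of the kind the guidance above calls for, written for this article as an added example (not code from the FBI advisory or from Microsoft): it reads exported Microsoft Entra sign-in records and flags device-code authorizations that use an unapproved app, originate outside known office egress, or are followed shortly afterwards by non-interactive token use from a different address. The Microsoft Graph signIn field names relied on (authenticationProtocol equal to "deviceCode", isInteractive, appId, ipAddress), the allowlist and the sample records are assumptions constructed for the example.

```python
import json
from datetime import datetime, timedelta

# Constructed sample sign-in records, not real tenant data. Field names follow the Microsoft
# Graph signIn schema as assumed here. Record 1: device-code sign-in to an approved tool from
# the office. Records 2-3: the phishing pattern, office authorization then remote token use.
SAMPLE_LOG = """\
{"createdDateTime":"2026-04-14T09:02:11Z","userPrincipalName":"a.ng@example.com","appId":"app-cli","appDisplayName":"Example Approved CLI","authenticationProtocol":"deviceCode","isInteractive":true,"ipAddress":"203.0.113.10"}
{"createdDateTime":"2026-04-14T10:15:40Z","userPrincipalName":"j.doe@example.com","appId":"app-mail","appDisplayName":"Example Mail Client","authenticationProtocol":"deviceCode","isInteractive":true,"ipAddress":"203.0.113.22"}
{"createdDateTime":"2026-04-14T10:16:05Z","userPrincipalName":"j.doe@example.com","appId":"app-mail","appDisplayName":"Example Mail Client","authenticationProtocol":"oAuth2","isInteractive":false,"ipAddress":"198.51.100.77"}
"""

# Tenant-specific allowlist and office egress prefixes (assumptions; adjust per tenant). Kits
# often request tokens under a widely used client's identity, so the allowlist alone is weak.
APPROVED_DEVICE_CODE_APPS = {"Example Approved CLI"}
KNOWN_EGRESS_PREFIXES = ("203.0.113.",)
FOLLOW_UP_WINDOW = timedelta(hours=1)

def parse_signins(raw):
    """Parse newline-delimited JSON sign-in records and sort them chronologically."""
    events = [json.loads(line) for line in raw.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["createdDateTime"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["ts"])

def find_suspicious_device_code_signins(events):
    """Return one finding per device-code sign-in that fails any of the three checks."""
    findings = []
    for e in events:
        if e.get("authenticationProtocol") != "deviceCode":
            continue
        reasons = []
        if e["appDisplayName"] not in APPROVED_DEVICE_CODE_APPS:
            reasons.append("app not approved for device-code sign-in")
        if not e["ipAddress"].startswith(KNOWN_EGRESS_PREFIXES):
            reasons.append("authorization came from outside known egress")
        # Strongest signal: the user authorized on one network, but the client that now holds
        # the token is using it non-interactively from somewhere else.
        for f in events:
            if (f["userPrincipalName"] == e["userPrincipalName"] and f["appId"] == e["appId"]
                    and not f.get("isInteractive", True) and f["ipAddress"] != e["ipAddress"]
                    and e["ts"] < f["ts"] <= e["ts"] + FOLLOW_UP_WINDOW):
                delay = int((f["ts"] - e["ts"]).total_seconds())
                reasons.append(f"token used from {f['ipAddress']} {delay}s after authorization")
                break
        if reasons:
            findings.append({"user": e["userPrincipalName"], "app": e["appDisplayName"],
                             "time": e["createdDateTime"], "ip": e["ipAddress"], "reasons": reasons})
    return findings
```

Run against a real export of the tenant's sign-in logs, each finding is a device-code authorization to verify with the named employee through a separate channel, and a candidate for revoking the corresponding app consent.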
These controls reduce the attack surface but do not eliminate it entirely. An organization whose admin credentials are themselves compromised, or whose conditional access policies are not configured to flag device-code flows specifically, remains exposed regardless of general MFA enforcement.
The Kali365 advisory is the latest indicator that token and identity security – not just password hygiene – has become the primary contested layer in enterprise and SMB account security. Whether Microsoft’s built-in administrative controls will be configured broadly enough across small business tenants to blunt the scale of phishing-as-a-service (PhaaS) campaigns, or whether the volume and automation of attacks will outpace organizational response, remains the central unresolved question as the FBI and security researchers anticipate follow-on kits adopting similar token-theft architectures.