Weekly Scam Alert: The FBI Is Warning Microsoft Users About a Sneaky New Phishing Attack

The FBI is warning Microsoft 365 users about a phishing-as-a-service toolkit that lets hackers hijack email accounts, cloud storage and more.
Called Kali 365, the tool first surfaced in April and is primarily distributed through the Telegram messaging app. For a subscription fee, even low-skill hackers get access to the tool's AI-generated phishing lures, automated campaign templates and real-time tracking dashboards.
The kit's most dangerous feature is its ability to capture OAuth tokens, the digital keys that keep you logged into Microsoft services like Outlook, Teams and OneDrive. Once an attacker has these, they can access your account indefinitely without ever knowing your password or triggering a multi-factor authentication prompt.
Attacks with Kali 365 often start with a phishing email impersonating a trusted cloud productivity or document-sharing service. The email contains a device code with instructions to visit what appears to be a legitimate Microsoft verification page and enter the code.
That step is the trap. By completing it, the user unknowingly authorizes the attacker's device to access their account. The attacker then captures the authorization tokens that grant persistent access to their target's Microsoft 365 environment.
By packaging these capabilities into a subscription service, Kali 365 lowers the barrier to entry for cybercrime — putting sophisticated account-takeover tools in the hands of people who otherwise wouldn't have the technical skills to use them. The FBI noted that the platform gives less-skilled actors access to capabilities that were previously harder to obtain and deploy.
The agency advises Microsoft 365 users to avoid or disable the type of sign-in that asks people to enter a one-time code on another device, and to make sure they have access to a backup account that can help them regain access to the primary account if the change accidentally locks them out. Users who believe they have been targeted should report the incident to the Internet Crime Complaint Center at ic3.gov.
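For administrators who cannot switch the device-code sign-in off right away, the following is an added example (not part of the FBI advisory or this article) of reviewing exported sign-in records for device-code use that a user has never shown before. The field names are modeled on Microsoft Entra sign-in logs and the flattened one-record-per-line layout is an assumption; every record below is constructed.

```python
import json
from collections import defaultdict
from datetime import datetime

TS = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample export, one JSON record per line (assumed flattened layout).
# errorCode 0 means the sign-in succeeded; the non-zero value is a placeholder.
SAMPLE_LOG = """
{"createdDateTime":"2026-05-01T09:00:00Z","userPrincipalName":"kiosk@example.com","authenticationProtocol":"deviceCode","ipAddress":"192.0.2.10","country":"US","errorCode":0}
{"createdDateTime":"2026-05-19T14:30:00Z","userPrincipalName":"alice@example.com","authenticationProtocol":"oAuth2","ipAddress":"192.0.2.25","country":"US","errorCode":0}
{"createdDateTime":"2026-05-20T08:00:00Z","userPrincipalName":"kiosk@example.com","authenticationProtocol":"deviceCode","ipAddress":"192.0.2.10","country":"US","errorCode":0}
{"createdDateTime":"2026-05-20T10:15:00Z","userPrincipalName":"alice@example.com","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.44","country":"NL","errorCode":0}
{"createdDateTime":"2026-05-20T11:00:00Z","userPrincipalName":"bob@example.com","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.9","country":"US","errorCode":1}
{"createdDateTime":"2026-05-21T07:45:00Z","userPrincipalName":"kiosk@example.com","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.77","country":"BR","errorCode":0}
"""

def review_device_code_signins(log_text, baseline_until):
    """Return successful device-code sign-ins after baseline_until that are new for the user."""
    rows = [json.loads(line) for line in log_text.strip().splitlines()]
    rows.sort(key=lambda r: r["createdDateTime"])  # same-format UTC timestamps sort as text
    seen_countries = defaultdict(set)  # user -> countries of earlier successful sign-ins
    used_device_code = set()           # users with an earlier successful device-code sign-in
    findings = []
    for r in rows:
        if r["errorCode"] != 0:        # failed attempt: nothing was authorized
            continue
        user, country = r["userPrincipalName"], r["country"]
        is_device_code = r["authenticationProtocol"] == "deviceCode"
        in_review = datetime.strptime(r["createdDateTime"], TS) > baseline_until
        if is_device_code and in_review:   # earlier records only build the baseline
            reasons = []
            if user not in used_device_code:
                reasons.append("first device-code sign-in for this user")
            if country not in seen_countries[user]:
                reasons.append("country not seen before for this user")
            if reasons:
                findings.append({"user": user, "time": r["createdDateTime"],
                                 "ip": r["ipAddress"], "reasons": reasons})
        seen_countries[user].add(country)
        if is_device_code:
            used_device_code.add(user)
    return findings

if __name__ == "__main__":
    for f in review_device_code_signins(SAMPLE_LOG, datetime(2026, 5, 15)):
        print(f["time"], f["user"], f["ip"], "; ".join(f["reasons"]))
```

A flagged record is a prompt to ask the user whether they entered a code from an email, not proof of compromise; shared devices such as the constructed kiosk account are the usual legitimate source of this sign-in type.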
Other current scams to watch out for
RSVP phishing trap
The FTC issued a consumer alert last week about a phishing campaign using fake party invitations to steal Google and Microsoft login credentials. Security research firm ANY.RUN tracked the campaign to at least December 2025 and identified roughly 80 phishing domains and 160 suspicious links, all built to spoof the "Sign in with Google" and "Sign in with Microsoft" interfaces consumers recognize from everyday websites. The fake invitations impersonate platforms like Evite, Paperless Post and Punchbowl — and sometimes appear to come from people the victim actually knows.
Because a stolen Google or Microsoft password unlocks every account linked to that login, a single successful attack can compromise far more than just an inbox. The FTC recommends keeping your security software updated, using two-factor authentication and acting quickly to change passwords if you think your credentials were compromised.
Fake vendor scams
A town in Maine paid out nearly $190,000 to a fake vendor before realizing it had been scammed in what is being considered a cybersecurity fraud incident. Harpswell officials say the town received fraudulent payment instructions that appeared to come from a legitimate vendor, diverting municipal funds away from the intended recipient. The Board reported it to local and federal authorities, notified its insurance carrier, legal counsel and auditing firm, and is reviewing its internal payment authorization and verification protocols.
This kind of scam is often treated as a business email compromise, which the FBI describes as a scheme that targets businesses and individuals who regularly transfer funds. It’s not a niche problem: the Internet Crime Complaint Center logged 24,768 business email compromise complaints in 2025, with reported losses of about $3.05 billion. The safest move is to verify any new vendor, invoice or payment-change request through a separate channel before sending money — especially if the request involves a wire transfer or updated bank details.
The most common types of scam you should know
Scammers are constantly upping their game, coming up with new and exciting ways (for them) of fooling their targets. AI-powered scams are one example of this; the technology is being used to reach a larger number of people with increasingly convincing schemes.
But some tricks never go out of style. Most scams fall into a handful of familiar patterns, and many long-standing schemes are still a threat today. They’ve just evolved to better fit today’s digital landscape.
- Imposter scams: Scammers often pose as trusted figures such as government agencies, banks, employers and even friends or family to pressure victims into sending money or sharing personal information.
- Phishing and spoofing scams: These scams use emails, texts or phone calls that look like they’re from legitimate organizations. The goal is to trick you into clicking a malicious link, downloading malware or handing over sensitive information.
- Online shopping scams: Fraudsters can create fake online stores or listings with hard-to-find items at unusually low prices. After you pay for an item, what you end up getting might be counterfeit — or it may never arrive in the first place.
- Investment scams: This type of scam often arrives with promises of high returns from crypto, forex or other “exclusive” opportunities. Many involve long-term grooming tactics in which victims are encouraged to invest more over time before losing everything.
- Romance scams: Some scammers try to get into your pocket through the heart. They build a relationship with you on dating apps or social media, then convince you to give up money and assets by fabricating emergencies or investment opportunities.
What to do if you’re the target — or victim — of a scam
No one is immune to scams or fraud, but a few consistent habits can reduce their danger and the damage they cause.
For starters, be skeptical of unsolicited messages, especially those creating fear or urgency. This might look like an email from your bank threatening to close an account, a text from an online marketplace saying you’ll lose a discount or a call from the IRS claiming they’ll report you to the authorities unless you “act now.”
Scammers love to use this sort of language because it puts you on the spot, which they expect will move you to action.
Always verify any requests from an organization by cross-checking with its official phone numbers, email or website. And don’t click any links, download attachments or respond to messages you suspect may be fraudulent. A legitimate organization will not pressure you for instant action or secrecy.
Now, if you’ve already sent financial information or money to someone you suspect is a scammer, you’ll need to take a few steps to protect your data and possibly get your money reimbursed. Contact your bank, credit card issuer or payment platform immediately and attempt to stop or reverse the transactions. Make sure to change any relevant passwords and enable multi-factor authentication to safeguard your accounts, too.
Reporting a scam might also help protect others. You can file a report with the Federal Trade Commission and with local authorities at your nearby police department or sheriff’s office. Identity theft victims should also consider temporarily freezing their credit.
Lastly, review your financial statements and credit reports regularly, keep your software updated and limit how much personal information you share online. Scammers often rely on publicly available details to make their schemes more convincing.