FBI warns Microsoft users about a new AI scam that can steal accounts without passwords
By Farah Mokrani • Updated: 27 May 2026 • 12:40
The FBI has warned users about a new AI-powered phishing scam targeting Microsoft 365 accounts. Credit: Dikushin Dmitry, Shutterstock
A lot of people still feel relatively safe once they activate two-factor authentication on their accounts.
The logic seems simple. Even if somebody steals the password, they still need the verification code too. But cybersecurity experts are now warning that things no longer work that neatly.
The FBI has issued a warning about a growing phishing scam targeting Microsoft 365 users that can give attackers access to accounts without victims directly handing over their passwords at all.
And honestly, that is exactly why the scam is making people nervous. Because many victims do not realise they are being hacked while it is happening.
The threat is known as Kali365, a phishing platform that security researchers say is specifically designed to target Microsoft accounts by tricking users into authorising access themselves.
Once that happens, hackers may remain connected to emails, cloud files and company systems for long periods without repeatedly asking for passwords or verification codes again.
According to the FBI, the scam is becoming especially concerning because artificial intelligence is now helping cybercriminals create far more convincing fake emails and phishing campaigns than before.
Messages look cleaner. The wording sounds more natural. And the usual obvious warning signs people once relied on are becoming much harder to spot.
Why this scam feels more dangerous than older phishing emails
Most people already know the classic phishing scenario.
You receive an email pretending to be from a bank or online platform. It asks you to log in urgently. You type your password into a fake page and the scammer steals your credentials.
Kali365 works differently, and that difference matters.
Instead of focusing mainly on passwords, the scam targets something most ordinary users have never even heard of before.
Login session tokens. These tokens are what allow people to stay logged into services like Outlook, Teams or OneDrive without constantly entering passwords again throughout the day.
Basically, they quietly keep the session active in the background. Cybercriminals have realised stealing those tokens can sometimes be even more useful than stealing passwords directly.
According to the FBI warning, attackers using Kali365 typically send emails pretending to come from productivity tools or document-sharing services linked to Microsoft 365.
Victims are then asked to verify a device code through what appears to be a legitimate Microsoft page. And this is where the trap becomes clever.
Because technically, the page itself may actually belong to Microsoft. That makes the process feel trustworthy. But what users are unknowingly doing is approving access for the attacker’s device instead of their own.
Once the request is accepted, the attacker can potentially access emails, cloud documents and connected Microsoft services while appearing like a legitimate authenticated user. And because the system relies on approved session access rather than repeated password requests, the intrusion may remain unnoticed for much longer.
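A defender-side illustration of the point above, added here and not taken from the article's sources or the FBI warning: since the victim approves the attacker's device on a genuine page, the place to catch it is the sign-in log, where a successful device-code sign-in does not fit the user's own history. The records are constructed, and the field names and the `deviceCode` protocol label are assumptions modelled on identity-provider sign-in logs.

```python
from collections import defaultdict

FIELDS = ("time", "user", "protocol", "country", "app", "success")

# Constructed sample sign-in records (not real log data); field names are assumed.
RAW = [
    ("2026-05-20T08:01:00Z", "ana@example.com", "none", "ES", "Outlook", True),
    ("2026-05-20T10:00:00Z", "tv@example.com", "deviceCode", "ES", "Teams Rooms", True),
    ("2026-05-21T08:03:00Z", "ana@example.com", "none", "ES", "Teams", True),
    ("2026-05-22T09:15:00Z", "ana@example.com", "deviceCode", "BR", "Microsoft Office", True),
    ("2026-05-22T10:00:00Z", "tv@example.com", "deviceCode", "ES", "Teams Rooms", True),
    ("2026-05-22T11:30:00Z", "leo@example.com", "deviceCode", "ES", "Microsoft Office", False),
]
SIGNINS = [dict(zip(FIELDS, row)) for row in RAW]


def flag_device_code_signins(signins, baseline_end):
    """Flag successful device-code sign-ins that break the user's own baseline.

    Records before baseline_end (ISO 8601 UTC string) only build the baseline.
    """
    seen_countries = defaultdict(set)  # user -> countries of earlier sign-ins
    used_device_code = set()           # users who completed the flow before
    findings = []
    for rec in sorted(signins, key=lambda r: r["time"]):
        if not rec["success"]:
            continue  # a failed or abandoned code entry grants no session
        user = rec["user"]
        if rec["protocol"] == "deviceCode":
            reasons = []
            if user not in used_device_code:
                reasons.append("first device-code sign-in for this user")
            if seen_countries[user] and rec["country"] not in seen_countries[user]:
                reasons.append("country not seen before for this user")
            if reasons and rec["time"] >= baseline_end:
                findings.append((rec["time"], user, reasons))
            used_device_code.add(user)
        seen_countries[user].add(rec["country"])
    return findings


if __name__ == "__main__":
    for when, user, reasons in flag_device_code_signins(SIGNINS, "2026-05-22T00:00:00Z"):
        print(when, user, "; ".join(reasons))
```

The shared meeting-room account that routinely uses the device-code flow stays quiet, while the office user whose first device-code sign-in arrives from a new country is flagged for review.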
AI is making phishing scams look far more believable
One reason security agencies are becoming increasingly worried is the role artificial intelligence now plays in modern phishing attacks.
Years ago, scam emails often looked ridiculous: bad grammar, weird formatting, random capital letters and messages translated badly into English.
A lot of people could recognise them immediately. That is changing very quickly.
AI tools now allow scammers to generate polished emails that sound natural and professional in multiple languages within seconds.
And that is lowering people’s guard. Because many users still expect phishing attempts to feel obviously suspicious.
Now some fake emails look almost identical to real workplace notifications.
The FBI says platforms like Kali365 also give attackers access to automated phishing templates, campaign management systems and tracking dashboards showing which victims have interacted with messages.
In simple terms, cybercrime is becoming easier to organise and far more scalable. And experts say that means ordinary users are increasingly becoming targets too, not only large corporations.
Microsoft 365 accounts are particularly attractive because they often contain years of emails, financial information, cloud storage, work documents and sensitive conversations all connected inside the same ecosystem.
For cybercriminals, gaining access to one account can sometimes open the door to much more than people initially imagine.
Why ordinary users should stop assuming MFA alone is enough
A lot of people still believe enabling multi-factor authentication automatically makes their account secure.
Security specialists say it is still extremely important and absolutely worth using.
But scams like Kali365 show that authentication systems can still be bypassed if users accidentally authorise malicious access themselves. And that is exactly what makes these attacks psychologically effective.
They exploit trust more than technical weaknesses. The email may appear normal. The verification request may appear routine. The user may believe they are protecting the account while actually handing over access. That is why cybersecurity experts keep repeating the same advice.
Slow down before approving unexpected login requests. Check whether you genuinely initiated the action yourself. And if something feels strange, stop before clicking anything further. Because modern phishing scams no longer rely only on stealing passwords.
Increasingly, they rely on convincing people that nothing suspicious is happening at all.
And with AI now helping attackers create more realistic scams than ever before, security experts believe many people will soon discover that online fraud no longer looks the way they expect it to.