Hackers Found New Way to Penetrate Microsoft Accounts Without Passwords, FBI Warns

  • The FBI warned that a new phishing platform called Kali365 has targeted Microsoft 365 users by exploiting the company's legitimate device code sign-in process
  • Cybercriminals were able to gain access to Outlook, Teams and OneDrive accounts without stealing passwords, by capturing OAuth access tokens instead
  • Users were advised not to enter device codes received through unexpected emails and to review account activity for suspicious logins

A new cyber threat targeting Microsoft 365 users has prompted a warning from the United States Federal Bureau of Investigation (FBI), with criminals now using a sophisticated phishing technique capable of bypassing passwords and even multifactor authentication.

The campaign centres on a phishing service known as Kali365, which gives cybercriminals ready-made tools to compromise Microsoft accounts linked to Outlook, Teams and OneDrive. Security experts say the attack does not rely on stealing passwords.

Photo: The FBI warned Microsoft users about a sophisticated phishing campaign targeting Microsoft 365 accounts. Source: Getty Images

Instead, it tricks victims into approving access through Microsoft's legitimate device code sign-in process.

How does Kali365 phishing attack work?

According to the FBI, as reported by Fox News, Kali365 first appeared in April 2026 and has largely been distributed through Telegram. The platform provides attackers with artificial intelligence-generated phishing messages, campaign templates and tools that capture OAuth tokens, allowing criminals to gain access to user accounts.

The attack begins with a phishing email disguised as a message from a trusted productivity or file-sharing service. Victims are instructed to enter a device code on an authentic Microsoft verification page. Although the website is genuine, entering the code unknowingly authorises the attacker's device, granting it access to the victim's account.

Once the code is approved, criminals obtain access and refresh tokens that let them use Microsoft services without needing the victim's password or triggering another multifactor authentication prompt.

Why should Microsoft users be concerned?

Cybersecurity experts warned that the technique poses a serious risk because it abuses a trusted Microsoft feature rather than exploiting a fake website. Password managers may not detect anything suspicious because users are directed to an authentic Microsoft page.

Photo: FBI warns Microsoft users as new phishing scam bypasses password protection. Source: Getty Images

Small businesses could be particularly vulnerable. A compromised Microsoft 365 account may expose emails, invoices, customer information, shared documents and internal conversations. Criminals could also impersonate legitimate employees to deceive colleagues, suppliers or clients.

Microsoft said users should follow the FBI's recommendations and the company's own security guidance to defend against Kali365 and similar attacks.

The technology company added that it continues to disrupt criminal networks linked to phishing-as-a-service and account takeover campaigns.

How can users protect their accounts?

The FBI advised users to enter a Microsoft device code only when they personally initiated the sign-in process. It also recommended avoiding links contained in unexpected emails or messages and instead accessing Microsoft services directly through an official website.

Users are encouraged to review recent account activity, revoke suspicious sessions and report any suspected compromise immediately.

Organisations were also urged to restrict device code sign-in where it is not required and to train staff to recognise this emerging phishing method.
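For administrators who want to act on the two defensive points above (reviewing account activity for suspicious logins, and deciding where device code sign-in can be restricted), the following Python script is an added example written for this page; it is not code from the FBI, Microsoft or Legit.ng. It parses a handful of constructed sign-in records shaped like Microsoft Entra sign-in log entries (the field names `authenticationProtocol`, `appDisplayName`, `ipAddress`, `location.countryOrRegion` and `status.errorCode` follow the Microsoft Graph `signIn` schema as the author of this example understands it; every value is invented) and flags successful device-code sign-ins that either come from an untrusted country or coincide with the same user's sign-in from a different country, which is the pattern the article describes: the victim approves on the genuine Microsoft page from their usual location while the token is issued to a device somewhere else. It also tallies which users actually rely on the flow, so that it can be blocked for everyone else.

```python
import json
from datetime import datetime, timedelta

# Constructed sample sign-in events (shaped like Microsoft Entra sign-in log
# entries from the Graph "signIn" resource). Every value is invented for this
# example; only the field names follow the real schema.
SAMPLE_SIGNINS_JSON = """
[
 {"createdDateTime": "2026-05-04T09:00:12Z", "userPrincipalName": "alice@example.com",
  "authenticationProtocol": "oAuth2", "appDisplayName": "Office 365 Exchange Online",
  "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "NG"}, "status": {"errorCode": 0}},
 {"createdDateTime": "2026-05-04T09:06:40Z", "userPrincipalName": "alice@example.com",
  "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office",
  "ipAddress": "198.51.100.77", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
 {"createdDateTime": "2026-05-04T10:15:03Z", "userPrincipalName": "bob@example.com",
  "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Azure CLI",
  "ipAddress": "203.0.113.22", "location": {"countryOrRegion": "NG"}, "status": {"errorCode": 0}},
 {"createdDateTime": "2026-05-04T11:42:55Z", "userPrincipalName": "carol@example.com",
  "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office",
  "ipAddress": "192.0.2.9", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 999}}
]
"""
# errorCode 0 means the sign-in succeeded; 999 is a constructed non-zero value
# standing in for any failure code.


def parse_signins(raw_json):
    """Parse exported sign-in records and attach a timezone-aware timestamp."""
    records = json.loads(raw_json)
    for r in records:
        r["_ts"] = datetime.fromisoformat(r["createdDateTime"].replace("Z", "+00:00"))
    return records


def device_code_signins(records):
    """Every sign-in that used the device code flow, successful or not."""
    return [r for r in records if r.get("authenticationProtocol") == "deviceCode"]


def flag_suspicious_device_code(records, trusted_countries, window=timedelta(minutes=30)):
    """Return successful device-code sign-ins worth an analyst's review.

    Rule 1: the sign-in came from a country outside the tenant's trusted list.
    Rule 2: the same user had another successful sign-in from a different
            country within `window`. This is the article's scenario: the victim
            enters the code on the real Microsoft page from home, and the token
            lands on the attacker's device elsewhere minutes later.
    """
    successes = [r for r in records if r.get("status", {}).get("errorCode") == 0]
    flagged = []
    for r in device_code_signins(successes):
        country = r.get("location", {}).get("countryOrRegion")
        reasons = []
        if country not in trusted_countries:
            reasons.append(f"device code sign-in from untrusted country {country}")
        for other in successes:
            if other is r or other["userPrincipalName"] != r["userPrincipalName"]:
                continue
            other_country = other.get("location", {}).get("countryOrRegion")
            gap = abs(other["_ts"] - r["_ts"])
            if other_country != country and gap <= window:
                reasons.append(
                    f"same user signed in from {other_country} at "
                    f"{other['createdDateTime']} ({gap} apart)"
                )
        if reasons:
            flagged.append({
                "user": r["userPrincipalName"], "time": r["createdDateTime"],
                "app": r["appDisplayName"], "ip": r["ipAddress"], "reasons": reasons,
            })
    return flagged


def device_code_usage_by_user(records):
    """Count successful device-code sign-ins per user.

    Users absent from this map never use the flow, so blocking device code
    sign-in for them costs nothing (the article's "restrict where not required").
    """
    usage = {}
    for r in device_code_signins(records):
        if r.get("status", {}).get("errorCode") == 0:
            usage[r["userPrincipalName"]] = usage.get(r["userPrincipalName"], 0) + 1
    return usage


if __name__ == "__main__":
    recs = parse_signins(SAMPLE_SIGNINS_JSON)
    for hit in flag_suspicious_device_code(recs, trusted_countries={"NG"}):
        print(f"REVIEW {hit['user']} {hit['time']} via {hit['app']} from {hit['ip']}")
        for reason in hit["reasons"]:
            print(f"   - {reason}")
    print("device code usage:", device_code_usage_by_user(recs))
```

Run against a real export, the script points an analyst at the sessions to revoke and at the users for whom a Conditional Access block on the device code flow would cause no disruption. The 30-minute window and the trusted-country list are tenant-specific tuning knobs, not values from the article.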

Security experts said exercising caution before approving unexpected login requests remains one of the most effective ways to prevent unauthorised access to Microsoft accounts.

Yahoo Boys: American woman shares experience

Earlier, Legit.ng reported that an American woman recounted how two 'Yahoo Boys' duped her out of significant sums in romance scams, despite her continued admiration for Nigerian men.

In a viral video, she detailed her encounters, revealing how the scammers manipulated her emotions and finances.

She displayed the young Nigerian's real picture alongside the one he showed his unsuspecting victims.

Source: Legit.ng

Authors:
Ibrahim Sofiyullaha (Editorial Assistant) Ibrahim Sofiyullaha is a graduate of First Technical University, Ibadan. He was the founder and pioneer Editor-in-Chief of a fast-rising campus journalism outfit at his university. Ibrahim is a coauthor of the book Julie, or Sylvia, written in collaboration with two prominent Western authors. He was ranked as the 9th best young writer in Africa by the International Sports Press Association. Ibrahim has contributed insightful articles for major platforms, including Sportskeeda in the UK and Motherly in the United States. Email: ibrahim.sofiyullaha@corp.legit.ng