FBI warns Microsoft users about a new AI scam that can steal accounts without passwords

The FBI has alerted users to a new phishing scam powered by AI that targets Microsoft 365 accounts.
Credit: Dikushin Dimitry, Shutterstock

Activating two-factor authentication can make people feel more secure.

The logic appears simple. Even if someone steals your password, they still need to provide the verification code. Security experts now warn that things don’t work as neatly.

The FBI issued a warning regarding a growing phishing attack targeting Microsoft 365 accounts that allows attackers to gain access without victims having to directly give out their passwords.

This is why the scam makes people nervous. The majority of victims don’t even realise that their accounts are being compromised.

Security researchers have identified the threat as Kali365. It is a phishing tool designed specifically to target Microsoft accounts by tricking users into authorising access themselves.

Hackers may then continue to access emails, cloud-based files, and company systems without asking for passwords again.

The FBI warns that the scam has become more dangerous because artificial intelligence now helps cybercriminals create fake emails and phishing campaigns that are far more convincing than before.

Messages look cleaner. The language sounds more natural. The usual warning signs are harder to see.

This scam is more dangerous than previous phishing emails

The classic phishing scam is well-known to most people.

An email appears to come from a bank or an online platform. You are asked to log in immediately. Scammers steal your credentials by having you enter your password on a fake web page.

Kali365 is different, and this difference is important.

The scam is not primarily focused on passwords. Instead, it goes after something most users are unaware of: login session tokens. These tokens enable people to remain logged in to services like Outlook, Teams and OneDrive all day long without needing to enter their passwords repeatedly.

In essence, they quietly keep the session active. Cybercriminals now know that stealing these tokens is often more beneficial than stealing the passwords themselves.

According to an FBI warning, Kali365 attackers send emails that appear to be from Microsoft 365 or productivity tools.

The victim is then asked to confirm a device code via what appears to be an official Microsoft page. This is when the trick becomes clever.

The page may technically belong to Microsoft. This makes the process seem more trustworthy. What users unknowingly do is approve access for an attacker’s computer instead of their own.

After the request has been accepted, an attacker could potentially gain access to emails, cloud files, and connected Microsoft services while appearing as a genuine authenticated user. The intrusion can stay hidden for a long time because the system relies on session access rather than repeated requests for passwords.
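A defender-side illustration of the device-code approval described above, added here and not part of the original article or the FBI warning: it reviews constructed sign-in records and flags device-code sign-ins by accounts that are not expected to use that flow, noting when the source IP is new for the user. The field names, the `deviceCode` label and the `expected_users` allow-list are assumptions for this example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in records (not real data). The field names and the
# "deviceCode" label are assumptions for this example, not a product schema.
SIGNINS = [
    {"time": "2025-01-06T08:01:00", "user": "ana@example.com", "protocol": "browser", "ip": "198.51.100.10"},
    {"time": "2025-01-06T08:05:00", "user": "kiosk@example.com", "protocol": "deviceCode", "ip": "198.51.100.20"},
    {"time": "2025-01-06T09:30:00", "user": "ana@example.com", "protocol": "deviceCode", "ip": "203.0.113.77"},
    {"time": "2025-01-06T09:40:00", "user": "ben@example.com", "protocol": "browser", "ip": "198.51.100.11"},
    {"time": "2025-01-06T10:00:00", "user": "ben@example.com", "protocol": "deviceCode", "ip": "198.51.100.11"},
]


def flag_device_code_signins(events, expected_users=frozenset()):
    """Return (user, time, reasons) for device-code sign-ins worth reviewing.

    expected_users is a hypothetical allow-list of accounts that legitimately
    use the device code flow (for example shared screens with no keyboard).
    """
    seen_ips = defaultdict(set)  # user -> IPs seen in earlier sign-ins
    findings = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        user, ip = ev["user"], ev["ip"]
        if ev["protocol"] == "deviceCode" and user not in expected_users:
            reasons = ["unexpected_flow"]
            # An address the account has never signed in from adds weight.
            if ip not in seen_ips[user]:
                reasons.append("new_ip")
            findings.append((user, ev["time"], reasons))
        seen_ips[user].add(ip)
    return findings


if __name__ == "__main__":
    for user, when, reasons in flag_device_code_signins(SIGNINS, {"kiosk@example.com"}):
        print(f"{when} {user}: review ({', '.join(reasons)})")
```
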

AI makes phishing schemes look more convincing

Artificial intelligence is one of the reasons security agencies are increasingly concerned about modern phishing.

Years ago, scam emails often looked ridiculous: bad grammar, weird formatting, random capital letters and messages translated badly into English.

Many people recognised them instantly. This is changing rapidly.

AI tools now allow scammers to create polished emails in multiple languages that sound natural and professionally written within seconds.

It is also a sign that people are letting their guard down. Many users still expect phishing to be obvious and suspicious.

Some fake emails now look nearly identical to real notifications from the workplace.

According to the FBI, platforms such as Kali365 give attackers access not only to automated phishing messages but also to campaign management systems, tracking dashboards and automated phishing templates.

Simply put, cybercrime becomes easier to plan and scale. Experts say this means that ordinary users, and not just large corporations, are increasingly becoming targets.

Microsoft 365 accounts can be very attractive, as they contain years’ worth of emails, financial data, cloud storage, documents, and confidential conversations, all linked together in the same ecosystem.

By gaining access to a single account, cybercriminals can do much more.

Why MFA alone won’t suffice for most users

Many people believe that enabling multi-factor authentication will automatically make their account secure.

Security experts still say it’s important and definitely worth using.

Scams such as Kali365 demonstrate that authentication can be bypassed when the users themselves accidentally authorise malicious access. This is what makes these attacks so psychologically powerful.

Trust matters more here than technical weakness. Emails may seem normal. The request for verification may seem routine. The user might think that they are protecting the account when, in fact, they are giving access away. This is why cyber experts repeat the same advice.

Please take your time before you approve any unexpected login requests. Verify that you initiated the request. Stop before you click anything if it feels odd. Modern phishing scams do not rely solely on password theft.

They rely more and more on convincing the public that there is nothing suspicious going on.

Security experts believe that, with AI helping to create more realistic scams, many people are soon going to discover that online fraud does not look the way they expect.



About Liam Bradford

Liam Bradford, a seasoned news editor with over 20 years of experience, currently based in Spain, is known for his editorial expertise, commitment to journalistic integrity, and advocating for press freedom.
