At the center of the scheme sits a hacking platform called Kali365. Unlike traditional phishing attacks that rely on stealing credentials, Kali365 targets OAuth device codes-digital keys that allow applications to access data without requiring a password. This approach gives cybercriminals access to Microsoft 365 accounts and a wide range of sensitive information. The subscription-based service first appeared in April 2026, and scammers promoted it largely through Telegram.

According to Bitdefender, criminals can access the service for as little as $250 per month or $2,000 per year. What makes the threat particularly alarming is its ability to gain access to a user’s account without a password. The FBI stated that the platform lowers the barrier of entry, providing less-technical attackers access to AI-generated phishing lures, automated campaign templates, and OAuth token capture capabilities, along with real-time tracking dashboards targeting specific individuals or entities.

How the Attack Unfolds

The attack follows a deceptively simple sequence. It exploits user trust in legitimate Microsoft services. A victim receives a phishing email designed to look like it came from a trusted cloud service. The email contains a device code and instructs the recipient to visit a legitimate Microsoft verification page to enter it.

The moment the user enters the code, they unknowingly hand the attacker full access to their account. Once attackers obtain the authentication token, they gain the same access privileges as the legitimate user. This includes access to email, documents, calendar information, and other sensitive data stored across Microsoft 365 services. The entire process bypasses traditional security measures that many users consider reliable protection against unauthorized access.

FBI Dismantles Major Chinese Phishing Operation

The Kali365 warning comes as the FBI dismantled a major Chinese phishing-as-a-service operation called Outsider Enterprise. The FBI seized multiple administration servers, a Shopify e-commerce storefront, and an account the attackers used to test the phishing service. Law enforcement also seized around $100,000 in USDT cryptocurrency, redirected thousands of phishing pages to an FBI announcement site, and seized a Telegram bot that stored stolen information.

Phishing-as-a-Service represents a model where threat actors rent a kit that allows them to easily create fake login pages spoofing major brands. The services also enable criminals to send spam emails and SMS messages in bulk and exfiltrate stolen files. The FBI reports this particular PhaaS proved very popular in the cybercriminal community. The operation ran for roughly three years and generated around 9,000 fake websites, as well as at least one million fraudulent URLs.

Hackers used this PhaaS to steal more than 3.8 million credit card records, resulting in around $1.9 billion in losses. The scale of the operation demonstrates the significant financial impact these criminal services create across the digital economy. Google followed the FBI’s action by filing a civil lawsuit against the PhaaS infrastructure and partnering with major telecommunications providers to block fraudulent messages before they reach their targets.

Google Takes Legal Action

“Our civil lawsuit targets an organized cybercrime operation known as the ‘Outsider Enterprise’. Based in China and coordinating through Telegram, this network distributes ‘phishing kits’ that allow criminals to blast out fake text campaigns that look like they’re from Google and other trusted brands,” Google stated.

Google claims that in just two weeks, criminals sent around 2.5 million fraudulent SMS messages to targets using Android devices. Users flagged only 55,000 of them as fraudulent, highlighting the sophisticated nature of these attacks and the difficulty users face in identifying them. The operation, which the FBI calls Operation Ghost Hook, seized the infrastructure behind a subscription kit that law enforcement ties to 3.87 million stolen cards.

Low Barrier to Entry for Cybercriminals

Zero technical skill was required to operate the Outsider software. Subscribers simply paid $88 per week or $200 per month via a self-service Telegram bot before choosing from more than 290 pre-built templates. These templates impersonated banks, wireless carriers, government agencies, state DMVs, the U.S. Postal Service, and toll systems such as New York’s E-ZPass.

The kit captured victim data in real time and could request SMS codes, PINs, email codes, and app approvals on demand. This capability allowed operators to retrieve one-time passcodes for two-factor authentication, effectively neutralizing a security measure millions of users depend on. Fake E-ZPass and other toll texts have driven a wave of fraud over the past two years, demonstrating how criminals adapt their tactics to exploit everyday digital interactions.

AI-Powered Phishing Tools

Google’s filing alleges Outsider distributed step-by-step instructions, including a tutorial video, showing customers how to make Gemini write the HTML for a phishing page. The prompts appeared as requests for an innocuous “gift redemption page” built with inline CSS and no JavaScript, wording designed to read as ordinary coding help and avoid the model’s safety filters. The resulting shell was imported back into the Outsider software and became a working scam site, multiplying the variations available from the 290 templates.

Google has previously reported nation-state hackers using Gemini across phishing and intrusion campaigns, and researchers last year demonstrated a Gemini for Workspace flaw that obeyed instructions hidden inside emails. Brett Leatherman from Google noted the increasing sophistication of these attacks.

“Criminals increasingly use AI to make fraud like this more convincing and harder to detect,” Leatherman stated.

Protecting Against Modern Phishing Threats

The combined threat of Kali365 and similar phishing-as-a-service operations highlights the evolving nature of cybercrime. Traditional security measures no longer provide adequate protection against sophisticated attacks that bypass passwords entirely. Users must remain vigilant about unsolicited emails requesting device code verification, even when those emails appear to come from legitimate sources. Organizations should implement additional security layers beyond multifactor authentication and educate employees about the latest phishing techniques.

The FBI’s coordinated action with Google and Lumen Technologies demonstrates law enforcement’s commitment to disrupting these criminal networks. However, the low cost and ease of access to these phishing tools suggest new services will likely emerge to replace those shut down. The cybersecurity community faces an ongoing challenge as artificial intelligence makes it increasingly simple for criminals with minimal technical knowledge to launch convincing attacks at scale.

The post FBI Issues Urgent Warning as Microsoft 365 Users Face New Phishing Threat appeared first on The Daily Update.