If you use Microsoft Outlook, Teams or Microsoft 365 regularly, there’s a new scam making the rounds that’s worth paying attention to, especially because it doesn’t look like the typical phishing attack people are used to spotting.
The FBI recently warned that cybercriminals are using a more sophisticated approach to trick people into handing over access to their Microsoft accounts. And unlike older scams filled with fake websites, spelling mistakes or suspicious links, this one can appear surprisingly legitimate at first glance.
Security experts say the scam is spreading because it’s easier for cybercriminals to launch and harder for everyday users to recognize in the moment. Even people who use multi-factor authentication (MFA) can be vulnerable if they’re tricked into approving a login request they didn’t initiate.
Here’s how the scam works, why it’s different from traditional phishing attacks and what Microsoft users can do to better protect themselves.
How the Kali365 Microsoft scam works
The attack uses something called “device code phishing,” which sounds technical but is actually fairly simple once you understand how it works.
Microsoft’s device code login system is a legitimate feature designed for devices like smart TVs or streaming devices that don’t have easy keyboards. Instead of typing a password directly on the device, users are given a short code to enter on a Microsoft login page from another device. Scammers are now exploiting that process.
According to the FBI, the scam typically starts with an email or Teams message pretending to be from a trusted service like SharePoint, OneDrive, Microsoft Teams or another document-sharing platform. The message often creates urgency by claiming you need to open a file, review a document or respond quickly to a request.
The victim is then instructed to visit a real Microsoft login page and enter a provided device code.
Because the website itself is legitimate, many people assume the request is safe. But entering that code actually authorizes the attacker’s device to access the account. Once the victim completes the authentication process, the hacker can capture account tokens that allow ongoing access to Outlook, Teams, OneDrive and other Microsoft 365 services.
Why this phishing attack is harder to spot
Most people are taught to watch for phishing red flags like fake websites, misspelled company names or suspicious URLs. This attack avoids many of those warning signs because the Microsoft login page itself is real. That means someone could still fall victim even if they carefully check the web address.
Instead, scammers rely heavily on urgency and impersonation tactics. Messages may appear to come from coworkers, clients or familiar services asking you to quickly review a file or complete a login step.
Cybersecurity experts say this shift reflects how phishing scams are evolving. Rather than stealing passwords directly, attackers are increasingly trying to steal authenticated sessions or access tokens that let them stay signed in without repeatedly triggering password or MFA checks.
Can hackers really bypass MFA?
In a way, yes, but not because MFA itself is broken. The FBI says attackers are not technically defeating multi-factor authentication. Instead, victims are unknowingly approving the login themselves through the legitimate Microsoft process.
That’s an important distinction because MFA is still one of the best protections available and should not be turned off.
However, this scam shows that MFA alone is no longer enough if users are tricked into approving unauthorized access requests.
Security experts still recommend using authenticator apps instead of SMS text-message verification when possible because app-based MFA generally offers stronger protection against other types of phishing attacks.
Don’t turn off multi-factor authentication (MFA)
This scam doesn’t break MFA — it tricks users into approving access. MFA remains one of the strongest defenses against account compromise.
Signs your Microsoft account may be compromised
One challenge with token-based attacks is that hackers can sometimes maintain access without immediately changing your password.
Still, there are a few warning signs that could indicate someone has gained access to your account:
- Unexpected MFA approval requests or login prompts
- Login alerts from unfamiliar devices or locations
- Emails sent from your Outlook account that you didn’t send
- Strange inbox rules, deleted emails or missing messages
- Password reset notifications you didn’t request
- Unusual Teams activity or messages
- New connected apps or permissions you don’t recognize
The FBI also warns that attackers may maintain persistent access until suspicious sessions or tokens are manually revoked.
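To show what the "unfamiliar devices or locations" warning sign above looks like from a defender's side, here is an added Python example (not from the article, the FBI or Microsoft): it scans constructed sign-in records and flags device-code logins that come from a network the user has never used for an ordinary sign-in. The record layout and field names are assumptions, modelled loosely on Entra ID sign-in logs, which record which protocol each sign-in used.

```python
import json

# Constructed sample sign-in events (not real log data). Field names are an
# assumption; a real sign-in log export uses different, richer fields.
SAMPLE_SIGNINS = """\
{"user": "alice@example.com", "time": "2025-01-10T09:02:11Z", "protocol": "oAuth2", "ip": "203.0.113.10", "country": "US"}
{"user": "bob@example.com", "time": "2025-01-09T08:00:00Z", "protocol": "oAuth2", "ip": "203.0.113.22", "country": "US"}
{"user": "alice@example.com", "time": "2025-01-11T14:30:05Z", "protocol": "deviceCode", "ip": "198.51.100.77", "country": "NL"}
{"user": "bob@example.com", "time": "2025-01-11T15:00:00Z", "protocol": "deviceCode", "ip": "203.0.113.22", "country": "US"}
"""


def parse_signins(text):
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_suspicious_device_code_signins(records):
    """Flag device-code sign-ins from an IP or country the user had not used
    for any ordinary (non-device-code) sign-in before that moment.

    A genuine device-code login (a smart TV, say) normally comes from a
    network the user already signs in from; an attacker's device usually
    does not, which is the 'unfamiliar location' signal.
    """
    baseline = {}  # user -> {"ips": set(), "countries": set()} seen so far
    flagged = []
    for r in sorted(records, key=lambda r: r["time"]):  # ISO-8601 sorts as text
        b = baseline.setdefault(r["user"], {"ips": set(), "countries": set()})
        if r["protocol"] == "deviceCode":
            reasons = []
            if r["ip"] not in b["ips"]:
                reasons.append("unfamiliar IP")
            if r["country"] not in b["countries"]:
                reasons.append("unfamiliar country")
            if reasons:
                flagged.append({**r, "reasons": reasons})
        else:
            b["ips"].add(r["ip"])
            b["countries"].add(r["country"])
    return flagged


def users_to_review(records):
    """Accounts whose active sessions and tokens should be reviewed and revoked."""
    return sorted({r["user"] for r in find_suspicious_device_code_signins(records)})


if __name__ == "__main__":
    for hit in find_suspicious_device_code_signins(parse_signins(SAMPLE_SIGNINS)):
        print(hit["time"], hit["user"], hit["ip"], ", ".join(hit["reasons"]))
```

In the sample, Bob's device-code login comes from the same network as his earlier sign-in and is left alone, while Alice's comes from a new IP and country and is flagged for session review.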
How to protect your Outlook and Microsoft 365 accounts
While scammers continue finding new ways to target users, a few habits can significantly reduce your risk.
Never enter a device code unless you initiated the login
This is one of the biggest takeaways from the FBI warning. If you receive an unexpected request asking you to enter a Microsoft device code, stop and verify the request independently before proceeding.
Be cautious with urgent Teams or email requests
Even if a message appears to come from someone you know, double-check unexpected requests involving logins, authentication approvals or document sharing.
Review active sessions and connected apps regularly
Microsoft accounts allow users to review signed-in devices and connected applications. Periodically checking for unfamiliar sessions or app permissions can help you spot suspicious activity earlier.
Turn on security alerts
Enable Microsoft security notifications so you receive alerts about suspicious logins, unusual activity or new devices accessing your account.
Use strong, unique passwords and a password manager
Even though this attack doesn’t rely on password theft, strong passwords still matter because attackers often combine multiple tactics.
What to do if you entered a suspicious device code
If you think you may have approved access for a scammer, act quickly.
The FBI recommends taking these steps immediately:
- Change your Microsoft password
- Sign out of all sessions to invalidate authentication tokens attackers may be using to maintain access
- Review and revoke any unfamiliar connected apps and permissions
- Review inbox forwarding rules for unauthorized changes
- Run antivirus or security scans on your devices
- Contact your employer’s IT department if it’s a work account
- Monitor financial and personal accounts for suspicious activity
You can also report phishing attempts or suspicious activity to the FBI’s Internet Crime Complaint Center (IC3) and through Microsoft’s security reporting tools.
Cybercriminals often use publicly available information to make phishing attacks appear more convincing. Data broker removal services such as Incogni and DeleteMe can help reduce the amount of personal information available online, including addresses, phone numbers and family relationships.
While these services won’t remove a hacker’s access to a compromised Microsoft account or stop a phishing attack already in progress, they may help reduce the amount of personal information criminals can use to impersonate trusted contacts or craft targeted scams.
Even as scammers evolve their tactics, awareness remains one of the most effective defenses. Understanding how device-code phishing works can help you recognize suspicious login requests and avoid granting access to attackers, even when the Microsoft login page itself is legitimate.