They're not breaking the lock; they're stealing the key
A sophisticated phishing campaign known as Kali365 or EvilTokens is quietly rewriting the rules of digital trust, targeting Microsoft 365 users not by stealing passwords but by harvesting the session tokens that authentication itself produces. In doing so, it renders multifactor authentication — long held as the gold standard of account protection — insufficient on its own. The FBI and multiple security firms have raised alarms, signaling that this is not an isolated incident but a coordinated challenge to the assumptions underlying modern cybersecurity. It is a reminder that every lock, once widely trusted, eventually attracts those who study it most carefully.
- Attackers have found a way to bypass MFA entirely by stealing session tokens — the digital keys issued after a successful login — rather than targeting passwords at all.
- The campaign exploits legitimate authentication infrastructure, making malicious activity harder to distinguish from normal system behavior.
- The FBI and multiple independent security firms have issued alerts, signaling the threat has reached a scale and sophistication that demands broad institutional attention.
- Compromised accounts expose email, files, contacts, and sensitive data, with real consequences ranging from identity theft to financial fraud and weeks-long remediation efforts.
- Security experts are urging organizations to move beyond MFA alone, toward token validation, anomalous login detection, and conditional access policies that add friction even after initial authentication.
A new phishing campaign is circulating that accomplishes something many believed had been largely addressed: bypassing multifactor authentication. Known as Kali365 or EvilTokens, the threat targets Microsoft 365 users not by stealing passwords but by harvesting session tokens — the digital keys a device receives after a successful login that confirm a user is authenticated.
The distinction matters enormously. Traditional phishing attacks steal credentials, and MFA stops them by requiring a second factor. But these attackers skip that step entirely. By obtaining the token itself, they inherit full account access — email, files, contacts, permissions — without ever triggering the MFA prompt. They are not breaking the lock; they are taking the key that is already in the user's hand.
What makes the campaign particularly difficult to counter is that it abuses legitimate authentication infrastructure rather than hacking it. The machinery being exploited is real and functional; it is simply being pointed in the wrong direction. This has drawn alerts from multiple security firms and, notably, from the FBI — a signal that the campaign has reached a scale warranting federal attention.
For organizations relying on Microsoft 365, the implications cut deep. MFA has been the standard recommendation for years, the thing you were supposed to do. This attack exposes it as necessary but not sufficient. Security experts are now pointing toward layered defenses: token validation that checks whether a token matches the device and location where it was issued, anomalous login detection that flags unusual access patterns, and conditional access policies requiring additional verification for sensitive operations even after initial login.
The broader significance is what this moment reveals about the security model many organizations believed was solid. As attackers grow more sophisticated, the industry is being forced to reckon with the fact that no single layer of protection holds forever — and that the answer lies not in any one tool, but in the depth of the defenses built around it.
A new phishing campaign is circulating that does something security experts thought they had largely solved: it gets past multifactor authentication. The threat, known by multiple names—Kali365 and EvilTokens among them—targets Microsoft 365 users by stealing the session tokens that keep them logged in, rather than going after passwords the way older phishing attacks do.
The mechanics are what make this dangerous. When you log into Microsoft 365, your device receives a token—essentially a digital key that proves you're authenticated. Normally, even if someone steals your password, multifactor authentication stops them cold: they'd need your phone, your authenticator app, or whatever second factor you've set up. But these attackers aren't trying to log in the traditional way. They're harvesting the tokens themselves, which means they bypass the entire MFA layer. They're not breaking the lock; they're stealing the key that's already in your hand.
The campaign exploits what appears to be a legitimate authentication mechanism—the attackers aren't hacking anything, they're abusing a system that's supposed to work. This is what makes it particularly insidious. The infrastructure they're leveraging is real and functional; they're just pointing it at the wrong target. Once they have a token, they can access a compromised account as if they were the actual user, with all the permissions and data access that entails.
The threat has drawn attention from multiple security firms and, notably, from the FBI itself. When federal law enforcement issues an alert about a phishing campaign, it signals that the problem has reached a scale worth their attention. The fact that multiple independent security researchers and organizations have identified and named this threat suggests it's not a one-off attack but a coordinated campaign with some sophistication behind it.
For organizations running Microsoft 365, the implications are serious. Multifactor authentication has become the standard security recommendation—the thing you're supposed to do to protect yourself. But this attack demonstrates that MFA alone is not sufficient. A compromised token gives attackers access to email, files, contacts, and whatever else lives in a Microsoft 365 account. Depending on the user's role, that could mean access to sensitive company data, customer information, or financial records. The human cost is real: identity theft, financial fraud, and the kind of account compromise that can take weeks to fully remediate.
The forward-looking advice from security experts points toward layered defenses. Organizations need to look beyond just requiring a second factor at login. Token validation—checking whether a token being used actually matches the device and location where it was issued—can catch stolen tokens in use. Anomalous login detection, which flags when an account is accessed from an unusual place or at an unusual time, provides another line of defense. Some organizations are also implementing conditional access policies that require additional verification for sensitive operations, even after initial login.
What makes this moment significant is that it exposes a gap in the security model many organizations thought was solid. Multifactor authentication is not a complete solution; it's one layer in what needs to be a more comprehensive approach. As attackers continue to evolve their methods, the security industry is being forced to evolve alongside them.
Citações Notáveis
The campaign exploits legitimate authentication mechanisms rather than hacking systems, abusing the infrastructure that's supposed to protect users— Security researchers tracking the threat
A Conversa do Hearth Outra perspectiva sobre a história
So if multifactor authentication is supposed to stop phishing, how does stealing a token get around it?
Because the token is what comes after MFA succeeds. Once you've logged in with your password and your second factor, your device gets a token that says "this person is authenticated." The attackers aren't trying to log in—they're stealing that proof of authentication that's already been granted.
But how do they actually steal the token? Are they hacking Microsoft's servers?
No, that's what's clever about it. They're using legitimate authentication flows—the same mechanisms Microsoft built. They're not breaking in; they're abusing the system's own logic to redirect tokens to themselves.
So a user could have the strongest password in the world and still get compromised?
Exactly. The password doesn't matter once the token is stolen. They have proof of authentication. They can read your email, access your files, impersonate you to colleagues. The password becomes irrelevant.
Why is the FBI involved if this is just a phishing campaign?
Because the scale and sophistication suggest it's not random. Multiple security firms have identified it independently, which means it's widespread enough to be a real threat to critical infrastructure and businesses. That's when federal law enforcement pays attention.
What's the actual fix here?
There isn't one simple fix. Organizations need to validate tokens—check that they're being used from the right device, the right location. They need to watch for unusual login patterns. Multifactor authentication is still important, but it can't be the only thing you rely on.