New Microsoft 365 phishing threat bypasses multi-factor authentication

Potential compromise of sensitive data and account access for affected Microsoft 365 users, with possible identity theft and financial fraud implications.
They're not breaking the lock; they're stealing the key
How the Kali365 phishing campaign bypasses multifactor authentication by targeting session tokens instead of passwords.

A sophisticated phishing campaign known as Kali365 or EvilTokens is quietly rewriting the rules of digital trust, targeting Microsoft 365 users not by stealing passwords but by harvesting the session tokens that authentication itself produces. In doing so, it renders multifactor authentication — long held as the gold standard of account protection — insufficient on its own. The FBI and multiple security firms have raised alarms, signaling that this is not an isolated incident but a coordinated challenge to the assumptions underlying modern cybersecurity. It is a reminder that every lock, once widely trusted, eventually attracts those who study it most carefully.

  • Attackers have found a way to bypass MFA entirely by stealing session tokens — the digital keys issued after a successful login — rather than targeting passwords at all.
  • The campaign exploits legitimate authentication infrastructure, making malicious activity harder to distinguish from normal system behavior.
  • The FBI and multiple independent security firms have issued alerts, signaling the threat has reached a scale and sophistication that demands broad institutional attention.
  • Compromised accounts expose email, files, contacts, and sensitive data, with real consequences ranging from identity theft to financial fraud and weeks-long remediation efforts.
  • Security experts are urging organizations to move beyond MFA alone, toward token validation, anomalous login detection, and conditional access policies that add friction even after initial authentication.

A new phishing campaign is circulating that accomplishes something many believed had been largely addressed: bypassing multifactor authentication. Known as Kali365 or EvilTokens, the threat targets Microsoft 365 users not by stealing passwords but by harvesting session tokens — the digital keys a device receives after a successful login that confirm a user is authenticated.

The distinction matters enormously. Traditional phishing attacks steal credentials, and MFA stops them by requiring a second factor. But these attackers skip that step entirely. By obtaining the token itself, they inherit full account access — email, files, contacts, permissions — without ever triggering the MFA prompt. They are not breaking the lock; they are taking the key that is already in the user's hand.

What makes the campaign particularly difficult to counter is that it abuses legitimate authentication infrastructure rather than hacking it. The machinery being exploited is real and functional; it is simply being pointed in the wrong direction. This has drawn alerts from multiple security firms and, notably, from the FBI — a signal that the campaign has reached a scale warranting federal attention.

For organizations relying on Microsoft 365, the implications cut deep. MFA has been the standard recommendation for years, the thing you were supposed to do. This attack exposes it as necessary but not sufficient. Security experts are now pointing toward layered defenses: token validation that checks whether a token matches the device and location where it was issued, anomalous login detection that flags unusual access patterns, and conditional access policies requiring additional verification for sensitive operations even after initial login.

The broader significance is what this moment reveals about the security model many organizations believed was solid. As attackers grow more sophisticated, the industry is being forced to reckon with the fact that no single layer of protection holds forever — and that the answer lies not in any one tool, but in the depth of the defenses built around it.

A new phishing campaign is circulating that does something security experts thought they had largely solved: it gets past multifactor authentication. The threat, known by multiple names—Kali365 and EvilTokens among them—targets Microsoft 365 users by stealing the session tokens that keep them logged in, rather than going after passwords the way older phishing attacks do.

The mechanics are what make this dangerous. When you log into Microsoft 365, your device receives a token—essentially a digital key that proves you're authenticated. Normally, even if someone steals your password, multifactor authentication stops them cold: they'd need your phone, your authenticator app, or whatever second factor you've set up. But these attackers aren't trying to log in the traditional way. They're harvesting the tokens themselves, which means they bypass the entire MFA layer. They're not breaking the lock; they're stealing the key that's already in your hand.

The campaign exploits what appears to be a legitimate authentication mechanism—the attackers aren't hacking anything, they're abusing a system that's supposed to work. This is what makes it particularly insidious. The infrastructure they're leveraging is real and functional; they're just pointing it at the wrong target. Once they have a token, they can access a compromised account as if they were the actual user, with all the permissions and data access that entails.

The threat has drawn attention from multiple security firms and, notably, from the FBI itself. When federal law enforcement issues an alert about a phishing campaign, it signals that the problem has reached a scale worth their attention. The fact that multiple independent security researchers and organizations have identified and named this threat suggests it's not a one-off attack but a coordinated campaign with some sophistication behind it.

For organizations running Microsoft 365, the implications are serious. Multifactor authentication has become the standard security recommendation—the thing you're supposed to do to protect yourself. But this attack demonstrates that MFA alone is not sufficient. A compromised token gives attackers access to email, files, contacts, and whatever else lives in a Microsoft 365 account. Depending on the user's role, that could mean access to sensitive company data, customer information, or financial records. The human cost is real: identity theft, financial fraud, and the kind of account compromise that can take weeks to fully remediate.

The forward-looking advice from security experts points toward layered defenses. Organizations need to look beyond just requiring a second factor at login. Token validation—checking whether a token being used actually matches the device and location where it was issued—can catch stolen tokens in use. Anomalous login detection, which flags when an account is accessed from an unusual place or at an unusual time, provides another line of defense. Some organizations are also implementing conditional access policies that require additional verification for sensitive operations, even after initial login.

What makes this moment significant is that it exposes a gap in the security model many organizations thought was solid. Multifactor authentication is not a complete solution; it's one layer in what needs to be a more comprehensive approach. As attackers continue to evolve their methods, the security industry is being forced to evolve alongside them.

The campaign exploits legitimate authentication mechanisms rather than hacking systems, abusing the infrastructure that's supposed to protect users
— Security researchers tracking the threat
A Conversa do Hearth Outra perspectiva sobre a história
Inventor

So if multifactor authentication is supposed to stop phishing, how does stealing a token get around it?

Model

Because the token is what comes after MFA succeeds. Once you've logged in with your password and your second factor, your device gets a token that says "this person is authenticated." The attackers aren't trying to log in—they're stealing that proof of authentication that's already been granted.

Inventor

But how do they actually steal the token? Are they hacking Microsoft's servers?

Model

No, that's what's clever about it. They're using legitimate authentication flows—the same mechanisms Microsoft built. They're not breaking in; they're abusing the system's own logic to redirect tokens to themselves.

Inventor

So a user could have the strongest password in the world and still get compromised?

Model

Exactly. The password doesn't matter once the token is stolen. They have proof of authentication. They can read your email, access your files, impersonate you to colleagues. The password becomes irrelevant.

Inventor

Why is the FBI involved if this is just a phishing campaign?

Model

Because the scale and sophistication suggest it's not random. Multiple security firms have identified it independently, which means it's widespread enough to be a real threat to critical infrastructure and businesses. That's when federal law enforcement pays attention.

Inventor

What's the actual fix here?

Model

There isn't one simple fix. Organizations need to validate tokens—check that they're being used from the right device, the right location. They need to watch for unusual login patterns. Multifactor authentication is still important, but it can't be the only thing you rely on.

Quer a matéria completa? Leia o original em Google News ↗
Análise de cobertura

Como esta história foi coberta

Veja o Register completo deste dia →

1 veículos cobriram isto

O custo humano

0 de 1 reportagens nomearam as pessoas afetadas.

Enquadramento e foco

Nomeados como agindo: Unknown threat actors operating Kali365/EvilTokens phishing platform

Nomeados como afetados: Microsoft 365 users globally, at risk of account hijacking despite MFA protections

Com base na análise da Echo Harbor sobre como os veículos noticiaram esta história.

Fale Conosco FAQ