By Jon Fingas
Publication Date: 2026-05-25 18:14:00
You’ll want to be careful before signing in to your Microsoft 365 account from an outside prompt, even if you’re vigilant. The FBI says a new scam based on the Kali365 phishing-as-a-service platform can bypass multi-factor authentication (MFA) by tricking users into approving legitimate Microsoft logins.
According to a public service announcement, hackers are exploiting a system Microsoft put in place to enable MFA for hardware with limited input, such as smart TVs and streaming media players. The intruders start the authentication process and use phishing or social engineering to persuade users to enter the short device code on a real Microsoft website. After they do, Microsoft’s system supplies an access token that lets perpetrators hijack accounts without completing the MFA solutions themselves.
…