The New Microsoft 365 Scam Defeats MFA; Proves Training Beats Tech

Date: 1 July 2026

Featured Image

Every few months a new Microsoft 365 scam comes along that quietly changes the rules. This one has earned an FBI warning, and it deserves the attention. But the most important lesson it teaches has almost nothing to do with the technical detail of the attack itself.

The lesson is this. This Microsoft 365 scam, also dubbed as Kali365, does not defeat your technology. It defeats your people. And that is a problem no software licence can solve on its own.

For years, organisations have poured money into tools. Firewalls, endpoint protection, and multi-factor authentication have all become standard. That investment matters. Yet this scam slips past one of the strongest of those controls, MFA, without breaking it. It targets the one part of your defence that no vendor can patch. The human being sitting at the keyboard.

A Quick Reminder of How it Works

The mechanics are worth understanding, because they explain exactly why this is a people problem.

Kali365 abuses a genuine Microsoft feature called the device code sign-in. This is the process that lets you approve a login for a device that is hard to type on, such as a smart TV. The attacker begins a login on their own machine and receives a short code from Microsoft. They then email your staff and pose as a trusted service. They ask the user to enter that code on the real Microsoft verification page.

Because the page is authentic, nothing looks wrong. There is no fake website to spot. There is no dodgy link to hover over. The user enters the code in good faith. The moment they do, Microsoft hands the attacker a valid access token. The intruder is now inside the account, past MFA, and free to read email and files for weeks.

No alarm sounds. From the system's point of view, a real user approved a real login. The only line of defence that could have stopped this was the person deciding whether to enter the code.

Technology Stops the Machine - Only People Stop the Con

This is the heart of the matter. Kali365 is not really a hacking tool in the traditional sense. It is a confidence trick delivered through a genuine system. It works by persuasion, not by force.

You cannot buy your way out of a confidence trick. You can only train your way out of it. A member of staff who pauses and thinks, "I did not start any login, so why am I being asked to approve one?" defeats this attack completely. A member of staff who has never been taught to ask that question does not stand a chance.

This is precisely why cyber security awareness cannot be treated as a box-ticking exercise. It has to change how people behave under pressure. It has to build an instinct that overrides the natural urge to be helpful and to act quickly when an email looks official.

That instinct is what our NCSC Assured Cyber Security and Privacy Essentials training is designed to build. The training takes non-technical staff through the real threats they face and explains them in plain language. It covers online scams, the psychology attackers use, and the simple habits that stop most attacks in their tracks. Crucially, it addresses the human factor directly. Staff learn why they are targeted and how to recognise the moment when something is not right.

A threat like Kali365 is exactly the kind of scenario this training prepares people for. The rule that beats it is short and memorable. If you did not begin a login yourself, never approve a code, no matter how genuine the page appears. A workforce that has internalised that single principle has already closed the door on this attack. 

The Decisions That Matter Most Happen at the Top

Staff awareness is only half the story. Kali365 also raises hard questions for leadership, and those questions cannot be delegated to the IT team alone.

Consider what a business actually has to decide in response to this threat. Should the device code flow be switched off across the organisation? Where are the genuine exceptions, such as shared kiosks, that would be disrupted if it were? How quickly must staff report a suspected slip, and what is the plan when someone does report one? Who takes charge if a mailbox is compromised and used to attack customers?

These are not purely technical choices. They are business decisions with legal, financial, and reputational weight. They belong in the boardroom. Yet many senior leaders have never been asked to make a decision like this under realistic pressure. They understand cyber risk as an abstract idea. They have rarely felt what it is like to lead through a live incident where information is incomplete and the clock is running.

This is the gap our Crisis Management Training for Executives is built to close. The session is designed for boards, senior leaders, and decision-makers rather than technical specialists. It focuses on the decisions leaders have to own when a crisis hits. It helps them understand when an incident becomes a genuine crisis and what changes in that moment. It clarifies who does what across leadership, legal, communications, and beyond. And it gives leaders the confidence to act decisively rather than freeze.

An attack like Kali365 is a perfect example of why this matters. The technical containment may take minutes. The leadership response, including how you communicate with staff, customers, and regulators, can define whether the incident becomes a footnote or a headline.

Security Awareness and Leadership Must Work Together

Here is the point that ties everything together. Staff awareness and executive readiness are not separate concerns. They are two halves of the same defence.

A well-trained workforce reduces the number of incidents that ever begin. When something does slip through, prepared leadership decides how bad it becomes. One without the other leaves a dangerous gap. Aware staff with unprepared leaders will report a problem into a vacuum. Prepared leaders with untrained staff will simply face more incidents to manage.

Kali365 shows why both layers are needed at once. The attack starts with a single person and a single code. It ends with a decision about how the whole organisation responds. Everything in between depends on human judgement.

Turning the Warning into Action

The FBI warning about Kali365 will fade from the headlines soon enough. The underlying lesson will not. Attackers have learned that the fastest route past strong technology is the person using it. That approach is not going away. If anything, it will grow as more of these criminal toolkits appear.

The sensible response is to strengthen the human layer of your defence with the same seriousness you apply to your technology. That means giving every member of staff the awareness to spot a manipulation attempt. It also means giving your leaders the practice to respond well when awareness alone is not enough.

At Cyber Management Alliance, this is the work we do every day. Our Cyber Security and Privacy Essentials training builds the everyday vigilance that stops attacks like Kali365 at the first click. Our Crisis Management Training for Executives prepares your leaders to make sound decisions when a crisis lands on their desk. Together they turn your people from your greatest vulnerability into your strongest line of defence.

Kali365 is a reminder that cyber security has never been only about machines. It has always been about people. The organisations that take that truth seriously are the ones that come through incidents like this intact.

Don't wait for a scam like this to test your team. The Microsoft 365 device code scam succeeds when people aren't prepared and leaders haven't practised their response. We help you fix both.

Our Cyber Security and Privacy Essentials training builds everyday vigilance across your workforce, while our Crisis Management Training for Executives prepares your leaders to make sound decisions under real pressure. Book a discovery call with us today and turn your people into your strongest line of defence.