The New Microsoft 365 Scam Defeats MFA; Proves Training Beats Tech


Date: 1 July 2026


Every few months a new Microsoft 365 scam comes along that quietly changes the rules. This one has earned an FBI warning, and it deserves the attention. But the most important lesson it teaches has almost nothing to do with the technical detail of the attack itself.

The lesson is this. This Microsoft 365 scam, also known as Kali365, does not defeat your technology. It defeats your people. And that is a problem no software licence can solve on its own.

For years, organisations have poured money into tools. Firewalls, endpoint protection, and multi-factor authentication have all become standard. That investment matters. Yet this scam slips past one of the strongest of those controls, MFA, without breaking it. It targets the one part of your defence that no vendor can patch: the human being sitting at the keyboard.

A Quick Reminder of How it Works

The mechanics are worth understanding, because they explain exactly why this is a people problem.

Kali365 abuses a genuine Microsoft feature called device code sign-in. This is the process that lets you approve a login for a device that is hard to type on, such as a smart TV. The attacker begins a login on their own machine and receives a short code from Microsoft. They then email your staff posing as a trusted service and ask the user to enter that code on the real Microsoft verification page.

Because the page is authentic, nothing looks wrong. There is no fake website to spot. There is no dodgy link to hover over. The user enters the code in good faith. The moment they do, Microsoft hands the attacker a valid access token. The intruder is now inside the account, past MFA, and free to read email and files for weeks.

No alarm sounds. From the system’s point of view, a real user approved a real login. The only line of defence that could have stopped this was the person deciding whether to enter the code.
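No alarm sounds by default, but the sign-in does leave a trace: Entra ID sign-in records carry the protocol that was used, and the device code flow is recorded as its own value. The script below is an added example (not code from the article, Cyber Management Alliance or Microsoft) that hunts through sign-in records shaped like the Microsoft Graph signIn resource for device-code sign-ins by accounts that have no business using that flow, and rates them by whether the source address is new for that user or shared with other victims. The records, the allowlist of kiosk accounts and the failed-sign-in error value are constructed for illustration.

```python
"""Hunt for device-code sign-ins in Entra ID sign-in log records.

Added example, not code from the original article or from any vendor. It
assumes records shaped like the Microsoft Graph signIn resource
(authenticationProtocol, userPrincipalName, ipAddress, createdDateTime,
appDisplayName, status.errorCode). The records below are constructed and
are not real log data.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample records. 203.0.113.x plays the role of the office range;
# 198.51.100.77 is an address none of the users has signed in from before.
# A non-zero errorCode marks a failed sign-in (the value itself is constructed).
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-06-30T08:02:11Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10",
     "appDisplayName": "Microsoft Teams", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-06-30T08:15:43Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.77",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-06-30T09:00:00Z", "userPrincipalName": "kiosk-lobby@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.20",
     "appDisplayName": "Microsoft Teams Rooms", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-06-30T09:30:00Z", "userPrincipalName": "bob@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.77",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 1}},
]

# Accounts that legitimately use device code sign-in (shared kiosks, meeting-room
# devices). Constructed allowlist; in practice it comes from your asset inventory.
EXPECTED_DEVICE_CODE_USERS = {"kiosk-lobby@example.com"}

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


def _is_success(record):
    return record.get("status", {}).get("errorCode", 0) == 0


def device_code_findings(records, expected_users=EXPECTED_DEVICE_CODE_USERS):
    """Return one finding per device-code sign-in by an account not expected to use that flow.

    Severity: high   - succeeded from an IP the user never used on an ordinary sign-in,
                       or from an IP that several users device-coded from (one attacker
                       machine approving several victims' codes);
              medium - succeeded, but from an IP already in the user's baseline;
              low    - the device-code sign-in did not succeed.
    """
    baseline_ips = defaultdict(set)   # IPs each user used on ordinary (non-device-code) sign-ins
    users_per_ip = defaultdict(set)   # distinct users whose device-code sign-ins came from each IP
    for r in records:
        if r.get("authenticationProtocol") == "deviceCode":
            users_per_ip[r["ipAddress"]].add(r["userPrincipalName"])
        else:
            baseline_ips[r["userPrincipalName"]].add(r["ipAddress"])

    findings = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        user = r["userPrincipalName"]
        if user in expected_users:
            continue
        new_ip = r["ipAddress"] not in baseline_ips[user]
        shared_ip = len(users_per_ip[r["ipAddress"]]) > 1
        if not _is_success(r):
            severity = "low"
        elif new_ip or shared_ip:
            severity = "high"
        else:
            severity = "medium"
        findings.append({
            "time": datetime.strptime(r["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "ip": r["ipAddress"],
            "app": r.get("appDisplayName", ""),
            "succeeded": _is_success(r),
            "new_ip": new_ip,
            "shared_ip": shared_ip,
            "severity": severity,
        })
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f["severity"]], f["time"]))


if __name__ == "__main__":
    for f in device_code_findings(SAMPLE_SIGNINS):
        print(f"{f['severity']:6} {f['time']:%Y-%m-%d %H:%M} {f['user']:24} {f['ip']:16} "
              f"app={f['app']} new_ip={f['new_ip']} shared_ip={f['shared_ip']} ok={f['succeeded']}")
```

On the constructed data, Alice's successful device-code sign-in from an address she has never used, which is also the address Bob's attempt came from, is rated high; Bob's failed attempt is rated low; the kiosk account is skipped because it is on the allowlist. The same logic fits a scheduled query over exported sign-in logs, with the allowlist replacing the guesswork about which device-code sign-ins are genuine.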

Technology Stops the Machine – Only People Stop the Con

This is the heart of the matter. Kali365 is not really a hacking tool in the traditional sense. It is a confidence trick delivered through a genuine system. It works by persuasion, not by force.

You cannot buy your way out of a confidence trick. You can only train your way out of it. A member of staff who pauses and thinks, “I did not start any login, so why am I being asked to approve one?” defeats this attack completely. A member of staff who has never been taught to ask that question does not stand a chance.

This is precisely why cyber security awareness cannot be treated as a box-ticking exercise. It has to change how people behave under pressure. It has to build an instinct that overrides the natural urge to be helpful and to act quickly when an email looks official.

That instinct is what our NCSC Assured Cyber Security and Privacy Essentials training is designed to build. The training takes non-technical staff through the real threats they face and explains them in plain language. It covers online scams, the psychology attackers use, and the simple habits that stop most attacks in their tracks. Crucially, it addresses the human factor directly. Staff learn why they are targeted and how to recognise the moment when something is not right.

A threat like Kali365 is exactly the kind of scenario this training prepares people for. The rule that beats it is short and memorable. If you did not begin a login yourself, never approve a code, no matter how genuine the page appears. A workforce that has internalised that single principle has already closed the door on this attack. 

The Decisions That Matter Most Happen at the Top

Staff awareness is only half the story. Kali365 also raises hard questions for leadership, and those questions cannot be delegated to the IT team alone.

Consider what a business actually has to decide in response to this threat. Should the device code flow be switched off across the organisation? Where are the genuine exceptions, such as shared kiosks, that would be disrupted if it were? How quickly must staff report a suspected slip, and what is the plan when someone does report one? Who takes charge if a mailbox is compromised and used to attack customers?
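The first two of those questions have a concrete shape in Entra ID: a Conditional Access policy that blocks the device code flow for everyone, excludes the group holding the genuine exceptions, and runs in report-only mode first so the exceptions can be found before anyone is locked out. The block below is an added example (not code from the article, Cyber Management Alliance or Microsoft) that builds such a policy as a dictionary following the Microsoft Graph conditionalAccessPolicy shape as I understand it, and evaluates sign-ins against it with a deliberately simplified version of the policy logic. The group id is a placeholder, and the field names should be checked against the current Graph documentation before use.

```python
"""Model the policy decision: block device code sign-in for all users, carve out
the genuine exceptions, and start in report-only mode before enforcing.

Added example, not the article's or Microsoft's code. The dictionary follows the
shape of the Microsoft Graph conditionalAccessPolicy resource as I understand it
(conditions.authenticationFlows.transferMethods, grantControls.builtInControls).
evaluate() is a simplification of Entra's policy engine: it considers only the
user scope, the authentication-flow condition and the policy state.
"""

# Placeholder for the group that holds shared kiosks and meeting-room devices.
KIOSK_GROUP_ID = "PLACEHOLDER-KIOSK-GROUP-ID"


def build_block_device_code_policy(excluded_group_ids, report_only=True):
    """Policy that blocks the device code flow for all users except the excluded groups."""
    return {
        "displayName": "Block device code flow (shared devices excluded)",
        # Report-only records who would have been blocked without blocking anyone yet.
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": list(excluded_group_ids)},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def evaluate(policy, user_groups, transfer_method):
    """Return 'allowed', 'blocked' or 'would_block' (report-only) for one sign-in.

    user_groups: group ids the signing-in user belongs to.
    transfer_method: 'deviceCodeFlow', 'authenticationTransfer' or None for an ordinary sign-in.
    """
    cond = policy["conditions"]
    # transferMethods is a comma-separated flag string in the Graph resource.
    methods = {m.strip() for m in cond["authenticationFlows"]["transferMethods"].split(",")}
    if transfer_method not in methods:
        return "allowed"
    users = cond["users"]
    in_scope = "All" in users.get("includeUsers", [])
    if set(user_groups) & set(users.get("excludeGroups", [])):
        in_scope = False  # an exclusion always wins over an inclusion
    if not in_scope or "block" not in policy["grantControls"]["builtInControls"]:
        return "allowed"
    if policy["state"] == "enabled":
        return "blocked"
    if policy["state"] == "enabledForReportingButNotEnforced":
        return "would_block"
    return "allowed"  # disabled policy


def affected_users(policy, device_code_signins):
    """Users whose device-code sign-ins the policy blocks or would block.

    device_code_signins: iterable of (userPrincipalName, group_ids) pairs taken from
    sign-in records whose protocol was device code. Run over report-only data this
    is the list to review for exceptions you have not yet carved out.
    """
    return sorted({user for user, groups in device_code_signins
                   if evaluate(policy, groups, "deviceCodeFlow") != "allowed"})


if __name__ == "__main__":
    # Constructed sign-ins: a kiosk account in the excluded group and two staff accounts.
    observed = [("kiosk-lobby@example.com", [KIOSK_GROUP_ID]),
                ("alice@example.com", []),
                ("bob@example.com", [])]
    report_only = build_block_device_code_policy([KIOSK_GROUP_ID])
    print("report-only, would block:", affected_users(report_only, observed))
    enforced = build_block_device_code_policy([KIOSK_GROUP_ID], report_only=False)
    print("enforced, blocked:", affected_users(enforced, observed))
```

The rollout this models is the one the questions above imply: run the policy in report-only mode, review the affected-user list to find any shared device or account that still needs the flow, move it into the excluded group, and only then switch the state to enabled. The remaining questions (how quickly staff report, who takes charge of a compromised mailbox) are the human decisions the article goes on to discuss and have no configuration equivalent.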

These are not purely technical choices. They are business decisions with legal, financial, and reputational weight. They belong in the boardroom. Yet many senior leaders have never been asked to make a decision like this under realistic pressure. They understand cyber risk as an abstract idea. They have rarely felt what it is like to lead through a live incident where information is incomplete and the clock is running.

This is the gap our Crisis Management Training for Executives is built to close. The session is designed for boards, senior leaders, and decision-makers rather than technical specialists. It focuses on the decisions leaders have to own when a crisis hits. It helps them understand when an incident becomes a genuine crisis and what changes in that moment. It clarifies who does what across leadership, legal, communications, and beyond. And it gives leaders the confidence to act decisively rather than freeze.

An attack like Kali365 is a perfect example of why this matters. The technical containment may take minutes. The leadership response, including how you communicate with staff, customers, and regulators, can define whether the incident becomes a footnote or a headline.

Security Awareness and Leadership Must Work Together

Here is the point that ties everything together. Staff awareness and executive readiness are not separate concerns. They are two halves of the same defence.

A well-trained workforce reduces the number of incidents that ever begin. When something does slip through, prepared leadership decides how bad it becomes. One without the other leaves a dangerous gap. Aware staff with unprepared leaders will report a problem into a vacuum. Prepared leaders with untrained staff will simply face more incidents to manage.

Kali365 shows why both layers are needed at once. The attack starts with a single person and a single code. It ends with a decision about how the whole organisation responds. Everything in between depends on human judgement.

Turning the Warning into Action

The FBI warning about Kali365 will fade from the headlines soon enough. The underlying lesson will not. Attackers have learned that the fastest route past strong technology is the person using it. That approach is not going away. If anything, it will grow as more of these criminal toolkits appear.

The sensible response is to strengthen the human layer of your defence with the same seriousness you apply to your technology. That means giving every member of staff the awareness to spot a manipulation attempt. It also means giving your leaders the practice to respond well when awareness alone is not enough.

At Cyber Management Alliance, this is the work we do every day. Our Cyber Security and Privacy Essentials training builds the everyday vigilance that stops attacks like Kali365 at the first click. Our Crisis Management Training for Executives prepares your leaders to make sound decisions when a crisis lands on their desk. Together they turn your people from your greatest vulnerability into your strongest line of defence.

Kali365 is a reminder that cyber security has never been only about machines. It has always been about people. The organisations that take that truth seriously are the ones that come through incidents like this intact.

Don’t wait for a scam like this to test your team. The Microsoft 365 device code scam succeeds when people aren’t prepared and leaders haven’t practised their response. We help you fix both.

Our Cyber Security and Privacy Essentials training builds everyday vigilance across your workforce, while our Crisis Management Training for Executives prepares your leaders to make sound decisions under real pressure. Book a discovery call with us today and turn your people into your strongest line of defence.

Microsoft has spent the last several years pushing Copilot and new user interface designs, which has meant that several great features included with Windows don’t get the recognition that they deserve. These are some of my favorites that will run on any Windows 11-compatible PC.

Clipboard history remembers everything you copy

Win+V replaces one of the oldest frustrations in computing

Windows’ default clipboard has been a source of minor but constant annoyance: it holds exactly one thing. If you copy something new, the previous item is wiped out. It is enough of a problem that multiple third-party apps were created to address the shortcoming.

Now, Windows has Clipboard History built in, though it isn’t enabled by default. To turn it on, press Windows+i, then navigate to System > Clipboard, and click the toggle next to Clipboard history.

Once it is enabled, you can press Win+V to view up to 25 items in your clipboard history, including text, images, and links.

If you have specific pieces of information you use daily, like an email signature, a common code snippet, or a home address, you should pin some of those items. Pinned items persist between system reboots and clipboard history clears, which means you never have to hunt to find something when you need it.

You can even enable sync in the Clipboard settings, allowing your copied text to follow you between different PCs signed in to the same Microsoft account. Once you get into the habit of using Win+V, the standard copy-paste function will feel useless by comparison.

Voice typing actually works now

Win+H lets you write with your voice

Notepad with Windows Voice Typing popup visible.

Windows dictation software has a reputation for being clunky and difficult to use, but that isn’t the case anymore. Thanks to the improvements in AI that we’ve seen since 2024, voice typing accuracy has improved significantly, especially for technical vocabulary. You don’t have to spend your time manually fixing formatting either. The tool supports punctuation commands like “period,” “new line,” and “question mark,” which prevents your text from turning into a rambling mess.

To use voice typing, press Windows+H anywhere there is a text field.

While it isn’t a full replacement for high-end professional software, it is free, built-in, and more than good enough for long-form writing, taking down a sudden idea, or writing quick messages when your hands are full.

Snap layouts make window management effortless

Hover over the maximize button and pick a layout


You can manually drag windows to the edges of your screen to split your display up, but you’re doing more work than is necessary in most cases. Windows’ Snap Layouts allow you to instantly arrange your windows into predefined halves, thirds, or quarters. Just hover over the maximize button on any window or press Win+Z.

One of the most practical aspects of this system is the Snap Group. If you snap a browser and a document side-by-side, Windows remembers them as a pair. When you Alt+Tab, you can bring the entire group back together.

Live captions transcribe any audio on your device

Real-time subtitles for anything you’re watching

You can enable real-time subtitles for any audio playing through your speakers by going to Settings > Accessibility > Captions, or by pressing Win+Ctrl+L. The audio is processed locally on your device; nothing is sent to the cloud, which is critical if you’re privacy conscious or if whatever you’re captioning demands confidentiality.

I’ve mostly taken to using it when it is too hot to wear my headphones. I can just toggle it on and keep watching without disrupting anyone around me.

There are some hardware requirements you need to meet. Basic same-language captioning works on any Windows 11 PC running 22H2 and up, but if you want real-time translation, you will need Copilot+ hardware with an NPU and at least Windows 11 24H2.


Dynamic Lock locks your PC when you walk away

Pair your phone via Bluetooth and your computer can lock itself automatically

I can’t count how many times I’ve stepped away from my PC only to think, “Dang, I forgot to lock my PC.”

Fortunately, Windows has an easy way to handle that automatically by pairing your phone with your PC. When your phone gets out of range (about 20 feet in my house, though your wall materials and layout will affect that), your computer will automatically lock after about 30 seconds. There is no need to install a separate app on your phone; the setup just uses the Bluetooth connection itself. While the 30-second delay means it isn’t a guarantee that no one can access my PC, it does mean it won’t remain unlocked if I step away for a long time.

I especially like this feature when I’m working on my laptop in public.

You can enable Dynamic Lock by navigating to Settings > Bluetooth & devices and pairing your phone, then enabling Dynamic Lock in Settings > Accounts > Sign-in options.


Microsoft includes tons of great tools if you dig for them

These tools aren’t alone either. There are tons of practical tools buried in Windows, unappreciated and underutilized.

Each of these tools takes less than a minute to enable, but they can make a significant difference in your day-to-day workflow. It is worth the small investment of time to find them and set them up.

If you’re looking for even more advanced customization options, I’d recommend checking out Microsoft PowerToys. It gives you a huge range of fantastic tools that make Windows much more pleasant to use.
