The Federal Bureau of Investigation issued a stark warning this month. Cybercriminals now wield a subscription service called Kali365 to hijack Microsoft 365 accounts. They don’t need passwords. They don’t battle multi-factor authentication prompts. They simply trick users into a few clicks on legitimate Microsoft pages. First spotted in April 2026, the platform sells access to AI-generated lures, ready-made campaign templates, live tracking dashboards and direct capture of OAuth tokens. Distributed mainly through Telegram channels, it has already fueled widespread campaigns against organizations of all sizes. FBI Internet Crime Complaint Center laid out the mechanics in plain language on May 21. Attackers send emails that look routine. They pose as invitations to schedule interviews, requests to review shared documents or alerts from trusted cloud services. The message contains a short device code and directs the recipient to visit a genuine Microsoft verification page. There the user enters the code.…