Kali365 Token-Stealing Microsoft 365 Scam — How to Identify & Stay Safe

INDIA — By BharatSecure Threat Intelligence Team

Severity: HIGH

Kali365 Token-Stealing Microsoft 365 Scam India 2026: Beware of This High-Risk Phishing Attack

The Kali365 token-stealing scam is a rising cyber threat in India during 2026, targeting Microsoft 365 users with sophisticated phishing to steal login access.

What Is the Kali365 Token-Stealing Microsoft 365 Scam?

The Kali365 scam is a phishing attack aimed mainly at Indian Microsoft 365 users, particularly professionals who rely on the platform for corporate email, files, and collaboration tools. According to reports in cybercrime forums and complaints to Indian authorities, fraudsters impersonate trusted contacts or company executives and send highly targeted emails. These messages trick victims into logging into fake Microsoft 365 portals that harvest authentication tokens instead of passwords, which lets the thieves access corporate accounts without tripping the usual password-based protections.

This scam is widespread across India’s metro cities, especially in sectors like finance, human resources, and IT where Microsoft 365 is critical to daily operations. Cybersecurity experts broadly agree that scammers use social media and professional networking sites like LinkedIn to study organisational hierarchies and select high-value targets with access to sensitive financial or employee records.

The Indian Computer Emergency Response Team (CERT-In), along with the Indian Cybercrime Coordination Centre (I4C), has issued warnings about token-stealing techniques, urging organisations to educate employees on identifying phishing attempts. While no direct RBI advisory mentions Kali365 by name, the Reserve Bank of India continually emphasises vigilance against scams targeting enterprise email and payment systems connected via platforms like UPI.

How This Scam Works — Step by Step

  1. Target Identification: Scammers scan LinkedIn, Facebook, or company websites to identify employees in departments like Finance, HR, and IT with access to Microsoft 365 credentials.

  2. Pretext Setup: The fraudster creates a believable pretext by impersonating a colleague or manager within the same organisation. Sometimes they reference ongoing projects or recent announcements to build trust.

  3. Phishing Email Sent: The victim receives a convincing email that looks like an official Microsoft 365 notification or an urgent request for document review. The email includes a link supposedly to the Microsoft login page, but it actually leads to a counterfeit portal controlled by the scammer.

  4. Token Harvesting: When the victim enters credentials, the fake page captures the authentication token that Microsoft 365 issues so that later requests are accepted without re-checking the password. This token gives scammers persistent entry into the victim’s account.

  5. Account Takeover & Data Abuse: Using stolen tokens, fraudsters access emails, corporate files, and even financial transaction workflows. They may initiate fraudulent fund transfers via UPI or bank portals linked from emails.

  6. Money Theft or Data Leak: Victims lose funds directly through fraudulent UPI payments or suffer indirect losses from leaked sensitive company data, affecting reputations and causing operational disruption.
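
From the defender's side, the token reuse in steps 4 and 5 shows up in sign-in records as one session being presented from a second location or client. The following is an added example, not part of the original article; the record layout and field names are hypothetical and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sign-in records. Field names are hypothetical; map them to
# whatever your Microsoft 365 sign-in log export actually provides.
SAMPLE_EVENTS = [
    {"time": "2026-01-12T09:01:00", "user": "a.rao@example.in", "session": "S1",
     "ip": "203.0.113.10", "country": "IN", "agent": "Edge/Windows", "interactive": True},
    {"time": "2026-01-12T09:40:00", "user": "a.rao@example.in", "session": "S1",
     "ip": "203.0.113.77", "country": "IN", "agent": "Edge/Windows", "interactive": False},
    {"time": "2026-01-12T09:05:00", "user": "a.rao@example.in", "session": "S1",
     "ip": "198.51.100.23", "country": "NL", "agent": "python-requests", "interactive": False},
    {"time": "2026-01-12T10:00:00", "user": "hr.lead@example.in", "session": "S2",
     "ip": "192.0.2.44", "country": "IN", "agent": "Chrome/macOS", "interactive": True},
]

def find_token_replay(events):
    """Return findings for sessions whose token is later presented from a
    different country or client than the interactive login that created it."""
    sessions = defaultdict(list)
    for ev in events:
        sessions[(ev["user"], ev["session"])].append(ev)

    findings = []
    for (user, session), evs in sorted(sessions.items()):
        evs.sort(key=lambda ev: datetime.fromisoformat(ev["time"]))
        origin = next((ev for ev in evs if ev["interactive"]), None)
        if origin is None:
            # Token in use, but this data set holds no interactive login for it.
            findings.append({"user": user, "session": session, "severity": "high",
                             "changed": ["no-interactive-login"], "ip": evs[0]["ip"]})
            continue
        seen = set()
        for ev in evs:
            changed = [k for k in ("ip", "country", "agent") if ev[k] != origin[k]]
            source = (ev["ip"], ev["agent"])
            if not changed or source in seen:
                continue
            seen.add(source)
            # An IP change alone is common (mobile data, VPN); a new country or client is not.
            severity = "high" if {"country", "agent"} & set(changed) else "low"
            findings.append({"user": user, "session": session, "severity": severity,
                             "changed": changed, "ip": ev["ip"]})
    return findings

if __name__ == "__main__":
    for finding in find_token_replay(SAMPLE_EVENTS):
        print(finding)
```

High-severity findings are the sessions to revoke first; low-severity ones need a look at whether the user was travelling or on a VPN.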

Real Warning Signs to Watch For

What Happens to Victims

Victims often face loss of access to their Microsoft 365 accounts, compromising sensitive corporate emails and files. In finance departments, stolen tokens can facilitate fraudulent UPI or bank transactions, causing direct financial loss in INR. Victims may also experience Aadhaar data misuse if emails contain HR-related personal information, increasing risks of identity theft.

Emotionally, victims suffer stress and loss of trust in workplace communication channels. Recovery is often slow since stolen tokens bypass password changes, requiring in-depth IT forensic intervention. Affected companies may report disruptions to their RBI-linked banking partners and CERT-In to mitigate further risk.

What RBI and CERT-In Say

RBI regularly issues circulars warning banks and customers about phishing and identity-theft frauds relating to UPI and online banking. The central bank advises users to never share credentials or one-time passwords (OTPs).

CERT-In has emphasised in its public advisories on phishing and token theft that users should be alert to targeted social engineering and verify hyperlinks before clicking, especially in corporate email environments. The national cybercrime helpline — dial 1930 — is available for victims to report such scams immediately. I4C also coordinates with local police and cybersecurity agencies to track and respond to token-stealing scams in India.

How to Protect Yourself

  1. Verify Email Sender: Double-check sender email addresses, especially those claiming to be IT or HR departments. Official emails usually come from verified company domains.

  2. Avoid Clicking Unknown Links: Hover over URLs to inspect the actual web address before clicking. Do not trust shortened or suspicious-looking links.

  3. Use Multi-Factor Authentication (MFA): Enable MFA on Microsoft 365 accounts to add an extra verification layer beyond passwords or tokens.

  4. Educate Yourself and Colleagues: Conduct regular phishing awareness training focused on recognising token theft tactics.

  5. Report Suspicious Emails: Use your corporate phishing-reporting tool or forward suspicious mail to CERT-In or your IT team.

  6. Check Account Activity: Periodically review recent Microsoft 365 login history and revoke unknown sessions.

  7. Update Passwords and Security Info: Even with token theft, resetting passwords regularly can help disrupt attacker access.
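
The hover check in step 2 can be automated for reported mail. The following is an added example, not part of the original article: it compares each link's real host with the Microsoft sign-in hosts and with the text shown to the reader. The `.example` hosts and the mail body are constructed, and the brand-word list is an assumption to tune.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Microsoft sign-in hosts; add your organisation's own SSO host if it has one.
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.live.com"}
BRAND_WORDS = ("microsoft", "office365", "outlook")
# Constructed mail body: two lookalike links and one genuine sign-in link.
SAMPLE_MAIL = (
    '<a href="https://login.microsoftonline.com.verify-session.example/common">https://login.microsoftonline.com</a>'
    '<a href="https://login.microsoftonline.com@portal.example/auth">Sign in to Microsoft 365</a>'
    '<a href="https://login.microsoftonline.com/common/oauth2/authorize">Open document</a>'
)

class LinkCollector(HTMLParser):  # collects (href, visible text) for every <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        self._text.append(data)  # buffer is reset at each <a>, so stray text is discarded
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def review_links(html_body):
    """Return (host, reasons) for links that must not be treated as a Microsoft sign-in page."""
    collector = LinkCollector()
    collector.feed(html_body)
    flagged = []
    for href, text in collector.links:
        parts = urlsplit(href)
        host = parts.hostname or ""
        if parts.scheme == "https" and host in TRUSTED_LOGIN_HOSTS:
            continue  # exact host match only; a trusted name used as a prefix does not count
        reasons = []
        if any(word in (text + " " + href).lower() for word in BRAND_WORDS):
            reasons.append("Microsoft branding but not an HTTPS Microsoft sign-in host")
        if "@" in parts.netloc:
            reasons.append("text before '@' is not the host")
        if "." in text and " " not in text:  # visible text is itself a URL or hostname
            shown = urlsplit(text if "://" in text else "//" + text).hostname
            if shown != host:
                reasons.append("visible text names a different host than the target")
        if reasons:
            flagged.append((host, reasons))
    return flagged
```

Run on `SAMPLE_MAIL`, `review_links` flags the first two links and passes the genuine sign-in link.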

What to Do If You've Been Targeted

Frequently Asked Questions

Q: How can scammers steal tokens without my password?
Token stealing works by capturing your authentication token issued after you log in. This token acts like a digital key, letting scammers bypass the password step to access your Microsoft 365 account.

Q: Is enabling multi-factor authentication enough to stop this scam?
MFA significantly reduces risk but is not foolproof. Some advanced token-theft attacks can steal the session cookies that hold the token. Combining MFA with user awareness and monitoring is essential.

Q: Can I recover money lost through fraudulent UPI payments linked to this scam?
Recovery depends on your bank’s policies and reporting speed. Inform your bank immediately, request a reversal, and file complaints with cybercrime authorities for the best chance at a refund.

For any suspicious Microsoft 365 login requests or emails, always verify authenticity at BharatSecure.app. If you face fraud, report promptly at the 1930 cybercrime helpline to seek assistance.

Disclaimer: This article describes a pattern of fraud reported in public sources for public-safety awareness. It is not legal, financial, or medical advice. To request correction or removal of any content, write to hello@bharatsecure.app.
