Kali365 Token-Stealing Microsoft 365 Scam

INDIA — By BharatSecure Threat Intelligence Team

Verdict: Suspicious | Risk Score: 7/10 | Severity: high

Category: Phishing

How Kali365 Token-Stealing Microsoft 365 Scam Works

Overview: The Kali365 scam is a rapidly spreading fraud pattern targeting Indians who use Microsoft 365 (Office 365) for email or business collaboration. Unlike typical phishing that steals passwords, this attack harvests authentication tokens, allowing cybercriminals to access accounts even when Multi-Factor Authentication (MFA) is enabled. The stolen access typically leads to business email compromise, payment fraud, and data theft within Indian companies and government institutions.

How It Works:
  1. Scam emails, often with AI-generated content or lures, are sent to targeted employees or students.
  2. The emails contain links either to fake Microsoft login pages or to a genuine Microsoft consent screen that asks the user to grant OAuth permissions (such as reading and sending mail) to an attacker-controlled app.
  3. When the victim 'logs in' or clicks Accept, the attacker obtains an authentication token (a session token, or an OAuth access and refresh token for the app) rather than a password. Because the victim completed MFA before the token was issued, MFA does not block the attacker's later use of it, and the token keeps working until it is revoked.
  4. The attacker uses the compromised Microsoft 365 mailbox for internal corporate scams or to alter payment details in invoices.
  5. Stolen tokens and access logs are traded on Telegram or dark-web forums.

India Angle: India has millions of Microsoft 365 users in corporates, startups, and the public sector. The scam specifically targets professionals and educational institutions in urban metros like Bengaluru, Mumbai, Hyderabad, and Delhi NCR, impacting employees who deal with invoices or sensitive data.

Real Examples:
  • "Your Microsoft account session has expired. Login here to avoid data loss: [fake URL]"
  • "Urgent: Update Employee Directory. Click link and login with Microsoft Office 365 details."

Red Flags:
  • Unexpected emails asking you to grant permissions to unknown apps
  • Login requests through unfamiliar URLs (not office.com or microsoft.com), or a genuine Microsoft consent page listing an app and permissions you did not ask for
  • Messages about 'session expiry' or 'urgent updates' on a routine day
  • Email senders with suspicious domain names

Protective Measures:
  • Verify sender address[ADDRESS_REDACTED]
  • Never approve OAuth app permissions unless you initiated the request
  • Regularly review connected third-party apps in your Microsoft 365 security settings
  • Enable security alerts for new logins from unknown locations
  • Administrators: restrict which apps users may consent to (Microsoft Entra ID user consent settings), so that unverified apps require admin approval

If Victimised:
  • Immediately change your Microsoft password and revoke suspicious app access; a password change alone does not invalidate tokens already issued to an app you consented to, so the app's consent must be removed and your sign-in sessions revoked as well
  • Notify your IT or security team
  • Report the incident at cybercrime.gov.in
  • Monitor outgoing emails, inbox forwarding rules, and transactions for signs of tampering

Related Scams:
  • Invoice fraud or CEO email impersonation attacks
  • Internal HR or payroll compromise via fake login pages
  • Credential stuffing via infostealer logs

How This Scam Works — Detailed Explanation

The Kali365 Token-Stealing Microsoft 365 Scam targets a wide swath of Indian users who rely on Microsoft 365 for email and collaboration. Scammers use social media and professional networking sites such as LinkedIn to identify potential victims, study company hierarchies, and single out employees in finance, HR, and IT who are likely to have access to sensitive information or payment workflows. Posing as familiar contacts or authority figures, they send targeted phishing emails that prompt users to sign in to what appears to be a legitimate Microsoft 365 portal. The destination is either a counterfeit site that captures the session token issued after the victim completes sign-in (MFA step included), or a genuine Microsoft consent page that asks the victim to grant an attacker-controlled app permission to read and send their mail; in both cases the attacker ends up holding a token rather than a password.

To lure victims into their traps, phishing emails contain psychological tricks aimed at creating a sense of urgency. Scammers may use subject lines that mention pending approvals, financial transactions, or internal team updates to grab the recipient's attention. In the body of the email, they might include threats of session expiry or the words "important" and "immediate action required" to further press the victim. Often, these emails are from addresses that closely resemble legitimate Microsoft domains, leading the victim to believe they are in safe hands. Furthermore, there are OAuth permission requests embedded in these emails that lack any prior context or description, leading victims to unwittingly permit the app to access their accounts.

Once a victim is tricked into handing over an authentication token, the subsequent steps can be devastating. Cybercriminals can use the token to access the compromised Microsoft 365 mailbox, which may contain sensitive customer information, financial data, or proprietary business communications. For example, a finance employee at a small firm may have their mailbox accessed, allowing the attackers to create fake payment requests or to change the beneficiary details on a genuine invoice; the money is lost when the recipient pays it by bank transfer or UPI. Victims may also find their accounts being used to send further scam emails to colleagues and customers, leading to a cascading set of fraudulent activities that damage the company's reputation and digital integrity.

The real-world impact of the Kali365 scam is significant. According to recent reports, over ₹1,200 crore has been lost in India due to various forms of online fraud in the last year, with phishing scams being a prominent contributor. As noted by the Ministry of Home Affairs (MHA) and the Reserve Bank of India (RBI), these types of scams are not only detrimental to individual victims but also present greater risks to national security and economic integrity. Furthermore, with cybercrime on the rise, the National Cyber Security Policy emphasizes the need for proactive measures, urging individuals and businesses to stay vigilant against the escalating threat.

Being able to differentiate between legitimate communications and potential scams is crucial. Be wary of emails pushing for immediate logins or containing strange links. Poor grammar or spelling in the email can be a telltale sign of phishing, although AI-written lures are often clean. If the email requests OAuth permissions without any previous communication or context, that should raise immediate red flags. Check that a sign-in link points to Microsoft's official domain before entering any credentials, but do not stop there: a consent-phishing link is a genuine login.microsoftonline.com URL, and the tell is the consent screen itself, which names an app you did not ask for and lists permissions such as reading and sending your mail or "maintain access to data you have given it access to". Do not click Accept on such a screen; reach out to your IT department or use official channels to verify the request first. Keeping a critical mindset towards unusual requests will greatly reduce the chances of falling victim to scams like Kali365.


Who Does Kali365 Token-Stealing Microsoft 365 Scam Target?

Microsoft 365 users across India, in particular employees in finance, HR, and IT at corporates, startups, public-sector bodies, and educational institutions, with a concentration in metros such as Bengaluru, Mumbai, Hyderabad, and Delhi NCR.

Red Flags — How to Identify Kali365 Token-Stealing Microsoft 365 Scam

  • Emails urging Microsoft 365 login via strange links
  • OAuth app permission requests with no context
  • Threats of session expiry when not expected
  • Emails from address[ADDRESS_REDACTED]
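The two kinds of link this page warns about (the fake sign-in page in the How It Works steps, and the contextless OAuth permission request in the red flags above) can be told apart mechanically. The following is an added Python example, not BharatSecure's tooling; the host allow-list, the high-risk scope list, the approved client_id and the three sample links are all constructed for the demo:

```python
"""
Classify a sign-in link from a suspicious email.

Added example (not BharatSecure's code). Two separate tells are checked:
  1. the host is not a Microsoft sign-in domain (look-alike / fake page), or
  2. the host IS genuine (login.microsoftonline.com) but the URL is an OAuth
     authorize request asking for durable mailbox access on behalf of a
     client_id the organisation has never approved (consent phishing).
The allow-lists below are assumptions for the demo, not Microsoft's official lists.
"""
from urllib.parse import urlparse, parse_qs

# Hosts Microsoft uses for sign-in and consent (assumption: illustrative, not exhaustive).
MICROSOFT_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.live.com",
    "www.office.com",
    "www.microsoft.com",
}

# Delegated Graph scopes that give an app lasting access to mail or files.
HIGH_RISK_SCOPES = {
    "offline_access",      # issues a refresh token, so access outlives the session
    "mail.read", "mail.readwrite", "mail.send",
    "files.read.all", "files.readwrite.all",
    "user.read.all", "directory.read.all",
}

# Application (client) IDs already approved by the organisation (constructed value).
APPROVED_CLIENT_IDS = {"00000000-0000-0000-0000-000000000001"}


def _normalise_scope(scope: str) -> str:
    # Scopes may appear as bare names or as full URIs such as
    # https://graph.microsoft.com/Mail.ReadWrite; keep only the last segment.
    return scope.strip().lower().rsplit("/", 1)[-1]


def classify_login_link(url: str) -> dict:
    """Return a verdict ('ok', 'phishing', 'consent-phishing') and the reasons."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    findings = []

    if host not in MICROSOFT_LOGIN_HOSTS:
        kind = "look-alike" if ("microsoft" in host or "office" in host) else "non-Microsoft"
        findings.append(f"{kind} host: {host}")
        return {"verdict": "phishing", "host": host, "findings": findings}

    # Genuine host. A consent-phishing link is an ordinary authorize request;
    # the danger sits in its query string, not in the domain.
    path = parsed.path.rstrip("/")
    if "/oauth2/" in path and path.endswith("/authorize"):
        qs = parse_qs(parsed.query)
        client_id = qs.get("client_id", [""])[0]
        scopes = {_normalise_scope(s) for s in qs.get("scope", [""])[0].split()}
        risky = sorted(scopes & HIGH_RISK_SCOPES)
        if client_id and client_id not in APPROVED_CLIENT_IDS:
            findings.append(f"unknown client_id: {client_id}")
        if risky:
            findings.append("high-risk scopes: " + ", ".join(risky))
        if findings:
            return {"verdict": "consent-phishing", "host": host, "findings": findings}

    return {"verdict": "ok", "host": host, "findings": findings}


# Constructed sample links (not real indicators).
LOOKALIKE_LINK = "https://login.microsoftonline-verify.example/common/login?user=a"
CONSENT_LINK = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-2222-3333-4444-555555555555&response_type=code"
    "&redirect_uri=https%3A%2F%2Fmail-sync.example%2Fcb"
    "&scope=offline_access%20Mail.ReadWrite%20User.Read"
)
APPROVED_LINK = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000001&scope=User.Read"
)

if __name__ == "__main__":
    for link in (LOOKALIKE_LINK, CONSENT_LINK, APPROVED_LINK):
        print(classify_login_link(link))
```

The second branch is the one a domain check alone misses: the consent link is served by the real Microsoft sign-in host, so only the client_id and the requested scopes reveal it.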

What To Do If You Encounter Kali365 Token-Stealing Microsoft 365 Scam

  1. Report any suspicious emails or activities immediately to the Cybercrime Helpline by dialling 1930 or visiting cybercrime.gov.in.
  2. Change your Microsoft 365 password immediately if you suspect you have fallen victim to this scam, and ask your IT team to remove the malicious app's consent and revoke your active sign-in sessions; a password change alone does not invalidate tokens already issued to an app you consented to.
  3. Notify your bank about any potential payment fraud linked to your Microsoft 365 account for further investigation.
  4. Keep Multi-Factor Authentication (MFA) enabled on your accounts; it still stops password-only attacks even though this scam works around it, and administrators should additionally restrict which apps users are allowed to consent to.
  5. Educate your coworkers or family members about the signs of phishing attempts and how these scams operate.
  6. Regularly review any linked applications requesting permissions to access your accounts and revoke suspicious ones.
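The revocation steps above (and the If Victimised list earlier on the page) map onto a short sequence of Microsoft Graph calls. This is an added Python example, not BharatSecure's or Microsoft's code; the endpoint paths are real Graph v1.0 paths, but the FakeGraph stub, its grant and rule data, the user id and the approved service-principal id are constructed for the demo:

```python
"""
Post-compromise response for a consent-phished Microsoft 365 user, expressed
against Microsoft Graph v1.0 endpoints.

Added example (not BharatSecure's code). `graph` is any callable
graph(method, path, body=None) -> dict. A constructed in-memory stub
(FakeGraph, with made-up data) is included so the example runs offline;
in production pass a function that sends authenticated HTTPS requests to
https://graph.microsoft.com/v1.0 with an administrator's token.
"""
from typing import Callable, Dict, List, Optional, Set, Tuple

GraphCall = Callable[..., dict]

# Delegated scopes whose grant to an unapproved app is treated as malicious (assumption).
HIGH_RISK_SCOPES = {"offline_access", "mail.read", "mail.readwrite", "mail.send",
                    "files.read.all", "files.readwrite.all"}


def revoke_suspicious_grants(graph: GraphCall, user_id: str, approved_sp_ids: Set[str]) -> List[str]:
    """Delete the user's OAuth2 permission grants held by unapproved apps.

    Note: oauth2PermissionGrant.clientId is the *service principal* object id,
    not the application (client) id seen in the consent URL; resolve it via
    GET /servicePrincipals/{id} if you need the appId or display name.
    """
    grants = graph("GET", f"/users/{user_id}/oauth2PermissionGrants")["value"]
    removed = []
    for g in grants:
        scopes = {s.lower() for s in g.get("scope", "").split()}
        if g["clientId"] not in approved_sp_ids and scopes & HIGH_RISK_SCOPES:
            graph("DELETE", f"/oauth2PermissionGrants/{g['id']}")  # stops new tokens
            removed.append(g["clientId"])
    return removed


def revoke_sessions(graph: GraphCall, user_id: str) -> bool:
    """Invalidate the user's refresh tokens and session cookies.

    Access tokens already issued stay valid until they expire (typically about
    an hour), so attacker activity can continue briefly even after this call.
    """
    return bool(graph("POST", f"/users/{user_id}/revokeSignInSessions")["value"])


def find_forwarding_rules(graph: GraphCall, user_id: str) -> List[Tuple[str, str]]:
    """List inbox rules that forward or redirect mail, a common BEC persistence trick."""
    rules = graph("GET", f"/users/{user_id}/mailFolders/inbox/messageRules")["value"]
    hits = []
    for rule in rules:
        actions = rule.get("actions") or {}
        for key in ("forwardTo", "redirectTo", "forwardAsAttachmentTo"):
            for rcpt in actions.get(key) or []:
                hits.append((rule.get("displayName", ""), rcpt["emailAddress"]["address"]))
    return hits


def respond_to_compromise(graph: GraphCall, user_id: str, approved_sp_ids: Set[str]) -> Dict[str, object]:
    """Cut the app's access, then kill live sessions, then hunt for persistence."""
    return {
        "grants_removed": revoke_suspicious_grants(graph, user_id, approved_sp_ids),
        "sessions_revoked": revoke_sessions(graph, user_id),
        "forwarding_rules": find_forwarding_rules(graph, user_id),
    }


class FakeGraph:
    """Constructed stand-in for Microsoft Graph. All ids and addresses are made up."""

    def __init__(self) -> None:
        self.grants = [
            {"id": "grant-1", "clientId": "sp-approved-mail-client", "consentType": "Principal",
             "principalId": "user-1", "scope": "User.Read Mail.ReadWrite"},
            {"id": "grant-2", "clientId": "sp-unknown-app", "consentType": "Principal",
             "principalId": "user-1", "scope": "offline_access Mail.ReadWrite Files.ReadWrite.All"},
        ]
        self.rules = [
            {"displayName": "Move newsletters", "actions": {"moveToFolder": "folder-1"}},
            {"displayName": ".", "actions": {"forwardTo": [
                {"emailAddress": {"address": "drop@attacker.example"}}]}},
        ]
        self.calls: List[Tuple[str, str]] = []

    def __call__(self, method: str, path: str, body: Optional[dict] = None) -> dict:
        self.calls.append((method, path))
        if method == "GET" and path.endswith("/oauth2PermissionGrants"):
            return {"value": list(self.grants)}
        if method == "DELETE" and path.startswith("/oauth2PermissionGrants/"):
            grant_id = path.rsplit("/", 1)[-1]
            self.grants = [g for g in self.grants if g["id"] != grant_id]
            return {}
        if method == "POST" and path.endswith("/revokeSignInSessions"):
            return {"value": True}
        if method == "GET" and path.endswith("/messageRules"):
            return {"value": list(self.rules)}
        raise ValueError(f"unexpected Graph call: {method} {path}")


if __name__ == "__main__":
    fake = FakeGraph()
    print(respond_to_compromise(fake, "user-1", {"sp-approved-mail-client"}))
```

Order matters: deleting the grant stops the app from obtaining new tokens, revokeSignInSessions invalidates the refresh tokens it already holds, and the inbox-rule sweep catches the forwarding rule attackers typically leave so they keep receiving copies of mail after their access is cut.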

How to Report Kali365 Token-Stealing Microsoft 365 Scam in India

  • Call 1930 — National Cyber Crime Helpline (24x7)
  • File a complaint at cybercrime.gov.in
  • Contact your bank immediately if money was lost
  • Call RBI helpline: 14440 for banking fraud

Frequently Asked Questions

What to do if I shared my credentials in a phishing scam?
Immediately change your password and enable Multi-Factor Authentication, and have your IT department remove any app consents you did not initiate and revoke your active sessions, since tokens already issued to an app survive a password change. Report the incident to your IT department and inform your bank about any potential fraud.
How can I identify the Kali365 Token-Stealing Microsoft 365 Scam?
Look out for emails asking you to log in via unfamiliar links, requests for OAuth permissions without context, or threats regarding session expiry.
How can I report this type of scam in India?
You can report the scam by calling the Cybercrime Helpline at 1930 or filing a complaint at cybercrime.gov.in.
How can I recover money or protect my account after this scam?
Inform your bank about the scam, change your passwords, and consider freezing any financial accounts linked to the compromised email until they are verified.
