Fake DocuSign or Microsoft email tricks you into entering a code that grants account access
A phishing email impersonating DocuSign or Adobe asks you to type a short code into Microsoft's real sign-in page. The code silently grants attackers full access to Outlook, Teams, and OneDrive — bypassing your password and MFA.
Also known as: Kali365 phishing, Microsoft device code phishing, OAuth token phishing, M365 account takeover, PhaaS Microsoft 365
Already happened to you? Do this in the next few minutes
- 1 Call your bank or card's fraud line right now. Use the number on the back of your card — not any number from the message or caller. Ask them to stop or reverse the payment and freeze the account.
- 2 If you paid by gift card, wire, or an app (Zelle, Venmo, Cash App): contact that company immediately and report it as fraud. Acting fast sometimes recovers the money.
- 3 Report to the FBI at ic3.gov and the FTC at reportfraud.ftc.gov. The sooner, the better.
What to do right now
- 1 Never enter a code from an unexpected email into any website, including real Microsoft pages — DocuSign and Adobe Sign never use Microsoft's device authorization flow to open a document.
- 2 If you entered a device code, immediately go to myaccount.microsoft.com → Security → Manage connected apps and revoke all unfamiliar authorizations.
- 3 Check your Outlook email rules and forwarding settings at once — attackers configure these within seconds of gaining access.
- 4 Change your Microsoft password and sign out of all sessions at account.microsoft.com → Security → Sign-in activity.
- 5 Report to the FTC at https://reportfraud.ftc.gov and the FBI's IC3 at https://www.ic3.gov.
Red flags
- ⚠ Email claims to be from DocuSign, Adobe Acrobat Sign, or SharePoint but asks you to authenticate on Microsoft's device login page — legitimate document services never work this way
- ⚠ You are directed to microsoft.com/common/devicelogin or aka.ms/devicelogin — entering the provided code on that real Microsoft page authorizes the attacker's device, not yours
- ⚠ Your MFA notification fires and completing it does NOT protect you once the device code has been entered — the attacker receives the access token regardless
- ⚠ Within seconds of you entering the code, attackers add email forwarding rules, export contacts, and access OneDrive
- ⚠ The platform behind this (Kali365) costs as little as $250/month and is available to non-technical criminals
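For administrators who want to spot the pattern described in the red flags above (a device-code sign-in followed within minutes by a new forwarding or inbox rule), here is an added example that correlates the two log streams. It is not code from the advisory or from Microsoft; the sample records are constructed, the `authenticationProtocol` field name follows the Microsoft Graph sign-in schema, and the operation names follow Exchange Online audit logging.

```python
"""Correlate device-code sign-ins with mailbox-rule changes shortly after them.

Added example, not from the advisory. Sample records below are constructed;
field names follow the Microsoft Graph signIn schema (authenticationProtocol)
and Exchange Online audit-log operation names (New-InboxRule, Set-Mailbox).
"""
from datetime import datetime, timedelta

# The advisory says rules appear "within seconds"; 10 minutes is a generous
# window that still excludes ordinary day-to-day rule edits (assumption).
WINDOW = timedelta(minutes=10)
MAILBOX_OPS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules", "Set-Mailbox"}

# Constructed sample sign-in records (one device-code, one ordinary OAuth).
SIGNINS = [
    {"user": "alice@example.com", "time": "2026-05-21T09:00:00Z",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.7"},
    {"user": "bob@example.com", "time": "2026-05-21T09:05:00Z",
     "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.4"},
]
# Constructed sample Exchange audit records.
AUDIT = [
    {"user": "alice@example.com", "time": "2026-05-21T09:00:42Z",
     "operation": "New-InboxRule", "ipAddress": "203.0.113.7"},
    {"user": "bob@example.com", "time": "2026-05-21T09:06:00Z",
     "operation": "Set-Mailbox", "ipAddress": "198.51.100.4"},
]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def correlate(signins, audit, window=WINDOW):
    """Return one hit per device-code sign-in that is followed, for the same
    user and inside `window`, by a forwarding/inbox-rule change."""
    hits = []
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue  # interactive and normal OAuth sign-ins are not the pattern
        t0 = _ts(s["time"])
        for a in audit:
            if a["user"] != s["user"] or a["operation"] not in MAILBOX_OPS:
                continue
            delta = _ts(a["time"]) - t0
            if timedelta(0) <= delta <= window:
                hits.append({"user": s["user"], "signin_time": s["time"],
                             "operation": a["operation"], "seconds_after": delta.seconds,
                             "source_ip": a["ipAddress"]})
    return hits
```

A hit is a triage lead, not proof: confirm by revoking the consent and checking the rule's target address as the steps above describe.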
Sources
- IC3 — PSA260521: Kali365 Phishing-as-a-Service Kit Hijacks Microsoft 365 Access Tokens (May 2026)
- BleepingComputer — FBI warns of Kali365 phishing service targeting Microsoft 365 accounts (May 2026)
- Malwarebytes — Kali365 phishing kit bypasses MFA and steals Microsoft logins (May 2026)
- Bitdefender — FBI warns Kali365 breaks into Microsoft 365 accounts without a password (May 2026)