The other day I wrote a post about session token theft, and the response made it clear this topic deserves to be expanded on. Most small business owners in Southwest Oklahoma have never heard the term, but it is now one of the most common attacks against Microsoft 365 accounts. It bypasses your password. It bypasses the approval prompt on your phone. By the time anyone notices, the attacker is already inside your email, your files, your Teams chats, and most likely your bank account.
The FBI just issued a warning about this exact attack
On May 21, the FBI published an advisory about a new phishing-as-a-service kit called Kali365 that is built to do exactly this. Kali365 first emerged in April 2026 and is distributed through Telegram channels to cybercriminals looking for an easier way to compromise Microsoft 365 accounts without stealing passwords or intercepting MFA codes. The American Banker coverage of the warning put it plainly: device-code phishing bypasses multifactor authentication by stealing the session token a user receives after passing the multifactor check. The second factor is satisfied, then sidestepped. In other words, the FBI is now telling business owners what we have been telling clients for months. MFA is a checkpoint, not a finish line. Sources: Bleeping Computer | American Banker
What a session token actually is
When you sign into Microsoft 365 and approve the login prompt on your phone, Microsoft hands your computer a digital hall pass. That hall pass is called a session token. It proves you are signed in, so you do not have to retype your password and reapprove every click for the rest of the day. The session token is what attackers want now. If they steal that hall pass, they do not need your password and they do not need your phone.
How session token theft works
A scammer sends you a phishing email with a link or a code that looks like a real Microsoft prompt. You enter your information and approve the login like always. Microsoft sees a valid login and issues a session token. The attacker captures that session token in transit, loads it onto their own computer, and walks right into your account fully signed in.
What attackers do once they are inside
Stealing the session is only the first step. The attacker quickly adds their own phone or authenticator app as a new login method, changes your password, and removes your real login methods so you cannot get back in. Just like that, you are locked out of your own account. Next they set up inbox rules that forward your email to an address they control. If the hijacked account has admin rights, the damage spreads across the entire tenant.
How to protect your Microsoft 365 tenant
Every Wolferdawg IT Consulting client tenant runs customized Microsoft sign-in branding, so users always see their company logo and background after typing their email. No logo, no login. Behind the scenes, we layer in conditional access policies that detect when a session token is being used from the wrong device or the wrong location, phishing-resistant login methods like FIDO2 security keys, restrictions on who can change login methods and passwords, and regular reviews of which apps users have granted access to in Microsoft 365.
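As an added example (not from the original post and not Wolferdawg's own tooling), here is a small Python detector for the pattern the conditional access policies above look for: the same session reused from a different device or country. The event format and field names are a constructed simplification, not the exact Microsoft sign-in log schema.

```python
# Added example, not from the original post: flag a session that is reused
# from a different device or country, the sign of a stolen session token.
# The event format below is a constructed simplification; field names are
# assumptions, not the real Entra sign-in log schema.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events. The third event reuses session S1 from
# the first two but arrives from a different device and a different country.
SAMPLE_EVENTS = [
    {"time": "2026-05-21T08:02:00", "user": "pat@example.com", "session": "S1",
     "device": "WS-0419", "ip": "203.0.113.10", "country": "US"},
    {"time": "2026-05-21T08:40:00", "user": "pat@example.com", "session": "S1",
     "device": "WS-0419", "ip": "203.0.113.10", "country": "US"},
    {"time": "2026-05-21T09:05:00", "user": "pat@example.com", "session": "S1",
     "device": "UNKNOWN", "ip": "198.51.100.77", "country": "NL"},
    {"time": "2026-05-21T09:10:00", "user": "lee@example.com", "session": "S2",
     "device": "WS-0420", "ip": "203.0.113.11", "country": "US"},
]


def find_session_anomalies(events, window_minutes=120):
    """Return one alert per sighting where a session is reused from a different
    device or country within window_minutes of its previous sighting."""
    by_session = defaultdict(list)
    for e in events:
        by_session[(e["user"], e["session"])].append(e)
    alerts = []
    for (user, session), seen in by_session.items():
        seen.sort(key=lambda e: e["time"])
        for prev, cur in zip(seen, seen[1:]):
            gap = datetime.fromisoformat(cur["time"]) - datetime.fromisoformat(prev["time"])
            if gap > timedelta(minutes=window_minutes):
                continue  # too far apart to compare; a real system would still log it
            reasons = []
            if cur["device"] != prev["device"]:
                reasons.append(f"device {prev['device']} -> {cur['device']}")
            if cur["country"] != prev["country"]:
                reasons.append(f"country {prev['country']} -> {cur['country']}")
            if reasons:
                alerts.append({"user": user, "session": session, "ip": cur["ip"],
                               "time": cur["time"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in find_session_anomalies(SAMPLE_EVENTS):
        print(a["time"], a["user"], a["session"], a["ip"], "; ".join(a["reasons"]))
```

In a real tenant the same logic would run over exported sign-in logs, and the alert would feed a conditional access block or a forced sign-out of that session.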
The bottom line for Southwest Oklahoma business owners
The FBI does not issue warnings about theoretical threats. You can rest assured that session token theft is happening right now to small businesses across the country, and the tools to carry it out are being sold on Telegram for anyone to use. If your Microsoft 365 setup has not been reviewed against this kind of attack, that is the gap worth closing this quarter.
Wolferdawg IT Consulting hardens Microsoft 365 tenants for small and mid-size businesses across Southwest Oklahoma. Call (580) 956-8424 or visit wolferdawg.io to schedule a review.