
Lost Your Microsoft Account to a Token-Theft Scam? How to Tell, and How to Get It Back

The FBI warned about phishing kits that bypass MFA by stealing login tokens. How to tell if your Microsoft account was hijacked, the recovery steps that work, and when to escalate.

AccountRights Legal Research


In May 2026 the FBI took the unusual step of issuing a public warning about a single phishing kit. Security researchers at Malwarebytes covered it too: a phishing-as-a-service platform nicknamed "Kali365" that hijacks Microsoft 365 accounts not by stealing your password, but by capturing the sign-in token that keeps your account logged in.

That distinction is the whole problem. Because the attacker walks off with the token rather than the password, your multi-factor authentication doesn't stop them: the code or app approval already happened, on your side, and the token they hold was issued after it. And because that token keeps your session "remembered," they can sit inside your Outlook, OneDrive, and Teams for a long time, quietly, replaying it without ever having to sign in again.

It's tempting to file this under "business IT problem." It isn't only that. The same trick works against anyone with a personal Outlook or Microsoft 365 subscription. If you think your account has been taken over this way, here's how to confirm it and what to do about it.

How to tell if your account was actually hijacked

Token theft is designed to be quiet, so the signs are often small. Any one of these is worth a closer look:

  • A device or sign-in you don't recognise. Check the devices listed at account.microsoft.com/devices and the sign-in history on your account's Recent activity page (account.live.com/Activity for personal accounts). Note the date, location and app of anything unfamiliar; you may need that record later.
  • Emails in your Sent folder you never wrote, or messages that have vanished from your inbox.
  • New inbox rules you didn't create — especially ones that forward your mail elsewhere or auto-delete certain messages. Attackers add these to keep reading your mail and to hide password-reset notices.
  • Password-reset or security alerts for other accounts (your bank, your socials) that you didn't request, which can mean someone is using your mailbox to pivot.
  • Contacts telling you they got a strange "shared document" or login request from your address.

If you're seeing these, treat the account as compromised and move quickly. With token theft, time matters more than usual: the intruder's access lasts as long as the stolen token stays valid, and every hour inside gives them a chance to plant something that outlives it (an inbox rule, an app consent, an extra sign-in method). Your job is to invalidate the token and then remove whatever they left behind.

The recovery procedure, step by step

Do this from a device you trust and know is clean, not the one you suspect was involved.

  1. Change your password — but know it isn't enough on its own. Resetting the password is step one, but tokens issued before the change can keep working until they expire or are revoked, and the attacker may hold a session on a device the reset never touched. That's why the next step matters just as much.
  2. Sign out everywhere and revoke active sessions. In your Microsoft account security settings, use the option to sign out of all sessions and devices. For a work or school account, this is the point to call your IT administrator: only they can revoke all of your refresh tokens and sessions tenant-wide and pull the intruder out for good.
  3. Remove unknown devices and connected apps. Review the devices listed under your account and remove any you don't recognise. Then check which third-party apps have permission to access your account, and revoke anything unfamiliar — consent granted to a rogue app is a common way attackers hold on.
  4. Re-check and reset your MFA. Look at the authenticator entries and phone numbers registered for security. Remove any you didn't add, and re-register your own.
  5. Hunt for the hidden inbox rules. Go through your mail rules and the mailbox-level forwarding settings carefully and delete anything you didn't set up. This is the step people skip, and it's exactly how an attacker keeps reading your mail after you've changed the password.
  6. Confirm your recovery email and phone are still yours. Attackers often swap these so they can reset their way back in. Make sure both point to you.
  7. Check what was touched. Review OneDrive and SharePoint sharing links, and skim your mailbox for evidence of what was read or sent, so you know who else may need warning.
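For the administrator side of steps 2 to 5 on a work or school account, the following PowerShell script is an added example written for this page; it is not the article's own material or a Microsoft-supplied tool. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed, that the operator holds the roles those cmdlets require, and that victim@example.com is a placeholder for the affected user. It pulls recent sign-ins, revokes every session and refresh token, lists and removes forwarding or deleting inbox rules and mailbox forwarding, and lists OAuth consents, registered sign-in methods and devices for review.

```powershell
# Added example (not from the article): admin-side triage and eviction for a
# suspected token-theft takeover of a Microsoft 365 work/school account.
# Assumptions: Microsoft.Graph and ExchangeOnlineManagement modules installed,
# operator holds the needed roles, $User is a placeholder UPN to replace.
# Run from a clean admin workstation, never from the victim's device.

$User = 'victim@example.com'   # placeholder, replace before use

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'AuditLog.Read.All', 'Directory.Read.All',
                        'UserAuthenticationMethod.Read.All', 'DelegatedPermissionGrant.ReadWrite.All'
Connect-ExchangeOnline -ShowBanner:$false

# --- Step 2 (triage): recent sign-ins. Look for IPs, countries and apps you cannot explain.
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$User'" -Top 50 |
    Select-Object CreatedDateTime, IpAddress, AppDisplayName,
                  @{n = 'Country'; e = { $_.Location.CountryOrRegion } },
                  @{n = 'Result';  e = { $_.Status.ErrorCode } } |
    Format-Table -AutoSize

# --- Step 2 (evict): revoke every refresh token and browser session for the user.
# A password reset alone leaves already-issued tokens usable until they expire.
Revoke-MgUserSignInSession -UserId $User | Out-Null
Write-Host "Sessions and refresh tokens revoked for $User"

# --- Step 5: inbox rules and mailbox-level forwarding, the classic persistence spot.
$rules = Get-InboxRule -Mailbox $User
$rules | Select-Object Name, Enabled, ForwardTo, ForwardAsAttachmentTo,
                       RedirectTo, DeleteMessage, MoveToFolder | Format-List

# Remove any rule that forwards, redirects or silently deletes mail.
$suspect = $rules | Where-Object {
    $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage
}
foreach ($r in $suspect) {
    Write-Warning "Removing suspicious inbox rule '$($r.Name)'"
    Remove-InboxRule -Mailbox $User -Identity $r.Identity -Confirm:$false
}

# Mailbox-level forwarding is separate from inbox rules and is easy to miss.
$mbx = Get-Mailbox -Identity $User
if ($mbx.ForwardingAddress -or $mbx.ForwardingSmtpAddress) {
    Write-Warning "Clearing mailbox forwarding: $($mbx.ForwardingAddress) $($mbx.ForwardingSmtpAddress)"
    Set-Mailbox -Identity $User -ForwardingAddress $null -ForwardingSmtpAddress $null `
                -DeliverToMailboxAndForward $false
}

# --- Step 3: OAuth consents. A rogue app the user was tricked into approving keeps
# its own tokens, which survive both the password change and the session revocation.
$grants = Get-MgUserOauth2PermissionGrant -UserId $User
$grants | Select-Object Id, ClientId, Scope, ConsentType | Format-Table -AutoSize
# After reviewing the list, revoke anything unfamiliar, e.g.:
#   Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId '<grant id from the list>'

# --- Step 4 and step 3: registered sign-in methods and devices. Attackers add their
# own authenticator or phone so they can pass MFA after you reset the password.
Get-MgUserAuthenticationMethod -UserId $User |
    Select-Object Id, @{n = 'Type'; e = { $_.AdditionalProperties['@odata.type'] } } |
    Format-Table -AutoSize
Get-MgUserRegisteredDevice -UserId $User |
    Select-Object Id, @{n = 'Name'; e = { $_.AdditionalProperties['displayName'] } } |
    Format-Table -AutoSize
```

The script deliberately revokes sessions before it lists anything the user can still change, so an attacker who is logged in while you investigate cannot undo your clean-up. Consents, sign-in methods and devices are only listed, not removed, because a legitimate user typically has several of each and the wrong removal locks them out; delete those by hand after confirming with the owner.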

Report it

Reporting won't restore your account by itself, but it creates a record you may need later. In the US, the FBI takes reports at its Internet Crime Complaint Center (ic3.gov). In the EU, report to your national cybercrime unit, and — because email accounts hold personal data — you can also raise it with your national data protection authority, particularly if the breach exposed information about other people.

When recovery stalls — and where AccountRights fits

Most account takeovers can be unwound with the steps above. Some can't. You may find the account locked in a verification loop, "secured" by the attacker with recovery details changed to theirs, or simply unreachable because the provider's automated recovery flow keeps rejecting you. This is the same wall people hit with hijacked Facebook and Instagram accounts: the self-service tools run out, and there's no human on the other end.

To be clear about what we do and don't do: AccountRights is not technical support. We can't reset your password or log you back in, and the steps above are always the right place to start. Where we come in is the stage after that — when a legitimate owner has done everything correctly and the account is still out of reach, or when the loss has caused real harm.

At that point the levers change from technical to legal. Under the GDPR, you have a right of access to the data a provider holds about you and the decisions affecting your account, which can force the matter onto a legal desk instead of an automated queue and surface what actually happened. Depending on the facts and your country, further routes may apply. Our free diagnostic assesses, in under five minutes, whether your situation has the legal merit to escalate — and if it does, we connect you with an independent partner attorney who deals directly with the provider's legal department. You contract with that attorney yourself and see their fees in writing before any work begins.


The best recovery is not needing one

Worth repeating the one habit that defeats this entire class of attack: never enter a sign-in code on a Microsoft page just because an email, document share, or Teams invite told you to. Only do it when you started the sign-in yourself, on your own device. Slow down, read the prompt, and be suspicious of unexpected login requests even when the page looks completely legitimate. With this scam the page genuinely is Microsoft's; what's fake is the reason you were sent there, and the code you type approves a sign-in the attacker set in motion. That's what makes it work.
