If your dealership uses Microsoft 365 for email, file sharing, Teams chats, or day-to-day operations, the FBI’s latest warning deserves your attention.
A new phishing toolkit called “Kali365” is helping cybercriminals break into Microsoft 365 accounts in a way that bypasses traditional passwords and even multi-factor authentication (MFA).
That’s the part dealership executives need to understand: this isn’t the old-fashioned phishing attack where someone simply steals a password. Attackers are now stealing the digital “session tokens” that prove a user already logged in successfully. Once they have those tokens, they can access email, files, Teams conversations, OneDrive data, and other Microsoft 365 services without triggering another login challenge.
And unfortunately, dealerships are attractive targets.
Why Dealerships Should Care
Modern dealerships operate heavily inside Microsoft 365 environments. Sales conversations, customer information, deal jackets, financial documents, HR records, and vendor communications often flow through Outlook, Teams, SharePoint, and OneDrive every day.
That makes Microsoft 365 a goldmine for cybercriminals.
The FTC already considers dealerships financial institutions under the Safeguards Rule. That means dealerships are expected to maintain a comprehensive information security program designed to protect customer information.
The challenge is that cybercriminals are evolving faster than many dealerships realize.
The FBI says tools like Kali365 are lowering the barrier to entry for attackers by offering “Phishing-as-a-Service.” In simple terms, criminals no longer need advanced hacking skills. They can essentially subscribe to sophisticated phishing platforms that provide templates, dashboards, AI-generated phishing emails, and automated attack tools.
That means more attackers. More phishing attempts. More convincing scams.
“But We Have MFA Enabled…”
This is one of the biggest misconceptions we see during dealership cybersecurity assessments.
Many dealership leaders believe enabling MFA means they are fully protected. MFA is extremely important and absolutely should be enabled. But modern attackers are increasingly finding ways around basic MFA deployments.
In these newer attacks, users may unknowingly authorize a malicious login request through what appears to be a legitimate Microsoft page. Once the user approves it, the attacker captures the authentication token and gains ongoing access.
In other words, the attacker isn’t “breaking in” anymore. They’re logging in. That’s a major shift in how dealership cybersecurity must be approached.
Why This Matters So Much for Dealerships
Once a Microsoft 365 account is compromised, attackers can often:
- Monitor internal email conversations
- Launch Business Email Compromise (BEC) attacks
- Steal customer and financial data
- Access sensitive HR records
- Send phishing emails from trusted employee accounts
- Move laterally through cloud applications and dealership systems
- Prepare for ransomware deployment
And because these attacks often use legitimate authenticated sessions, they can be difficult to spot without advanced monitoring and cybersecurity expertise.
This is one of the reasons dealerships can no longer rely solely on traditional IT support to protect the organization.
The Growing Risk of Identity-Based Attacks
Cybersecurity experts increasingly describe “identity” as the new security perimeter.
Why?
Because attackers have realized it’s often easier to trick users and steal authenticated sessions than it is to exploit firewalls or break through traditional network defenses.
Microsoft researchers have also warned about the growing use of AI-enabled phishing campaigns that automate and scale these attacks.
For dealerships, this means cybersecurity programs must evolve beyond basic antivirus software and simple MFA deployments.
Modern defense requires:
- Properly configured and managed MFA
- Continuous monitoring of Microsoft 365 activity
- Detection of suspicious login behavior
- Conditional access policies
- Security awareness training
- Advanced email protection
- 24/7/365 threat monitoring and response
- Regular cybersecurity assessments
- Experienced cybersecurity professionals actively managing the environment
Most importantly, it requires ongoing management.
Cybersecurity is no longer something dealerships can “set and forget.”
The Bottom Line
The FBI’s warning about Kali365 is another reminder that cyber threats are evolving rapidly — and dealerships are firmly in the crosshairs.
The days of relying on passwords alone are long gone.
Unfortunately, the days of relying on basic MFA configurations alone may be fading as well.
Dealerships need a layered, actively managed cybersecurity strategy that assumes attackers are constantly looking for ways to exploit users, identities, and cloud platforms like Microsoft 365.
Because in many cases, the cybercriminal isn’t trying to smash through the front door anymore.
They’re quietly walking in with what appears to be legitimate access.
