The FBI issued a warning on May 21, as a new AI-powered attack enables “threat actors to obtain Microsoft 365 access tokens and bypass multi-factor authentication (MFA) protocols without intercepting the user’s credentials.”
Dubbed Kali365, this phishing-as-a-service threat was first discovered last month. The FBI released its public service announcement “to warn the public” that these attacks use Microsoft’s authentication infrastructure to steal user credentials.
The new phishing-as-a-service platform is distributed via every hacker’s favorite messenger — Telegram. But the attack will come at you via email. “Kali365 lowers the barrier of entry,” the bureau says, “providing less-technical attackers access to AI-generated phishing lures, automated campaign templates, real-time targeted individual/entity tracking dashboards, and OAuth token capture capabilities.”
If you’re targeted, you’ll first see an email “impersonating (a) trusted cloud productivity (or) document-sharing services.” This will include a device code “with instructions to visit a legitimate Microsoft verification page and enter the code.”
You then “navigate to the real Microsoft page and paste in the device code.” At that point you are sharing your OAuth access code with the attacker, who can then use it on their own machine to gain access to your Microsoft 365 account.
The FBI warns that once that’s done, “the attacker can now access Microsoft 365 services such as Outlook, Teams, and OneDrive without needing a password or completing any additional MFA challenges.”
Most mitigations for this sit at the enterprise level. Blocking device authentication or creating conditional access policies “can help prevent or limit this style of attack.” But for everyday users, understanding that credentials can be stolen in this way and then used to access your services on an attacker’s machine is critical.
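For the enterprise side of that mitigation, the sign-in that results from a phished device code shows up in the tenant's own logs: the attacker's machine redeems the code, so the resulting sign-in records the device code flow and the attacker's IP address, not the victim's. The script below is an added example, not code from the FBI announcement, Proofpoint or the article; it reads sign-in records in the shape of the Microsoft Graph `signIn` resource (fields `userPrincipalName`, `ipAddress`, `appDisplayName`, `createdDateTime`, `authenticationProtocol`), lists every sign-in that used the device code flow, and gives priority to those from an address the user has no ordinary sign-in history for. The four records embedded in it are constructed for the demo, not real log data, and the helper names (`parse_signins`, `find_device_code_signins`, `high_priority`) are this example's own.

```python
"""Flag device-code-flow sign-ins in exported Entra ID sign-in records.

Added example for the article above, not the FBI's or Microsoft's code.
Record layout follows the Microsoft Graph `signIn` resource; the sample
export below is constructed for demonstration and is not real log data.
"""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample export (not real data): two ordinary sign-ins, then a
# device-code sign-in for alice from an address she has never used, and a
# device-code sign-in for bob from his usual address (e.g. a CLI login).
SAMPLE_SIGNINS = json.dumps([
    {"createdDateTime": "2025-05-20T08:02:11Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "198.51.100.10", "appDisplayName": "Microsoft Teams",
     "authenticationProtocol": "none"},
    {"createdDateTime": "2025-05-20T09:15:40Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "198.51.100.22", "appDisplayName": "Outlook Web App",
     "authenticationProtocol": "none"},
    {"createdDateTime": "2025-05-21T13:44:03Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.77", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode"},
    {"createdDateTime": "2025-05-21T13:50:19Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "198.51.100.22", "appDisplayName": "Microsoft Azure CLI",
     "authenticationProtocol": "deviceCode"},
])


def parse_signins(raw_json):
    """Load a JSON array of sign-in records and parse the timestamps."""
    records = json.loads(raw_json)
    for rec in records:
        ts = rec["createdDateTime"].replace("Z", "+00:00")
        rec["createdDateTime"] = datetime.fromisoformat(ts)
    return records


def baseline_ips(records):
    """Addresses seen per user on sign-ins that did NOT use the device code flow.

    These are the user's ordinary interactive sign-ins, so they serve as the
    'where this person normally comes from' baseline.
    """
    seen = defaultdict(set)
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            seen[rec["userPrincipalName"]].add(rec["ipAddress"])
    return seen


def find_device_code_signins(records):
    """Return one finding per device-code sign-in.

    `unfamiliar_ip` is True when the address has no ordinary sign-in history
    for that user, which is what a phished code redeemed on an attacker's
    machine looks like in the log.
    """
    baseline = baseline_ips(records)
    findings = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        user = rec["userPrincipalName"]
        findings.append({
            "user": user,
            "ip": rec["ipAddress"],
            "app": rec["appDisplayName"],
            "time": rec["createdDateTime"].isoformat(),
            "unfamiliar_ip": rec["ipAddress"] not in baseline.get(user, set()),
        })
    return findings


def high_priority(findings):
    """Device-code sign-ins from an address the user has never used before."""
    return [f for f in findings if f["unfamiliar_ip"]]


if __name__ == "__main__":
    recs = parse_signins(SAMPLE_SIGNINS)
    for f in find_device_code_signins(recs):
        label = "ALERT " if f["unfamiliar_ip"] else "review"
        print(f"{label}: {f['user']} device-code sign-in to {f['app']} "
              f"from {f['ip']} at {f['time']}")
```

Every device-code sign-in is worth a look when the organisation does not expect the flow at all, which is why the script lists them all; the unfamiliar-address flag only orders the queue. Where the flow is legitimately used (CLI tools, headless devices), a conditional access policy that limits it to those users and locations is the control the FBI points at, and the findings here are the evidence for tuning it.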
Per Proofpoint, “device code phishing is exploding across the threat landscape, with new device code phishing tools emerging every week. The spike in device code phishing coincides with publicly released criminal toolkits, and the emergence of multiple phishing-as-a-service (PhaaS) offerings.”
As such, apply the usual discipline. Do not follow links to sites for documents you’re not expecting. Be wary of any email that prompts an action or includes a link. Check the validity of the email before clicking on anything.