The FBI is warning about a new phishing platform that allows cybercriminals to hijack Microsoft 365 accounts and bypass multi-factor authentication protections.
In a public safety announcement issued May 21, the FBI said the phishing-as-a-service platform known as Kali365 is being used to steal Microsoft 365 access tokens, giving attackers access to services such as Outlook, Teams and OneDrive without needing victims’ passwords.
The FBI said the tool was first observed in April and has primarily been distributed through Telegram, where it is reportedly offered for as little as $250 per month.
According to the FBI, victims receive phishing emails posing as SharePoint, OneDrive or Microsoft Teams notifications that direct them to Microsoft’s legitimate device login page and instruct them to enter a temporary authentication code.
Once the victim completes the process and passes multi-factor authentication checks, Microsoft issues OAuth access and refresh tokens directly to the attackers, allowing them to access Outlook inboxes, Teams accounts and cloud-stored files without needing the victim’s password.
Once the tokens are compromised, attackers can continue accessing Microsoft services without repeatedly logging in as long as the token remains active.
Matt Burk, chief information security officer at Bespoke Concierge MD, told the New York Post that nearly anyone using Microsoft 365 could be vulnerable to the attacks.
“I absolutely hate to generalize, but everyone from a small mom-and-pop business to a large Fortune 500 company,” he said. “Everybody should be concerned with this exploit.”
Burk advised organizations to use third-party Security Information and Event Management systems to detect suspicious authentication activity linked to token theft. “Using these tools can detect access like the Kali365 exploit and with the correct security features can automatically shut down the connection,” he said.
To protect against the attack, the FBI said organizations should create a conditional access policy to block device code flow for all users, with limited exceptions for required business processes.
It also advised auditing existing device code flow usage to identify legitimate dependencies before implementing such a policy.
The bureau also recommended blocking authentication transfer policies to prevent users from transferring authentication from computers to mobile devices. If device code flow cannot be fully restricted, the FBI said emergency access accounts should be excluded to prevent lockouts.
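An added example, written here rather than taken from the FBI announcement or from Microsoft, covering the audit-then-block sequence the FBI recommends: the first function inventories successful device code flow sign-ins from Entra sign-in log records so legitimate dependencies can be identified, and the second builds the Conditional Access policy body that blocks the flow for all users while excluding emergency access accounts. It assumes the Microsoft Graph signIn resource's `authenticationProtocol` field and the conditionalAccessPolicy `authenticationFlows` condition; the log records and account IDs are constructed.

```python
import json
from collections import defaultdict

# Constructed sample of Microsoft Entra sign-in log records (not real data).
# Field names follow the Microsoft Graph signIn resource, where device code
# flow sign-ins carry authenticationProtocol == "deviceCode".
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Azure CLI",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Azure CLI",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Teams",
     "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.com", "appDisplayName": "Azure CLI",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 50126}},
]

def audit_device_code_usage(signins):
    """Count successful device code flow sign-ins per (app, user): the inventory
    to review before blocking, each entry a dependency to exclude or investigate."""
    usage = defaultdict(int)
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue
        if s.get("status", {}).get("errorCode", 0) != 0:
            continue  # failed attempt; no session was ever issued
        usage[(s["appDisplayName"], s["userPrincipalName"])] += 1
    return dict(usage)

def build_block_policy(exclude_user_ids, enforce=False):
    """Conditional Access policy body blocking device code flow for all users.
    exclude_user_ids are the object IDs of emergency access accounts, so the
    policy cannot lock the tenant out; it starts in report-only mode."""
    return {
        "displayName": "Block device code flow",
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "applications": {"includeApplications": ["All"]},
            "users": {"includeUsers": ["All"], "excludeUsers": list(exclude_user_ids)},
            "clientAppTypes": ["all"],
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }

if __name__ == "__main__":
    for (app, user), n in sorted(audit_device_code_usage(SAMPLE_SIGNINS).items()):
        print(f"{app:<18} {user:<20} {n} successful device code sign-ins")
    # Placeholder object ID for a constructed emergency access account
    print(json.dumps(build_block_policy(["00000000-0000-0000-0000-000000000001"]), indent=2))
```

Run the policy in report-only mode first and compare the sign-ins it would have blocked against the audit output before switching `enforce=True`.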
The FBI urged users to report suspicious login attempts, phishing emails, unauthorized devices or active sessions added to accounts to the Internet Crime Complaint Center.
Meanwhile, Microsoft said it is “actively working to disrupt the cybercriminal ecosystems behind phishing-as-a-service and account takeover activity to protect our customers.”