The FBI has issued an urgent warning to Microsoft users after discovering a new hacking service that can bypass common security measures.
In a Public Service Announcement, the agency said cybercriminals are using a platform known as Kali365 to gain access to Microsoft 365 accounts through sophisticated phishing attacks.
Hackers send victims emails that appear to come from trusted services and direct them to a legitimate Microsoft login page. Once the victim follows the instructions, the attackers can obtain special authentication tokens that prove the user has already logged in.
These tokens function like a digital hall pass, allowing hackers to access Outlook, Teams, OneDrive and other Microsoft services without repeatedly entering a password.
Because the tokens are issued after a successful login, cybercriminals can often bypass two-factor authentication and maintain access to accounts for extended periods, according to the FBI.
The FBI is urging organizations to block a Microsoft authentication feature known as ‘device code flow,’ which attackers are exploiting to gain access to accounts.
However, businesses should first review how the feature is being used internally to ensure that legitimate services and workflows are not disrupted.
Users are also urged to watch for fraudulent emails by carefully checking sender addresses, links and the wording of messages for signs of phishing attempts.
Hackers send victims emails that appear to come from trusted services and direct them to a legitimate Microsoft login page. Once the victim follows the instructions, the attackers can obtain special authentication tokens that prove the user has already logged in
‘Kali365 lowers the barrier of entry, providing less-technical attackers access to AI-generated phishing lures, automated campaign templates, real-time targeted individual/entity tracking dashboards, and OAuth token capture capabilities,’ the FBI stated.
Kali365 is sold to scammers through a $250-per-month subscription.
Cybercriminals begin the attack by sending phishing emails that appear to come from trusted cloud productivity or document-sharing services. The messages contain a device code and instructions directing victims to a legitimate Microsoft verification page.
Believing the request is genuine, victims enter the code on Microsoft’s website. In doing so, they unknowingly authorize the attacker’s device to access their account.
The attackers then capture special authentication tokens, known as OAuth access and refresh tokens, which grant them access to the victim’s Microsoft 365 account.
Once the tokens are stolen, hackers can maintain access to Microsoft services such as Outlook, Teams and OneDrive without needing the victim’s password or having to complete additional multi-factor authentication checks.
The FBI also recommended implementing policies that prevent users from transferring authentication from computers to mobile devices, a method that can be abused by cybercriminals during attacks.
For organizations that cannot fully disable device code flow, the FBI advises exempting emergency access accounts.
This can help ensure administrators are not locked out of critical systems if security controls are tightened.
The FBI urged users to report phishing emails, suspicious login attempts and any unauthorized devices or active sessions linked to their accounts to the Internet Crime Complaint Center.
The agency also warned users not to click on links containing access codes they did not request.
Join the discussion
Should tech companies be doing more to protect users from being hacked?
