The Federal Bureau of Investigation (FBI) issued an urgent cybersecurity advisory warning public and corporate users about a sophisticated phishing platform named Kali365. This "Phishing-as-a-Service" toolkit specifically targets Microsoft 365 environments—including Outlook, Teams, and OneDrive accounts—allowing attackers to bypass traditional multi-factor authentication (MFA) and gain persistent control. [1, 2, 3, 4]
------------------------------
## 🛡️ How the "Kali365" Attack Works
Unlike traditional phishing schemes that seek to steal a victim's password, Kali365 abuses Microsoft's legitimate OAuth device registration workflow. [5, 6]
1. The Phishing Lure: Victims receive a highly convincing email designed to look like a trusted cloud collaboration or document-sharing service. The lure often mimics fake Microsoft Teams message notifications or secure business voicemail alerts. [2, 7, 8, 9]
2. The Device Code Trick: The email displays a specific alphanumeric code and instructs the recipient to visit a legitimate Microsoft device verification page (hosted on microsoft.com) and enter the code. [2, 7]
3. The Token Hijacking: Because the user enters the code on a real, official Microsoft page, the victim unknowingly authorizes a new device connection. The Kali365 platform instantly intercepts the generated OAuth authentication tokens. [2, 3, 7, 10]
4. Bypassing MFA: With these stolen session tokens, cybercriminals maintain persistent access to the victim's inbox, files, and chat records. They can log in freely without ever needing the account password or triggering subsequent MFA prompts. [3, 4, 7, 10]
------------------------------
## 🛑 FBI Recommended Mitigation Steps
Since traditional MFA is insufficient against session token theft, the FBI advises organizations and users to apply a layered security approach: [3, 4]
* Enforce Conditional Access Policies: Enterprise administrators should create strict policies within Microsoft Entra ID to block or limit device code flows for standard users. [6, 7, 10]
* Disable Cross-Device Auth Transfers: Block the setting that permits users to seamlessly pass or transfer authenticated sessions from personal computers over to mobile devices. [3, 10]
* Protect Emergency Logins: When disabling device code flows company-wide, ensure break-glass or emergency-access admin accounts are excluded to prevent complete system lockouts. [3, 10]
* Audit Active Sessions: Regularly inspect enterprise access logs for unauthorized active sessions, unfamiliar device footprints, or abnormal geolocation logins. [7, 8]
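As an added example (not from the FBI advisory or the articles cited here), the Python script below shows what the "Audit Active Sessions" step looks like in practice: it scans exported Entra sign-in records, flags every sign-in that completed through the device code flow, and raises the severity when the user has never signed in from that country or the session carries no registered device id. Field names follow the Microsoft Entra sign-in log schema (`authenticationProtocol` is `deviceCode` for this flow); the records themselves are constructed.

```python
import json

# Constructed sample records (not real log data) in the shape of Microsoft
# Entra sign-in log entries; only the fields this check reads are included.
SAMPLE_SIGNINS = """
{"userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"}, "deviceDetail": {"deviceId": "dev-known-1"}, "createdDateTime": "2025-01-10T09:00:00Z"}
{"userPrincipalName": "bob@example.com", "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.44", "location": {"countryOrRegion": "US"}, "deviceDetail": {"deviceId": "dev-known-2"}, "createdDateTime": "2025-01-10T09:05:00Z"}
{"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "NL"}, "deviceDetail": {"deviceId": ""}, "createdDateTime": "2025-01-10T09:12:00Z"}
{"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.44", "location": {"countryOrRegion": "US"}, "deviceDetail": {"deviceId": "dev-known-2"}, "createdDateTime": "2025-01-10T10:30:00Z"}
"""

def parse_signins(text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def baseline_countries(records):
    """Countries each user has signed in from via ordinary (non device code) flows."""
    seen = {}
    for rec in records:
        if rec.get("authenticationProtocol") == "deviceCode":
            continue
        country = rec.get("location", {}).get("countryOrRegion", "")
        seen.setdefault(rec.get("userPrincipalName", ""), set()).add(country)
    return seen

def find_device_code_signins(records, known_countries):
    """Flag every sign-in that completed via the device code flow; 'high' if the
    user has no prior sign-in from that country."""
    findings = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        upn = rec.get("userPrincipalName", "")
        country = rec.get("location", {}).get("countryOrRegion", "")
        reasons, severity = ["device code flow used"], "medium"
        if country not in known_countries.get(upn, set()):
            severity = "high"
            reasons.append(f"no prior sign-in from {country or 'unknown country'}")
        if not rec.get("deviceDetail", {}).get("deviceId"):
            reasons.append("no registered device id")  # token issued to an unknown device
        findings.append({"user": upn, "ip": rec.get("ipAddress"), "time": rec.get("createdDateTime"),
                         "severity": severity, "reasons": reasons})
    return findings

if __name__ == "__main__":
    recs = parse_signins(SAMPLE_SIGNINS)
    for f in find_device_code_signins(recs, baseline_countries(recs)):
        print(f"[{f['severity'].upper()}] {f['user']} from {f['ip']} at {f['time']}: {', '.join(f['reasons'])}")
```

Any hit warrants revoking that user's refresh tokens and reviewing the device list on the account, since a stolen device code token stays valid until it is revoked.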
------------------------------
## 📝 What to Do If You're Targeted
If you encounter a suspicious device-link email or suspect your account has been breached, the FBI requests that you file an official cybersecurity incident report through the FBI Internet Crime Complaint Center (IC3). [3, 7]
When submitting, provide as much evidence as possible, including full email header data, the unredacted email body, any unauthorized devices added to your Microsoft account, and the timestamps or IP addresses associated with suspicious login attempts. [3, 7]
[1] [https://www.facebook.com](https://www.facebook.com/fox5dc/posts/the-fbi-is-alerting-the-public-to-a-new-cyber-threat-involving-a-phishingasaserv/1464038702427352/)
[2] [https://www.livenowfox.com](https://www.livenowfox.com/news/fbi-alert-outlook-onedrive)
[3] [https://www.fox10phoenix.com](https://www.fox10phoenix.com/news/fbi-alert-outlook-onedrive)
[4] [https://invenioit.com](https://invenioit.com/security/fbi-microsoft-365-phishing-scam/)
[5] [https://www.inc.com](https://www.inc.com/amaya-nichole/fbi-just-issued-urgent-warning-anyone-using-microsoft-over-new-phishing-scheme/91351360)
[6] [https://www.facebook.com](https://www.facebook.com/fox29philadelphia/posts/the-fbi-is-warning-the-public-about-a-new-phishing-scam-called-kali365-that-allo/1448599040635887/)
[7] [https://www.govtech.com](https://www.govtech.com/security/fbi-issues-scam-warning-for-users-of-microsoft-outlook-teams)
[8] [https://www.facebook.com](https://www.facebook.com/FOX10Phoenix/posts/the-fbi-is-warning-the-public-about-a-new-phishing-scam-called-kali365-that-allo/1324814363186020/)
[9] [https://www.facebook.com](https://www.facebook.com/wfaa/posts/fbi-warning-%EF%B8%8F-a-new-phishing-tool-can-bypass-microsoft-365-multi-factor-authenti/1460840062746813/)
[10] [https://www.kark.com](https://www.kark.com/news/national-news/cyber-attackers-are-hijacking-microsoft-outlook-teams-and-365-log-ins-fbi-says/)