FBI Issues Urgent Warning For Microsoft 365 Users: Kali365 Phishing Kit Bypasses MFA

hero ms365 phishing
A particularly ingenious phishing attack against Microsoft 365 users has caught the FBI's attention, courtesy of Kali365. The new attack, which utilizes the Kali365 Phising-as-a-Service (PhaaS) platform, bypasses multi-factor authentication (MFA) without the need to steal user credentials at all. The way it's done is through a phishing email containing a malicious device code tied to the attacker's PC, and a link to Microsoft's legitimate Device Authorization page. By tricking users into adding a malicious device to their account's Device Authorization page, OAuth access and refresh tokens can be stolen and used to access the user or business entity's Microsoft 365 account without the need to steal any credentials.

ms365 deviceregister
The attack will direct you to Microsoft's legitimate Authorized Devices functionality.

The scope of known attacker activity and the unconventional nature of the attack prompted the FBI to post an official Public Service Announcement warning against the threat. The FBI's tips to secure against the attack include creating a conditional access policy to block device code flow for all users with limited exceptions, auditing existing device code flow usage to identify where it's actually needed, blocking authentication transfers from PCs to mobile, and excluding emergency access accounts to prevent potential lockouts. The FBI also, of course, encourages those who spot the attacks in the wild to report all relevant information to the Internet Crime Complaint Center (IC3) at IC3.gov.

It's certainly a dangerous attack, though we do reckon it's somewhat unlikely that tech-savvy users will fall for it. Manually adding device codes to Microsoft's Authorized Devices is an extremely fringe use case, and potential victims should notice that their devices are already authorized to access the accounts in question thanks to already being signed in. But there's always the chance of catching an otherwise-savvy user on a rainy day, or getting lucky enough for the phishing email to land in the hands of someone prone to panic and follow instructions without question. Statistics suggest that an overwhelming majority of cyber attacks happen due to human error, after all.

Image Credit: geralt on Pixabay
Chris Harper

Chris Harper

Christopher Harper is a tech writer with over a decade of experience writing how-tos and news. Off work, he stays sharp with gym time & stylish action games.