The FBI is warning that a new hacking tool lets cybercriminals take over Microsoft 365 accounts, including Outlook, Teams, and OneDrive, without being stopped by multi-factor authentication.
In a recent public service announcement, the agency warned about a "phishing-as-a-service" tool called Kali365 that is being used to steal Microsoft 365 access tokens and get into user accounts without ever capturing a password.
The government claims that Kali365 allows novice hackers to conduct sophisticated phishing attacks that previously needed significant technical expertise.
The FBI warned that Kali365 lowers the barrier to entry, giving less-technical attackers AI-generated phishing lures, automated campaign templates, real-time tracking dashboards for specific individuals or organizations, and the ability to capture OAuth tokens.
The tactic abuses Microsoft's legitimate OAuth 2.0 "device code" flow (the device authorization grant), a method designed for signing in on smart TVs, streaming devices, and other hardware with limited keyboard input: the device displays a short code, and the user enters it on a separate device that can handle a full login.
Instead of stealing passwords directly, the attacker generates such a code and persuades the victim to enter it on Microsoft's genuine device-login page, which unknowingly authorizes the attacker's client rather than a TV or printer the victim owns.
"A legitimate authentication method, the device code flow is currently being used by cybercriminals to circumvent multi-factor authentication," stated the FBI in its warning.
By deceiving users into inputting a device code on an authentic Microsoft website, hackers can obtain long-term access to accounts without requiring the user's login details.
Individuals are targeted with phishing emails that mimic legitimate services such as SharePoint, OneDrive, or Microsoft Teams.
The messages direct recipients to go to Microsoft's official device login page and input a temporary verification code.
Once the victim completes the login and passes MFA, Microsoft issues legitimate OAuth access and refresh tokens to the attacker's client, which has been polling Microsoft's token endpoint for them.
That gives the attacker entry to the victim's Outlook inbox, Teams account, and cloud-stored documents, and the refresh token lets the attacker renew that access without the victim's password or a further MFA prompt.
The FBI cautioned that attackers can retain this access until the compromised tokens are revoked.
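To make the exchange above concrete, here is an in-memory model of the OAuth 2.0 device authorization grant (RFC 8628) with both sides' messages. It is an added example, not code from the FBI advisory, from Microsoft, or from Kali365. The endpoint paths in the comments are Microsoft's real ones; the client ID, user names, token format, and the `AuthorizationServer` class itself are constructed for this illustration. The point it demonstrates is that the tokens go to whichever client holds the `device_code`, so the victim passing MFA on the genuine page does nothing to stop the attacker.

```python
"""In-memory model of the OAuth 2.0 device authorization grant (RFC 8628).
Added example, not the FBI's, Microsoft's, or Kali365's code. Endpoint names
in comments are Microsoft's real ones; everything else is constructed."""

import secrets
from dataclasses import dataclass
from typing import Optional

CODE_TTL_SECONDS = 900            # Microsoft device codes live about 15 minutes
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"


@dataclass
class PendingAuth:
    device_code: str              # secret, known only to the client that requested it
    user_code: str                # short code the user types on the login page
    client_id: str
    scope: str
    expires_at: float
    authorized_by: Optional[str] = None


class AuthorizationServer:
    """Stands in for login.microsoftonline.com/{tenant}/oauth2/v2.0/ (constructed)."""

    def __init__(self):
        self.pending: dict = {}           # device_code -> PendingAuth
        self.by_user_code: dict = {}      # user_code   -> PendingAuth
        self.refresh_tokens: dict = {}    # refresh token -> user it belongs to

    def device_authorization(self, client_id, scope, now):
        """POST /devicecode: called by the ATTACKER'S client; no user involved yet."""
        p = PendingAuth(
            device_code=secrets.token_urlsafe(32),
            user_code="".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(9)),
            client_id=client_id, scope=scope, expires_at=now + CODE_TTL_SECONDS)
        self.pending[p.device_code] = p
        self.by_user_code[p.user_code] = p
        return {"device_code": p.device_code, "user_code": p.user_code,
                "verification_uri": "https://microsoft.com/devicelogin",
                "expires_in": CODE_TTL_SECONDS, "interval": 5}

    def user_approves(self, user_code, username, mfa_passed, now):
        """The VICTIM on the genuine /devicelogin page enters the code and passes MFA."""
        p = self.by_user_code.get(user_code)
        if p is None or now > p.expires_at:
            return "invalid_or_expired_code"
        if not mfa_passed:
            return "mfa_required"
        p.authorized_by = username        # binds the victim's identity to the attacker's code
        return "approved"

    def token(self, device_code, client_id, now):
        """POST /token, grant_type=device_code: whoever polls with the secret gets tokens."""
        p = self.pending.get(device_code)
        if p is None or p.client_id != client_id:
            return {"error": "invalid_grant"}
        if now > p.expires_at:
            return {"error": "expired_token"}
        if p.authorized_by is None:
            return {"error": "authorization_pending"}
        rt = secrets.token_urlsafe(32)
        self.refresh_tokens[rt] = p.authorized_by
        return {"token_type": "Bearer", "scope": p.scope, "subject": p.authorized_by,
                "access_token": secrets.token_urlsafe(16), "refresh_token": rt}

    def refresh(self, refresh_token):
        """Silent renewal: no password, no MFA prompt, until the token is revoked."""
        user = self.refresh_tokens.get(refresh_token)
        if user is None:
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(16), "subject": user}

    def revoke_sessions(self, username):
        """What an admin's sign-in-session revocation does: drops the user's refresh tokens."""
        dead = [t for t, u in self.refresh_tokens.items() if u == username]
        for t in dead:
            del self.refresh_tokens[t]
        return len(dead)


def simulate_device_code_phish(victim="alice@example.com"):
    """Runs the exchange end to end and returns what each side observed."""
    srv = AuthorizationServer()
    attacker_client = "00000000-0000-0000-0000-00000000c0de"   # constructed client ID
    t = 1_000_000.0
    # 1. Attacker starts the flow; the code pair is tied to the attacker's client.
    start = srv.device_authorization(attacker_client, "offline_access Mail.Read Files.Read", now=t)
    # 2. Attacker polls; nothing has been approved yet.
    before = srv.token(start["device_code"], attacker_client, now=t + 5)
    # 3. The lure points at the REAL Microsoft URL, carrying the attacker's user_code.
    lure = f"Open {start['verification_uri']} and enter code {start['user_code']} to view the shared file."
    # 4. Victim enters the code on the genuine page and passes MFA.
    approval = srv.user_approves(start["user_code"], victim, mfa_passed=True, now=t + 120)
    # 5. Attacker polls again and receives tokens issued for the victim.
    tokens = srv.token(start["device_code"], attacker_client, now=t + 125)
    # 6. The refresh token keeps working with no further user interaction ...
    renewed = srv.refresh(tokens["refresh_token"])
    # 7. ... until the tenant revokes the victim's sessions.
    revoked = srv.revoke_sessions(victim)
    after_revoke = srv.refresh(tokens["refresh_token"])
    return {"lure": lure, "poll_before_approval": before, "approval": approval,
            "tokens": tokens, "renewed": renewed, "revoked_count": revoked,
            "poll_after_revoke": after_revoke}


if __name__ == "__main__":
    for step, value in simulate_device_code_phish().items():
        print(f"{step}: {value}")
```

Notice that nothing in the victim's experience is fake: the URL is genuine, the TLS certificate is Microsoft's, and the MFA prompt is real. The only thing the victim cannot see is which client requested the code, which is why user education alone is a weak defence here.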
Matt Burk, the chief information security officer at Bespoke Concierge MD, mentioned to The Post that the attacks have grown more successful due to Microsoft's extensive use of multi-factor authentication, which has compelled hackers to change their methods.
"Because Microsoft has implemented MFA worldwide, this cyber attack method aims to circumvent MFA and eliminate the requirement for a password," he stated.
When asked which industries or employees are most at risk, Burk cautioned that nearly anyone utilizing Microsoft 365 could become a target.
"I truly dislike making generalizations, but it applies to everyone, from a small family-owned business to a major Fortune 500 corporation," he stated.
Burk mentioned that organizations should implement third-party Security Information and Event Management, or SIEM, systems that can identify unusual authentication behavior associated with token theft.
"Employing these tools can identify access similar to the Kali365 attack, and with the right security measures, it can automatically terminate the connection," he stated.
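The kind of "unusual authentication behavior" Burk refers to is visible in the identity provider's sign-in telemetry, because a device-code sign-in is recorded as its own authentication protocol. The following is an added example of that detection logic, not code from any SIEM vendor, from Burk, or from the FBI advisory. Field names follow the Microsoft Entra ID sign-in log as exported to a SIEM (`UserPrincipalName`, `AuthenticationProtocol`, `IPAddress`, `Location`, `AppDisplayName`, `ResultType`) in simplified form, and the log lines are constructed with RFC 5737 test addresses; the baseline logic and severity scheme are this example's own choices.

```python
"""Flag device-code sign-ins in Entra-style sign-in logs and rank them by
how unusual they are for the user. Added example, not vendor or FBI code;
field names are a simplified form of the Entra sign-in log schema and the
sample records are constructed."""

import json
from collections import defaultdict

# Constructed sample data: newline-delimited JSON, documentation IP ranges.
SAMPLE_LOGS = """\
{"TimeGenerated":"2025-06-02T08:01:12Z","UserPrincipalName":"alice@example.com","AuthenticationProtocol":"oAuth2","IPAddress":"203.0.113.10","Location":"US","AppDisplayName":"Microsoft Teams","ResultType":0}
{"TimeGenerated":"2025-06-02T08:05:40Z","UserPrincipalName":"alice@example.com","AuthenticationProtocol":"oAuth2","IPAddress":"203.0.113.10","Location":"US","AppDisplayName":"OneDrive","ResultType":0}
{"TimeGenerated":"2025-06-02T09:12:03Z","UserPrincipalName":"alice@example.com","AuthenticationProtocol":"deviceCode","IPAddress":"198.51.100.77","Location":"DE","AppDisplayName":"Microsoft Office","ResultType":0}
{"TimeGenerated":"2025-06-02T09:30:55Z","UserPrincipalName":"bob@example.com","AuthenticationProtocol":"deviceCode","IPAddress":"192.0.2.44","Location":"US","AppDisplayName":"Microsoft Office","ResultType":0}
{"TimeGenerated":"2025-06-02T09:31:10Z","UserPrincipalName":"bob@example.com","AuthenticationProtocol":"oAuth2","IPAddress":"192.0.2.44","Location":"US","AppDisplayName":"Outlook","ResultType":0}
{"TimeGenerated":"2025-06-02T10:02:19Z","UserPrincipalName":"carol@example.com","AuthenticationProtocol":"deviceCode","IPAddress":"198.51.100.78","Location":"DE","AppDisplayName":"Microsoft Office","ResultType":50058}
"""


def parse_signins(text):
    """One JSON object per line, blank lines ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def build_baseline(events):
    """Locations each user has successfully signed in from over ordinary flows.
    In production, build this from a prior window (say 30 days), not from the
    same batch being scored; here both come from the constructed sample."""
    seen = defaultdict(set)
    for e in events:
        if e["AuthenticationProtocol"] != "deviceCode" and e["ResultType"] == 0:
            seen[e["UserPrincipalName"]].add(e["Location"])
    return seen


def detect_device_code_abuse(events):
    """Every device-code sign-in deserves a look; severity says how urgently."""
    baseline = build_baseline(events)
    alerts = []
    for e in events:
        if e["AuthenticationProtocol"] != "deviceCode":
            continue
        user = e["UserPrincipalName"]
        if e["ResultType"] != 0:
            severity = "low"     # attempt that did not complete; still worth correlating
            reason = f"failed device-code sign-in (ResultType {e['ResultType']})"
        elif e["Location"] not in baseline.get(user, set()):
            severity = "high"    # tokens redeemed from somewhere this user has never been
            reason = f"device-code tokens redeemed from {e['Location']}, never seen for this user"
        else:
            severity = "medium"  # plausible, but confirm a real device was being enrolled
            reason = "device-code sign-in from a known location; confirm the user enrolled a device"
        alerts.append({"severity": severity, "user": user, "time": e["TimeGenerated"],
                       "ip": e["IPAddress"], "app": e["AppDisplayName"], "reason": reason})
    return alerts


ALERTS = detect_device_code_abuse(parse_signins(SAMPLE_LOGS))

if __name__ == "__main__":
    order = {"high": 0, "medium": 1, "low": 2}
    for a in sorted(ALERTS, key=lambda a: order[a["severity"]]):
        print(f"[{a['severity']:>6}] {a['user']} {a['time']} {a['ip']} {a['app']}: {a['reason']}")
```

Once an alert is confirmed, the response is to revoke the user's refresh tokens (in Microsoft Graph PowerShell, `Revoke-MgUserSignInSession -UserId <upn>`), which is the "automatically terminate the connection" step Burk describes. Tenants that have no legitimate use for the device code flow can go further and block it with a Conditional Access policy on the "Authentication flows" condition, making detection the fallback rather than the primary control.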
Regular users should recognize the seriousness of the threat, as the attacks focus on cloud-based computing systems that are commonly utilized by both businesses and individuals.
"Everyone should be worried about this incident," Burk stated.
Cybersecurity experts say the rise of Kali365 marks a notable escalation in the expanding "phishing-as-a-service" underground market, where advanced hacking tools are sold to less experienced criminals through subscription models on Telegram and dark web forums.
The agency stated that Kali365 was initially detected last month and has quickly gained traction within cybercrime circles.
The platform streamlines phishing operations and offers dashboards that let attackers track targets in real time.
Federal officials stated that the operation is a part of a larger series of attacks aimed at Microsoft 365 systems around the world.
Scattered Spider, also known as Octo Tempest, is a well-known English-speaking cybercriminal group that specializes in aggressive social engineering and SIM-swapping operations against major companies.
Another organization, Storm-2949, has concentrated on targeting IT administrators and top executives by exploiting Microsoft password reset systems and cloud authentication services.
The Washington Post has requested input from Microsoft.