The FBI is alerting corporate America to the existence of a potent new tool that hackers can use to access Microsoft email accounts without ever requiring a password.
According to federal investigators, hackers are increasingly taking control of Microsoft 365 accounts, including Outlook, Teams, and OneDrive, using a phishing platform called Kali365. It allows attackers to get around the multi-factor authentication safeguards that millions of organizations depend on every day.
By enabling even relatively novice hackers to launch sophisticated phishing assaults using automated tools, AI-generated scam emails, and real-time victim tracking dashboards, the platform significantly reduces the barrier for cybercrime, according to an FBI public advisory.
The FBI issued a warning, stating that “Kali365 lowers the barrier of entry” and that the toolkit provides attackers with “OAuth token capture capabilities” that can grant them long-term access to victim accounts.
Unlike conventional phishing scams that try to collect credentials directly, the new attacks abuse Microsoft’s genuine “device code” login method, which is commonly used to sign in on smart TVs, streaming devices, and other hardware with limited keyboards.
Usually, victims get emails that seem to be from reliable Microsoft services like Teams, OneDrive, or SharePoint.
Users are instructed by the messages to go to an actual Microsoft login site and input a temporary code.
However, people unintentionally authorize the hacker’s device rather than their own by inputting that code.
Microsoft gives the attacker legitimate access tokens after the victim completes the procedure, including any multi-factor authentication checks. This enables the attacker to access cloud files, email inboxes, and collaboration tools without ever requiring the user’s password.
The FBI cautioned that hackers may retain persistent access to accounts until the stolen authentication tokens are manually revoked.
“This method of cyber attack is designed to bypass MFA and the need for a password since Microsoft has globally enforced MFA,” Matt Burk, chief information security officer at Bespoke Concierge MD, told The Post. Cybersecurity experts say the attacks are particularly concerning because they abuse legitimate Microsoft infrastructure, making them much harder to detect.
“I absolutely hate to generalize, but everyone from a small mom-and-pop business to a large Fortune 500 company,” Burk stated. Researchers claim that almost anybody using Microsoft 365 might be targeted, from small enterprises to Fortune 500 corporations.
According to the FBI, the Kali365 platform originally surfaced last month and quickly expanded through Telegram channels and cybercrime forums as part of the thriving “phishing-as-a-service” underground market, where low-skilled criminals purchase hacking tools through subscriptions.
Similar efforts have already targeted hundreds of organizations in the US, Canada, Europe, and Australia, including companies in the healthcare, manufacturing, education, banking, and government sectors, according to security firms Arctic Wolf and Huntress.
The attacks are a part of a larger wave of cybercrime targeting Microsoft 365 environments, which have become a prime target due to the software’s extensive integration with contemporary workplaces.
According to experts, businesses should deploy security tooling that can detect the use of stolen tokens and monitor for suspicious authentication activity.
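As an added illustration of the monitoring advice above (example code, not from the FBI advisory or the firms quoted in this article): a small Python check that reads constructed Microsoft Entra ID sign-in records, isolates device-code logins, and flags those that came from a country the user has never signed in from otherwise, because in this scheme it is the attacker's device, not the victim's, that redeems the code. The record field names and the `deviceCode` protocol value are assumed to follow the Microsoft Graph signIn schema; treat them as assumptions.

```python
from collections import defaultdict

# Constructed sample sign-in records, not real logs. Assumption: Entra ID records a
# device-code login with authenticationProtocol "deviceCode", and the IP/country on
# that record belongs to whichever device redeemed the code (the attacker's, in a
# Kali365-style attack), not to the victim who typed it in at the genuine Microsoft page.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.test", "authenticationProtocol": "oAuth2",
     "ipAddress": "198.51.100.10", "country": "US", "createdDateTime": "2025-03-03T09:01:00Z"},
    {"userPrincipalName": "alice@example.test", "authenticationProtocol": "oAuth2",
     "ipAddress": "198.51.100.11", "country": "US", "createdDateTime": "2025-03-04T08:55:00Z"},
    {"userPrincipalName": "alice@example.test", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.7", "country": "NL", "createdDateTime": "2025-03-04T10:12:00Z"},
    {"userPrincipalName": "bob@example.test", "authenticationProtocol": "oAuth2",
     "ipAddress": "192.0.2.20", "country": "CA", "createdDateTime": "2025-03-04T11:00:00Z"},
    {"userPrincipalName": "bob@example.test", "authenticationProtocol": "deviceCode",
     "ipAddress": "192.0.2.21", "country": "CA", "createdDateTime": "2025-03-04T11:30:00Z"},
    {"userPrincipalName": "carol@example.test", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.9", "country": "US", "createdDateTime": "2025-03-04T12:00:00Z"},
]


def baseline_countries(signins):
    """Countries each user normally signs in from, built only from non-device-code logins."""
    base = defaultdict(set)
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode":
            base[s["userPrincipalName"]].add(s["country"])
    return base


def flag_device_code_signins(signins):
    """Device-code sign-ins whose country is outside the user's baseline (or with no baseline)."""
    base = baseline_countries(signins)
    flagged = []
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode":
            continue
        user = s["userPrincipalName"]
        if s["country"] not in base.get(user, set()):
            flagged.append({"user": user, "ip": s["ipAddress"],
                            "country": s["country"], "time": s["createdDateTime"]})
    return flagged


def accounts_needing_token_revocation(signins):
    """Accounts whose tokens should be revoked (e.g. Graph revokeSignInSessions), since
    a bypassed MFA check and a stolen refresh token persist until revoked."""
    return sorted({f["user"] for f in flag_device_code_signins(signins)})


if __name__ == "__main__":
    for hit in flag_device_code_signins(SAMPLE_SIGNINS):
        print(f"suspicious device-code sign-in: {hit}")
    print("revoke tokens for:", accounts_needing_token_revocation(SAMPLE_SIGNINS))
```

Bob's device-code login is not flagged because it came from his usual country, which is the kind of legitimate conference-room or smart-TV sign-in the flow exists for; a production rule would add the tenant's own conditions (new device, unfamiliar ASN, time of day) on top of this baseline.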
Cybersecurity experts advise regular users to be extremely cautious with unsolicited emails asking them to complete a device login verification, even when the URL appears to be a genuine Microsoft website.
According to the FBI, users should report unusual login requests right away and should never enter authentication codes received through unexpected emails or messages.