You’ll want to be careful before signing in to your Microsoft 365 account from an outside prompt, even if you’re vigilant. The FBI says a new scam based on the Kali365 phishing-as-a-service platform can bypass multi-factor authentication (MFA) by tricking users into approving legitimate Microsoft logins.
According to a public service announcement, hackers are exploiting a system Microsoft put in place to enable MFA for hardware with limited input, such as smart TVs and streaming media players. The intruders start the authentication process and use phishing or social engineering to persuade users to enter the short device code on a real Microsoft website. After they do, Microsoft’s system supplies an access token that lets perpetrators hijack accounts without completing MFA themselves.
Attackers can also use browser cookies to steer you through infrastructure that they control but that forwards requests to the real Microsoft login page. You won’t see any obvious signs of trouble.
The move lets hackers access apps and data tied to Microsoft 365 accounts, including OneDrive files, Outlook emails, and third-party tools like Salesforce. They can also register new devices at will. Some of the culprits have used Outlook to mask their behavior through custom mailbox rules.
Security researchers at Arctic Wolf detailed the campaign in April and noted that some of Kali365’s danger comes from its sheer ease of use. It’s relatively simple to create AI-generated phishing lures, templates, and even victim tracking systems. Even “less-technical” hackers can do serious damage, according to the FBI notice.
Most of the people abusing Kali365 are sharing it through secure Telegram chats, Arctic Wolf and the FBI explain.
What you can do to protect your Microsoft 365 account
Watch for certain email subject lines
As an individual, your best solution is to watch for and ignore certain email subject lines. The Kali365 phishing scams are so far based around eight fixed templates that are only partly customized, according to Arctic Wolf. They include:
- SharePoint – Document Shared: {sender_name} shared a file with you
- OneDrive – File Shared: {sender_name} shared “Document” with you
- Teams – New Message: {sender_name} sent a message in [[company]]
- Microsoft 365 – Voicemail: Voicemail from {sender_name} – [[date]]
- DocuSign – Signature Required: {sender_name} requested your signature
- Invoice Notification: Invoice #INV-[[date]] for [[company]]
- Adobe Acrobat Sign – Agreement: Action required: [[company]] agreement from {sender_name}
- Account Security Notification: Account notification for [[email]]
The lures tend to involve Excel, PDF, PowerPoint, and Word files, although there are numerous layouts and design themes meant to look plausible.
The most effective safeguards are for business and government accounts, the FBI says. IT managers can block device codes when they’re not absolutely necessary, and bar users from moving their authentications from PCs to mobile devices. Security experts also recommend excluding emergency accounts from device codes to avoid complete lockouts.
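The blocking step the FBI describes maps to an Entra ID Conditional Access policy on the “authentication flows” condition. The following is an added example (not from the FBI notice or Arctic Wolf) that blocks both device code flow and authentication transfer for all users while excluding an emergency account; it assumes the Microsoft Graph PowerShell module and the `$breakGlassId` placeholder value is yours to replace.

```powershell
# Added example: block device code flow and authentication transfer tenant-wide
# with a Conditional Access policy, excluding one break-glass account so that a
# misconfiguration cannot lock administrators out entirely.
# Assumes the Microsoft.Graph module is installed and the signed-in admin can
# consent to the scopes below.
Connect-MgGraph -Scopes "Policy.Read.All","Policy.ReadWrite.ConditionalAccess"

# Placeholder: replace with the object ID of your emergency-access account
$breakGlassId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName = "Block device code flow and authentication transfer"
    # Start in report-only mode; switch to "enabled" once sign-in logs show no
    # legitimate device-code use (e.g. meeting-room hardware) that would break.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassId)
        }
        applications = @{
            includeApplications = @("All")
        }
        # Both flows abused in device-code phishing: the device code itself and
        # the transfer of a PC sign-in to a mobile device.
        authenticationFlows = @{
            transferMethods = "deviceCodeFlow,authenticationTransfer"
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back to confirm the condition and exclusion were stored.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State,
        @{ n = "TransferMethods"; e = { $_.Conditions.AuthenticationFlows.TransferMethods } },
        @{ n = "ExcludedUsers";   e = { $_.Conditions.Users.ExcludeUsers -join "," } }
```

Review the report-only sign-in log entries for this policy before enforcing it, since any legitimate limited-input device in the tenant will start failing once it is enabled.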
Device code-based attacks have become increasingly common and aren’t limited to Kali365. Phishing services like EvilTokens and Tycoon2FA are also in use to hijack Microsoft 365, Bleeping Computer explains. Effectively, you can’t assume that these scams will be relatively obvious.