FBI Drops Bombshell Warning

The FBI is warning millions of Microsoft 365 users about a sophisticated phishing campaign that allows cybercriminals to hijack accounts without ever stealing passwords.

The bureau said the attacks target users of Microsoft Outlook, Teams and OneDrive by exploiting authentication tokens rather than login credentials, enabling attackers to bypass traditional multi-factor authentication protections.

At the center of the campaign is a phishing platform known as “Kali365,” a subscription-based toolkit that security researchers say has rapidly spread since first emerging in April.

According to the FBI, the platform lowers the technical barrier for cybercriminals by providing AI-generated phishing emails, automated attack templates, real-time tracking dashboards and tools designed to capture Microsoft authentication tokens.

Researchers said the service has been advertised on Telegram for as little as $250 per month or $2,000 annually.

Unlike conventional phishing attacks that attempt to steal usernames and passwords, Kali365 targets OAuth device codes used by Microsoft services.

OAuth tokens allow approved applications to access user accounts without repeatedly requiring passwords.

The FBI warned that once attackers obtain one of these tokens, they can gain access to a victim’s Microsoft 365 account without needing additional login credentials or multi-factor authentication.

The scam begins with a phishing email that appears to come from a legitimate cloud service or Microsoft-related source.

The email instructs recipients to visit Microsoft’s genuine device verification webpage and enter a device code included in the message.

Because the verification page is an authentic Microsoft website rather than a fake phishing page, victims may believe the request is legitimate.

However, entering the code authorizes the attacker instead of the intended user.

The attacker then captures the OAuth authentication token and gains access to the victim’s Outlook email, Microsoft Teams messages, OneDrive files and other Microsoft 365 services.

The FBI said one reason the campaign is particularly effective is that users are not redirected to fraudulent websites or misspelled internet domains that often expose traditional phishing attempts, per Inc.

We don’t spam! Read our privacy policy for more info.

Instead, victims interact with Microsoft’s legitimate login infrastructure while unknowingly granting access to attackers.

Security researchers reported hundreds of Kali365-related phishing attempts during April alone, indicating the campaign has already been widely deployed.

The FBI urged Microsoft users to avoid entering device codes unless they personally initiated the login request.

Officials also advised users to carefully review unexpected authentication requests, even when they originate from legitimate Microsoft webpages.

Users who believe their Microsoft account may have been compromised are encouraged to revoke active sessions, change account credentials, review connected devices and report the incident to the FBI’s Internet Crime Complaint Center.

The bureau said organizations should educate employees about OAuth-based phishing attacks, monitor authentication activity for unusual behavior and review access tokens issued to user accounts.

By Reece Walker

Reece Walker covers news and politics with a focus on exposing public and private policies proposed by governments, unelected globalists, bureaucrats, Big Tech companies, defense departments, and intelligence agencies.

Subscribe
Notify of
guest
0 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x