The FBI warns Microsoft 365 services are being bombarded with new phishing emails here are 3 steps you can take to stay safe
Date:
Thu, 28 May 2026 16:28:43 +0000
Description:
Kali365 is abusing legitimate Microsoft login mechanisms to hijack Outlook, Teams, and OneDrive services.
FULL STORY ======================================================================
The FBI has warned of a new Phishing-as-a-Service (PhaaS) kit that is targeting Microsoft 365 accounts in a complex but easily accessible campaign.
The Kali365 PhaaS service allows hackers to gain persistent access to Microsoft 365 environments by stealing OAuth tokens using AI-generated phishing emails that direct users to legitimate Microsoft verification pages. Once the attacker holds the OAuth token, they can access Outlook, Teams, and OneDrive services without having to complete any additional verification or authentication mechanisms.
Phishing campaigns such as these rely on human error to breach accounts, but there are multiple steps that keep accounts and wider Microsoft 365 environments safe. Here are 3 ways businesses can protect themselves against the Kali365 PhaaS campaign:

1. Phishing Vigilance

Phishing emails come in a range of formats. They can be interview invites, document access requests, and everything in between. Hackers are using AI tools to make highly convincing phishing emails that can slip past spam detection filters and blend in with regular email traffic.
IT administrators should follow the latest guidance from intelligence feeds on phishing email trends and ongoing campaigns. Additionally, staff can be trained to spot and report phishing emails through regular simulations that mimic the real-world Tactics, Techniques and Procedures (TTPs) used by hackers.
Users should also remain vigilant against unexpected Microsoft account authentication requests, especially when the user has not made an attempt to log in.

2. Conditional Access Policies

The FBI recommends enabling conditional access policies that block device code flow for all users. Blocking device code flow prevents the main Kali365 OAuth code interception technique from working.
In the Kali365 attack workflow, the hacker submits a pre-generated device code from their own device and sends the victim a link to a legitimate Microsoft verification page. The victim then types the attacker's code into the authentication page, authorizing the attacker's login to the victim's account. The attacker then steals the OAuth access and refresh tokens to access Outlook, Teams, and OneDrive without needing a password or any further authentication.
By blocking this authentication method, even if a victim falls for the phishing email and enters the code, the attacker's login will fail.
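As an added example (not from the article or the FBI advisory), the Python below builds the Microsoft Graph conditionalAccessPolicy body that blocks device code flow, starting in report-only state, and summarises exported sign-in log records by protocol, app and user so legitimate device code usage can be found before the block is enforced. The same transferMethods condition also carries the authentication transfer block from step 3; the field names follow Microsoft Graph's documented schema, the sample sign-in records are constructed, and no real tenant data or API call is involved.

```python
import json
from collections import Counter


def build_block_policy(display_name="Block device code flow and authentication transfer",
                       enforce=False, exclude_groups=()):
    """Microsoft Graph conditionalAccessPolicy body (assumed to match the
    documented 'authenticationFlows' condition). The policy starts in
    report-only state so sign-in logs show what it *would* block before
    anything is disrupted; pass enforce=True once the audit is clean."""
    return {
        "displayName": display_name,
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": list(exclude_groups)},
            "applications": {"includeApplications": ["All"]},
            # Both flows the article's steps 2 and 3 tell admins to block.
            "authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


WATCHED = {"deviceCode", "authenticationTransfer"}


def audit_sign_ins(records):
    """Count successful sign-ins that used a watched flow, keyed by app and by
    user. Records follow the Graph auditLogs/signIns shape; failed attempts
    (non-zero status.errorCode) are ignored, since only working legitimate
    usage would break when the block is enforced."""
    by_app, by_user = Counter(), Counter()
    for r in records:
        proto = r.get("authenticationProtocol")
        if proto in WATCHED and r.get("status", {}).get("errorCode", 0) == 0:
            by_app[(proto, r.get("appDisplayName", "?"))] += 1
            by_user[(proto, r.get("userPrincipalName", "?"))] += 1
    return by_app, by_user


# Constructed sample export, not real tenant data.
SAMPLE_SIGN_INS = [
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Teams Rooms", "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Teams Rooms", "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.com", "appDisplayName": "Outlook", "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode", "status": {"errorCode": 50126}},
]

if __name__ == "__main__":
    print(json.dumps(build_block_policy(), indent=2))
    apps, users = audit_sign_ins(SAMPLE_SIGN_INS)
    for (proto, app), n in apps.most_common():
        print(f"{proto:22} {app:24} {n}")
```

Apps that show up in the audit (here a meeting-room device) are candidates for an exclusion group rather than a reason to leave the flow open tenant-wide.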
But before applying a universal device code flow block, make sure to audit existing usage to identify where device code flow authentication is being used legitimately. Blocking legitimate usage could disrupt day-to-day operations in some circumstances.

3. Block Authentication Transfer Policies
To make life easier for 365 users, Microsoft included an option that lets a user scan, with a trusted device, a QR code displayed on a separate device in order to authenticate a login.

However, this convenient feature makes it easier for attackers to authenticate their own sessions on a victim's account once they have stolen OAuth tokens. Once given access to a victim's account, the attacker can use their newly trusted device to approve their own account access requests.
Blocking authentication transfer not only stops attackers from authenticating their own sessions; it can also help to prevent employees from logging in on unmanaged personal devices that could put company data at risk.

Expert Guidance

Deborah Galea, Cybersecurity Expert at Filigran, commented on the Kali365 attacks:
"Phishing-as-a-Service (PhaaS) platforms like Kali365 are becoming more and more common, which is turning hacking into a highly commercialised subscription business. This means that bad actors can now utilise these ready-made kits rather than building infrastructure from scratch, significantly lowering the barrier to entry."
"Kali365 is especially dangerous since it bypasses Multi-Factor Authentication (MFA) without stealing credentials and allows hackers to hijack Microsoft 365 accounts. We advise companies to implement preventative measures such as restricting device code flow, blocking authentication transfer, and implementing Phishing-Resistant MFA."

Andrea Sivieri, Chief Product and Technology Officer at CoreView, also commented:
"The FBI warning on Kali365 confirms a pattern we have been seeing in enterprise Microsoft 365 environments for months. Attackers are no longer breaking into Microsoft 365, they are logging in, using features Microsoft built for legitimate purposes. Device code flow exists for a good reason, it is how smart TVs and IoT devices sign you into your account. The attackers have simply realised it makes a beautiful phishing primitive, because the
user is the one who clicks 'approve' on a real Microsoft page. MFA cannot
save you from a flow where the user does the MFA themselves."
"The depressing part is that the FBI's top recommendation, blocking device code flow through conditional access policy, is something any Microsoft 365 administrator could turn on this afternoon. The reason most organisations haven't done this is because conditional access in a real-world tenant is a sprawl of policies edited by twenty different people over five years. Nobody is quite sure what blocking one flow will break. So the policy stays open, and the attackers stay in business."
"There is a bigger lesson here for any organisation running its business on Microsoft 365. The next breach at a large enterprise will not start with a hacker exploiting a vulnerability. It will start with an employee being
asked, very politely, to perform a legitimate action inside a legitimate Microsoft product. The defence is not better technology, it is real-time visibility into what is actually changing inside the tenant, and the discipline to revisit the security policies that quietly age out."
======================================================================
Link to news story:
https://www.techradar.com/pro/security/the-fbi-warns-microsoft-365-services-are-being-bombarded-with-new-phishing-emails-here-are-3-steps-you-can-take-to-stay-safe
--- Mystic BBS v1.12 A49 (Linux/64)
* Origin: tqwNet Technology News (1337:1/100)