FBI warns of phishing scam targeting Microsoft 365 accounts


The FBI is warning the public about a new phishing scam called Kali365 that lets hackers break into Microsoft 365 accounts and bypass multi-factor authentication, giving them ongoing access to email, files and other services.

Dig deeper:

By subscribing to the Kali365 platform, hackers can steal login tokens that give them ongoing access to a victim’s Microsoft 365 account.


The service makes it easier for even less-skilled attackers to launch scams by offering AI-generated phishing emails, ready-made attack templates, live tracking tools and token-stealing features.

The scam begins with a phishing email that appears to come from a trusted cloud or document-sharing service. The email includes a device code and instructions directing the target to visit a real Microsoft verification page and enter the code.

Once the code is entered, the victim unknowingly gives the attacker permission to access their Microsoft 365 account. The attacker is then able to steal special login tokens that provide access to the account without needing the victim’s password.

With those stolen tokens, the attacker can continue accessing Microsoft 365 services such as Outlook, Teams and OneDrive, often without triggering additional multi-factor authentication checks.

What you can do:

The FBI says companies can help stop these attacks by limiting or blocking the use of device authentication codes, a feature hackers are exploiting to gain account access.


Experts recommend setting security policies that block device code logins for most users while allowing exceptions only when necessary. Organizations should also review how the feature is currently being used before making changes.

The FBI also recommends blocking authentication transfers between computers and mobile devices to make it harder for attackers to steal access. If the feature cannot be fully disabled, emergency accounts should be excluded to prevent users from being locked out.
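The policy described above, block device code sign-ins for most users and allow only listed exceptions, can also be checked after the fact against sign-in logs. The following Python script is an added example; it is not part of the FBI announcement and not a Microsoft tool. It reads constructed sample records laid out like simplified Microsoft Entra sign-in log entries (the field names `userPrincipalName`, `authenticationProtocol`, `ipAddress`, `appDisplayName` and the protocol value `deviceCode` are assumptions about that format) and reports every device-code sign-in by a user who is not on an approved exception list, grouped by source IP so that several accounts authorizing from the same address stand out.

```python
"""Flag device-code sign-ins that fall outside an approved exception list.

Added example, not from the FBI announcement or from Microsoft. The record
layout is a simplified, assumed version of Microsoft Entra sign-in log
entries (one JSON object per line); all records below are constructed.
"""
import json
from collections import Counter
from dataclasses import dataclass

# Constructed sample sign-in records (not real log data). Only the
# deviceCode entries are relevant to the policy being checked.
SAMPLE_SIGNIN_LOG = """
{"createdDateTime": "2025-03-02T08:14:09Z", "userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10", "appDisplayName": "Microsoft Teams"}
{"createdDateTime": "2025-03-02T08:21:44Z", "userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.23", "appDisplayName": "Microsoft Office"}
{"createdDateTime": "2025-03-02T09:02:10Z", "userPrincipalName": "kiosk-svc@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "192.0.2.5", "appDisplayName": "Azure CLI"}
{"createdDateTime": "2025-03-02T09:40:31Z", "userPrincipalName": "carol@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.23", "appDisplayName": "Microsoft Office"}
"""

# Accounts that legitimately need the device code flow (constructed example:
# a headless kiosk service account). Everyone else should never use it.
DEVICE_CODE_EXCEPTIONS = {"kiosk-svc@example.com"}


@dataclass(frozen=True)
class Finding:
    """One device-code sign-in that the policy says should not have happened."""
    user: str
    when: str
    ip: str
    app: str


def parse_signins(text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        records.append(json.loads(line))
    return records


def find_unapproved_device_code_signins(records, exceptions):
    """Return findings for device-code sign-ins by users not on the exception list.

    A user on the exception list is allowed; any other device-code sign-in is
    reported, since the recommended policy blocks the flow for most users.
    """
    findings = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        user = rec.get("userPrincipalName", "")
        if user in exceptions:
            continue
        findings.append(Finding(
            user=user,
            when=rec.get("createdDateTime", ""),
            ip=rec.get("ipAddress", ""),
            app=rec.get("appDisplayName", ""),
        ))
    return findings


def summarize_by_ip(findings):
    """Count findings per source IP; several users from one IP is a strong signal."""
    return dict(Counter(f.ip for f in findings))


if __name__ == "__main__":
    records = parse_signins(SAMPLE_SIGNIN_LOG)
    findings = find_unapproved_device_code_signins(records, DEVICE_CODE_EXCEPTIONS)
    for f in findings:
        print(f"{f.when}  {f.user:<22}  {f.ip:<15}  {f.app}")
    for ip, n in summarize_by_ip(findings).items():
        if n > 1:
            print(f"{n} unapproved device-code sign-ins from {ip}")
```

The per-IP summary doubles as the evidence list the FBI asks for in a report: each finding already carries the time, the source IP and the user, and it points at the sessions and devices that should be reviewed and revoked.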

Anyone who believes they may have been targeted by the Kali365 phishing scam should report it to the FBI’s Internet Crime Complaint Center at IC3.gov.

The FBI says reports should include as much information as possible, including phishing emails, suspicious login activity such as times and IP addresses, and any unknown devices or active sessions connected to the account.

The Source: The information in this story comes from a Public Service Announcement issued by the Federal Bureau of Investigation. This story was reported from Los Angeles. 
