FBI Warns Kali365 Phishing Kit Is Stealing Microsoft OAuth Tokens at Scale
The FBI says the service uses device-code phishing and adversary-in-the-middle tactics to bypass multi-factor authentication and steal session data.
- The FBI issued a public service announcement warning about Kali365, a phishing-as-a-service platform on Telegram targeting M365 users to steal OAuth tokens at alarming rates.
- Researchers identified three distinct subscription tiers for the platform, with the Admin Tier reserved for developers and the Agent Tier enabling resellers to manage branded panels.
- Kali365 enables attackers to impersonate "trusted cloud productivity and document-sharing services" like Adobe Acrobat Sign, DocuSign, and SharePoint, according to Arctic Wolf. The platform uses AitM capabilities to proxy browser sessions and bypass Microsoft MFA.
- Tanmay Ganacharya, VP of security research at Microsoft, told The Register, "We continue to observe high-volume activity," with campaigns targeting hundreds of organizations using unique payloads that challenge defenders' detection efforts.
- Both Arctic Wolf and the FBI recommend organizations implement conditional access policies to block device code flow and authentication transfer policies on PCs and phones to mitigate compromise risks.
12 Articles
FBI warns about fast-growing phishing kit targeting Microsoft 365 users
The FBI is warning organizations and defenders about Kali365, a growing phishing-as-a-service platform that retrieves Microsoft 365 access tokens, issuing a public service announcement Thursday. The toolkit bypasses multi-factor authentication and abuses OAuth device code authorizations via phishing lures impersonating common enterprise services. This technique grants cybercriminal-controlled applications access to Microsoft 365 accounts, openi…
FBI warns Kali365 phishing kit is stealing Microsoft OAuth tokens at scale
The FBI has issued a public service announcement warning about a new phishing kit that's stealing Microsoft OAuth tokens at an alarming rate. OAuth token theft is a serious headache for organizations because stolen tokens can bypass multi-factor authentication (MFA) and grant access to privileged accounts within an organization without needing to know their credentials. Think corporate espionage, data theft, maybe even ransomware. The main culpr…
FBI warns of Kali365 phishing-as-a-service after April Microsoft 365 attacks
The law enforcement agency published an advisory on Thursday about Kali365 — a Telegram-based service for cybercriminals that allows them to capture legitimate "OAuth" tokens enabling widespread access to Microsoft 365 environments.
FBI warns of Kali OAuth stealers
The FBI has warned of the danger from a new wave of phishing attacks generated by a tool called Kali365. It enables cyber criminals to obtain Microsoft 365 access tokens and bypass multi-factor authentication (MFA) protocols without intercepting the user’s credentials by capturing OAuth tokens linked to the victim’s Microsoft 365 account. The scam works in a similar way to most phishing attacks. An attacker sends an email purporting to be from a…
Stealing a password? It has almost become an accessory. The FBI has issued an alert on Kali365, a hacking kit that gets into a company's Microsoft 365 accounts without ever needing the password or the famous two-factor authentication code. The protection that many imagine is no longer of great use here. Alas. Kali365 is not a classic virus. It is what is called a phishing kit for rent: a turnkey service, sold a little like a software subscription, except tha…







