FBI warns about Microsoft 365 cyber attacks that don’t need passwords

Published on June 17, 2026

The FBI has issued a public service announcement (PSA) warning about an emerging phishing scam targeting Microsoft 365 services, including Outlook, Teams, and OneDrive. 

A Phishing-as-a-Service (PHaaS) platform called Kali 365 enables cyber threat actors to obtain Microsoft 365 access tokens and bypass multi-factor authentication (MFA) protocols without intercepting the user’s credentials, such as passwords. 

Through the Kali 365 platform subscription, cyber threat actors can capture “OAuth” tokens and gain persistent access to targeted individuals/entities’ Microsoft 365 environments. 

The FBI warns that Kali 365 is primarily distributed via Telegram and lowers the barrier to entry, providing less-technical attackers access to AI-generated phishing lures, automated campaign templates, real-time targeted individual/entity tracking dashboards, and OAuth token capture capabilities. 

An attacker first sends a phishing email impersonating trusted cloud productivity and document-sharing services. The phishing email contains a device authentication code and instructions to visit a legitimate Microsoft verification page. 

If the targeted individual/entity navigates to the real Microsoft page and pastes the device code, they’ll authorize the attacker’s device to access their account. 

The attacker then captures OAuth access and refresh tokens, granting them access to the targeted individual's or entity's Microsoft 365 account. 

This would give the attacker access to Microsoft 365 services such as Outlook, Teams, and OneDrive without needing a password or completing any additional MFA challenges. 

The FBI gives tips for protecting against the scam: 

    • Create a conditional access policy to block device code flow for all users, with limited exceptions for required business processes.
    • Audit existing device code flow usage to identify legitimate dependencies before creating a conditional access policy.
    • Block authentication transfer policies to prevent users from transferring authentication from computers to mobile devices.
    • If you cannot completely restrict device code flow usage, exclude emergency access accounts to prevent lockouts.
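The two halves of that advice (audit the flow first, then block it with a conditional access policy that spares the emergency accounts) can be exercised with a small script. The following is an added example, not code from the FBI announcement or from Microsoft. It assumes the sign-in records have the shape of Microsoft Entra sign-in log entries as returned by the Microsoft Graph `signIns` endpoint, where `authenticationProtocol` is `deviceCode` for a device code flow sign-in, and that the policy body follows the Graph `conditionalAccessPolicy` schema, where `conditions.authenticationFlows.transferMethods` names the flows to match. The sample records are constructed, and the account IDs in the exclusion list are placeholders (a real tenant uses user object IDs there).

```python
"""Audit device code flow usage, then build the Conditional Access policy that
blocks it (added example; assumes Entra sign-in log field names and the Graph
conditionalAccessPolicy schema)."""
import json
from collections import defaultdict

# Constructed sample sign-in records (not real log data). Field names follow the
# Microsoft Graph signIn resource; only the fields used below are included.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10",
     "createdDateTime": "2026-06-15T08:01:00Z"},
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7",
     "createdDateTime": "2026-06-16T13:22:00Z"},
    {"userPrincipalName": "svc-kiosk@example.com", "appDisplayName": "Azure CLI",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.20",
     "createdDateTime": "2026-06-16T09:00:00Z"},
    {"userPrincipalName": "svc-kiosk@example.com", "appDisplayName": "Azure CLI",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.20",
     "createdDateTime": "2026-06-17T09:00:00Z"},
    {"userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Teams",
     "authenticationProtocol": "ssoOrKerberos", "ipAddress": "203.0.113.11",
     "createdDateTime": "2026-06-16T10:00:00Z"},
]


def audit_device_code_usage(signins):
    """Group device code flow sign-ins by (user, app) so that legitimate
    dependencies (service accounts, kiosks, CLI tooling) can be identified
    before the flow is blocked. Returns a dict keyed by (upn, app)."""
    usage = defaultdict(lambda: {"count": 0, "ips": set(), "last_seen": ""})
    for rec in signins:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        entry = usage[(rec["userPrincipalName"], rec["appDisplayName"])]
        entry["count"] += 1
        entry["ips"].add(rec["ipAddress"])
        # ISO-8601 UTC timestamps sort lexically, so max() gives the latest.
        entry["last_seen"] = max(entry["last_seen"], rec["createdDateTime"])
    return {k: {"count": v["count"], "ips": sorted(v["ips"]),
                "last_seen": v["last_seen"]} for k, v in usage.items()}


def build_block_policy(emergency_account_ids, exception_ids=(),
                       display_name="Block device code flow and authentication transfer"):
    """Return a Conditional Access policy body that blocks the device code flow
    and authentication transfer for all users, excluding the emergency access
    accounts (and any documented business exceptions) to avoid lockouts.
    The policy is created in report-only mode first; switch it to "enabled"
    once the report shows no unexpected matches."""
    excluded = list(dict.fromkeys([*emergency_account_ids, *exception_ids]))
    return {
        "displayName": display_name,
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": excluded},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {
                "transferMethods": "deviceCodeFlow,authenticationTransfer"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    for (upn, app), info in audit_device_code_usage(SAMPLE_SIGNINS).items():
        print(f"{upn:28} {app:18} count={info['count']} ips={info['ips']} "
              f"last={info['last_seen']}")
    # Placeholder object IDs; replace with the tenant's real break-glass and
    # exception account IDs before submitting the policy.
    policy = build_block_policy(["<emergency-account-object-id-1>"],
                                ["<svc-kiosk-object-id>"])
    print(json.dumps(policy, indent=2))
```

The audit output is what the FBI's second tip asks for: in the constructed data it shows one recurring device code sign-in from a service account (a likely legitimate dependency to document as an exception) and a one-off device code sign-in for a regular user from a different address than that user's normal sign-ins, which is the pattern worth investigating. The policy body is then posted to the Graph `identity/conditionalAccess/policies` endpoint by whatever tooling the tenant already uses.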

The FBI asks anyone impacted by the Kali 365 phishing scheme to file a complaint with the Internet Crime Complaint Center (IC3) at www.ic3.gov. Be sure to include any available information, such as: 

    • Phishing emails (email header, body)
    • Suspicious logins (time, IP address, location)
    • Any unauthorized devices or active sessions added to the account

The FBI also suggests individuals and entities learn best practices and mitigations here

Last year, cybersecurity officials from StoredTech simulated a phishing attack on a collision repair business during a Collision Industry Conference (CIC) meeting. 

The simulation also walked shops through the damage it could cause a business when not responded to correctly. 

A panel discussion at the 2024 MSO Symposium also focused on how cyber attacks can impact an entire supply chain and the best ways to prevent exposure.

Photo courtesy of anyaberkut/iStock