FBI Warns Microsoft 365 Users About Dangerous Kali365 Scam That Bypasses MFA

The FBI has issued a warning about a dangerous new phishing campaign called Kali365 that targets Microsoft 365 users and bypasses multi-factor authentication using stolen OAuth device codes. Here’s how the scam works and how you can stay protected.


Cybersecurity threats that target cloud applications continue to evolve quickly, and in some cases multi-factor authentication alone may no longer be enough to protect users. The US Federal Bureau of Investigation (FBI) recently identified a new scam known as “Kali365.” It targets people who use cloud-based Microsoft 365 applications such as Outlook, Teams, and OneDrive. One of its most concerning aspects is that the attacker gains access to accounts without compromising the password or passing any additional form of verification.


As reported by the FBI Internet Crime Complaint Center (IC3), the Kali365 phishing scam uses OAuth device codes to gain access to Microsoft 365 accounts. According to security researchers, this type of scam may become widespread relatively soon, because it requires less skill on the attacker's part than conventional cybercrime schemes.

What Is the Kali365 Scam?

Kali365 is a phishing attack that abuses the OAuth login system offered by Microsoft. OAuth is an authorization framework that lets applications and software access a user's account without ever handling the user's password. This procedure is commonly used to sign in to applications with Google, Microsoft, or Facebook accounts.


The phishing emails used in this attack contain links to pages designed to trick the victim into granting access. The criminals steal the OAuth device-code authorization that the victim approves, making it possible to break into Microsoft 365 services.


Because the authentication procedure runs through genuine Microsoft sites, the user suspects nothing and typically notices the compromise only at a very late stage.

How the Attack Works

The con normally starts with the user receiving an email that pretends to come from a trusted cloud collaboration or document-sharing company. It contains a device code and asks the user to follow a verification link that leads to the official Microsoft website.


Because the website is legitimate, many users trust the procedure and enter the code. In reality, the code is tied to a login session that the attacker initiated.


Once the device code has been entered, the attacker instantly gains access to all services included in the Microsoft 365 subscription. Such accounts usually include Outlook email, Microsoft Teams chats, OneDrive cloud storage, and many others.


What makes this particularly threatening is that the attacker does not need to know the password and can even skip the multi-factor authentication step, because the user confirmed the access request themselves.


Why Kali365 Is So Dangerous

Phishing attacks have traditionally targeted usernames and passwords. Kali365, by contrast, is a relatively new type of threat that abuses an authentication flow rather than the credentials themselves.


According to the FBI, such attacks have become easier for unskilled cybercriminals to carry out thanks to machine-learning phishing templates, automated attack dashboards, and live tracking. This means that today even novice attackers can run highly targeted attacks with sophisticated tools.


The actions that can be committed following the breach of one's Microsoft 365 account may include:

  • Data theft for either business or personal use

  • Accessing and analyzing confidential emails and documents

  • Ransomware attacks

  • Financial fraud

  • Communication espionage by means of Teams or Outlook apps

For companies, the compromise of just one Microsoft 365 account can provide unauthorized access to internal networks and communication systems.


FBI’s Recommendations for Protection

The FBI has suggested that companies and users take steps to protect themselves from phishing attempts and from any unauthorized request for OAuth access.

Businesses that use Microsoft 365 can implement Conditional Access to protect themselves against such phishing attempts.

For ordinary users, awareness remains the key.


Avoid Clicking Suspicious Links

Never click on links or follow instructions in unsolicited emails or texts, even when they appear to come from reputable companies. It is safer to go directly to the company's website than to click a link in an email that claims to come from Microsoft or a similar organization.

Carefully Check Email Addresses and URLs

Cybercriminals usually use fake email addresses and look-alike domains that closely resemble those of legitimate businesses. Misspellings or extra characters can give away a scam.


Always verify the legitimacy of the sender, and do not engage with any communication that requests account verification or authorization.


Be Cautious With Attachments and Downloads

Users should avoid opening attachments from unknown senders. Even emails forwarded by familiar contacts should be treated carefully if they contain unexpected files or login instructions.


Monitor Account Activity

Users should regularly review active sessions, connected devices, and login history within their Microsoft accounts. Suspicious sign-ins from unfamiliar locations or devices should be immediately revoked.
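As an added illustration (not part of the FBI alert or this article), the following Python script shows the kind of check the monitoring advice above describes: it scans constructed Microsoft Entra sign-in records, flags every sign-in that used the OAuth device-code flow the Kali365 campaign abuses, and raises severity when the sign-in location falls outside the user's recent baseline or no Conditional Access policy applied. The field names and the "deviceCode" protocol value are assumptions to verify against real exported logs.

```python
from collections import defaultdict

# Constructed sample of Microsoft Entra sign-in records (not real data). Field names
# follow the Microsoft Graph signIn resource; "deviceCode" as authenticationProtocol is
# assumed to mark the OAuth device-code flow and must be verified against your tenant.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2025-05-30T08:40:00Z", "userPrincipalName": "bob@example.com",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10", "appDisplayName": "Microsoft Teams",
     "location": {"countryOrRegion": "US"}, "conditionalAccessStatus": "success"},
    {"createdDateTime": "2025-05-30T09:01:00Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10", "appDisplayName": "Microsoft Teams",
     "location": {"countryOrRegion": "US"}, "conditionalAccessStatus": "success"},
    {"createdDateTime": "2025-05-30T09:03:12Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.77", "appDisplayName": "Microsoft Office",
     "location": {"countryOrRegion": "NL"}, "conditionalAccessStatus": "notApplied"},
    {"createdDateTime": "2025-05-30T09:05:40Z", "userPrincipalName": "bob@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10", "appDisplayName": "Microsoft Office",
     "location": {"countryOrRegion": "US"}, "conditionalAccessStatus": "success"},
]

def baseline_countries(signins):
    """Per-user set of countries seen on sign-ins that did NOT use the device-code flow."""
    seen = defaultdict(set)
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            seen[s["userPrincipalName"]].add(s["location"]["countryOrRegion"])
    return seen

def find_device_code_signins(signins):
    """Flag every device-code sign-in; severity is a heuristic, not proof of compromise."""
    baseline = baseline_countries(signins)
    alerts = []
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue
        user, country = s["userPrincipalName"], s["location"]["countryOrRegion"]
        reasons, severity = ["device-code flow used"], "medium"
        if country not in baseline.get(user, set()):
            severity = "high"  # location never seen on this user's ordinary sign-ins
            reasons.append(f"location {country} not in user's recent baseline")
        if s.get("conditionalAccessStatus") == "notApplied":
            reasons.append("no Conditional Access policy applied")
        alerts.append({"user": user, "time": s["createdDateTime"], "ip": s["ipAddress"],
                       "app": s["appDisplayName"], "severity": severity, "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for a in find_device_code_signins(SAMPLE_SIGNINS):
        print(f"[{a['severity']}] {a['user']} {a['time']} {a['ip']} -> {'; '.join(a['reasons'])}")
```

On the constructed sample the alice sign-in is rated high (new country, no policy applied) and the bob sign-in medium (device code used, but from his usual location).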


What To Do If You Become a Victim

If you suspect your Microsoft 365 account has been compromised through a Kali365 phishing attack, the FBI recommends filing a report with the Internet Crime Complaint Center (IC3).

Victims should include as much information as possible, including:

  • Copies of phishing emails

  • Email headers and message content

  • Suspicious login times and IP addresses

  • Unknown devices connected to the account

  • Unauthorized active sessions

It is also important to immediately revoke unauthorized sessions, change account passwords, and review account permissions linked to third-party applications.


Growing Threat to Cloud Security

The FBI's warning shows how cybercriminals are focusing on complex authentication-based scams rather than relying only on passwords to breach security measures. As more individuals adopt cloud services for private and business purposes, attackers have turned their attention to Microsoft 365 because it gives access to information, email communications, and the processes that take place inside an organization.


Kali365 likewise illustrates the growing sophistication and complexity of phishing attacks, along with advances in AI-based tools that make phishing emails far more believable.


Because Microsoft 365 is so widely used in the business community around the globe, many cybersecurity analysts expect such OAuth phishing scams to increase in the coming months.

