Cyber attackers are hijacking Microsoft Outlook, Teams and 365 log-ins, FBI says

The FBI warned Thursday about a new phishing platform, Kali365, enabling cyber attackers to access Microsoft 365 accounts without passwords or multi-factor authentication. First detected in April, Kali365 is distributed primarily through Telegram and uses AI-generated phishing emails impersonating trusted services. Victims are tricked into entering device codes on legitimate Microsoft verification pages, authorizing attackers to capture authorization tokens for Outlook, Teams, and OneDrive. The attack begins with a phishing email containing a device code and instructions to visit Microsoft’s verification page. Once entered, the code grants attackers access to the victim’s account, allowing them to bypass security measures. The FBI notes that Kali365 simplifies account takeover for unskilled attackers, enabling real-time targeting and tracking of individuals. To mitigate risks, the FBI recommends creating conditional access policies to block device code flow, reviewing current access permissions, and restricting authentication transfers between devices. It also advises excluding emergency access accounts to prevent lockouts. Microsoft supports these measures and adds best practices, including recognizing phishing attempts, avoiding unknown file attachments, and keeping software updated. Microsoft stated it is actively working to disrupt cybercriminal networks behind phishing-as-a-service and account takeover schemes to protect users. The company aligns with the FBI’s guidance while emphasizing proactive security measures to prevent unauthorized access.