CyberheistNews Vol 16 #24 [FBI Alert] Lock Down Your Microsoft 365 Device Code Flows Now

KnowBe4 Team | Jun 16, 2026

CyberheistNews Vol 16 #24  |   June 16th, 2026

[FBI Alert] Lock Down Your Microsoft 365 Device Code Flows Now

The U.S. Federal Bureau of Investigation (FBI) has warned that a new phishing-as-a-service (PhaaS) platform called "Kali365" is targeting OAuth tokens to gain direct access to users' Microsoft 365 accounts without stealing credentials or multifactor authentication codes.

"Through the Kali365 platform subscription, cyber threat actors can capture 'OAuth' tokens and gain persistent access to targeted individuals or entities' Microsoft 365 environments," the Bureau says. "Kali365 lowers the barrier of entry, providing less-technical attackers access to AI-generated phishing lures, automated campaign templates, real-time targeted individual/entity tracking dashboards, and OAuth token capture capabilities."

According to the FBI, the attack proceeds as follows:

  • Lure: An attacker sends a phishing email impersonating trusted cloud productivity and document-sharing services. This phishing email contains a device code with instructions to visit a legitimate Microsoft verification page and enter the code.
  • Authorization: The targeted individuals/entities navigate to the real Microsoft page and paste in the device code, unknowingly authorizing the attacker's device to access their account.
  • Token Theft: The attacker captures OAuth access and refresh tokens, granting them access to the targeted individuals/entities' Microsoft 365 account.
  • Persistence: The attacker can now access Microsoft 365 services such as Outlook, Teams and OneDrive without needing a password or completing any additional MFA challenges.

The Bureau recommends that organizations lock down their device code flows to limit or block device authentication codes unless absolutely necessary. Employee awareness training also helps users recognize phishing attempts so they can thwart these attacks from the start.
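One way to operationalise the Bureau's advice on the logging side, as an added example that is not from the FBI bulletin or the KnowBe4 post: a short Python triage over constructed Entra ID sign-in records in the Microsoft Graph signIn shape (the field names `authenticationProtocol`, `ipAddress`, `appDisplayName` and `status.errorCode` are Graph's; every value in the sample is invented). It lists successful device code grants and rates one HIGH when its source IP never appears in that user's ordinary sign-ins, because a phished device code completes on the attacker's device, not the victim's.

```python
import json
from collections import defaultdict

# Constructed Entra ID sign-in records in the Microsoft Graph signIn shape
# (trimmed to the fields used here). All values are invented for illustration.
SAMPLE_SIGNINS = json.loads("""[
 {"userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2",
  "ipAddress": "203.0.113.10", "appDisplayName": "Microsoft Teams",
  "createdDateTime": "2026-06-15T08:02:11Z", "status": {"errorCode": 0}},
 {"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
  "ipAddress": "198.51.100.77", "appDisplayName": "Microsoft Office",
  "createdDateTime": "2026-06-15T09:40:03Z", "status": {"errorCode": 0}},
 {"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode",
  "ipAddress": "203.0.113.22", "appDisplayName": "Azure CLI",
  "createdDateTime": "2026-06-15T10:15:44Z", "status": {"errorCode": 0}},
 {"userPrincipalName": "bob@example.com", "authenticationProtocol": "oAuth2",
  "ipAddress": "203.0.113.22", "appDisplayName": "Outlook",
  "createdDateTime": "2026-06-15T07:30:00Z", "status": {"errorCode": 0}},
 {"userPrincipalName": "carol@example.com", "authenticationProtocol": "deviceCode",
  "ipAddress": "198.51.100.9", "appDisplayName": "Microsoft Office",
  "createdDateTime": "2026-06-15T11:05:27Z", "status": {"errorCode": 50126}}
]""")


def find_device_code_signins(signins):
    """Return only the sign-ins that completed successfully via the device code grant."""
    return [s for s in signins
            if s.get("authenticationProtocol") == "deviceCode"
            and s.get("status", {}).get("errorCode") == 0]


def triage_device_code(signins):
    """Rate each successful device-code sign-in.

    Heuristic: the token is issued to whichever device started the flow, so the
    sign-in IP belongs to that device. If the user has never signed in from that
    IP through any other protocol, the grant most likely landed on a device the
    user does not own and is rated HIGH; otherwise it is queued for REVIEW.
    """
    known_ips = defaultdict(set)
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            known_ips[s["userPrincipalName"]].add(s["ipAddress"])
    findings = []
    for s in find_device_code_signins(signins):
        user, ip = s["userPrincipalName"], s["ipAddress"]
        severity = "HIGH" if ip not in known_ips[user] else "REVIEW"
        findings.append({"user": user, "ip": ip, "app": s["appDisplayName"],
                         "time": s["createdDateTime"], "severity": severity})
    return findings


if __name__ == "__main__":
    for f in triage_device_code(SAMPLE_SIGNINS):
        print(f"{f['severity']:6} {f['time']} {f['user']} from {f['ip']} via {f['app']}")
```

The preventive half of the advice is a Conditional Access policy that blocks the device code flow under the Authentication flows condition for everyone except the few accounts that genuinely need it; the script above covers what to look for in the sign-in logs while that policy is rolled out.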

Blog post with links:
https://blog.knowbe4.com/fbi-kali365-phishing-kit-targeting-microsoft-365

Why Your DLP Is Failing and What to Do About It

Insider-related incidents now cost organizations $19.5 million annually.

That figure is up 20% in two years—and legacy DLP isn't closing the gap. From accidental mis-deliveries and malicious theft to employees pasting sensitive data into unauthorized Shadow AI tools, a single breach can cause catastrophic damage.

With misdirected emails and unvetted AI usage driving modern security incidents, it's time for intelligent, context-aware data security.

Join Erich Kron, KnowBe4 CISO Advisor, as he deconstructs the hidden risks inside your email environment and shows you a fundamentally different approach to data protection — one built around user intent and behavioral context, not rigid rules and reactive blocks.

You'll learn how to:

  • Use behavioral AI to identify risky behaviors and stop mistakes or malicious actions in real time.
  • Protect your proprietary and sensitive data from exposure to unapproved Shadow AI tools without disrupting productivity.
  • Eliminate mis-delivery errors and safeguard sensitive data automatically.
  • Explore tools to assess your users' risk levels and gain full audit visibility for compliance.
  • Use contextual nudges to create teachable moments that improve security awareness across your workforce.

Join us and find out how you can proactively prevent data loss while building a more security-conscious culture in your organization and earn CPE credits for attending!

Date/Time: TOMORROW, Wednesday, June 17, @ 2:00 PM (ET)

Save My Spot:
https://info.knowbe4.com/why-your-dlp-is-failing?partnerref=CHN2

Visa: "Now AI-Enabled Social Engineering Attacks Are the No. 1 Fraud Category"

Threat actors are increasingly using AI-enabled social engineering to get around technical security measures, according to a new report from Visa.

Social engineering attacks were behind the largest number of losses in the second half of 2025. "From July to December 2025, Visa identified nearly $1 billion in scam-related activity, making scams the single largest category of consumer payment fraud," Visa says.

"Unlike traditional fraud, these attacks typically do not require breaching technology. Instead, scammers impersonate trusted brands and institutions, manufacture urgency and deceive victims into completing legitimate-looking transactions."

The report also found that ransomware attacks rose by 26% in the second half of 2025, though the number of victims who paid the ransom fell to the lowest on record. Visa believes this reflects "improving resilience and recovery capabilities, as well as a reluctance to pay when data could still be leaked, regardless of payment."

Michael Jabbara, SVP, Payment Ecosystem Risk and Control at Visa, stated, "The rapid adoption of AI has fundamentally lowered the barrier to entry for fraud. What once required deep technical skill can now be executed with a prompt.

"That reality makes intelligence-driven defenses and coordinated action across the ecosystem more critical than ever."

Paul Fabara, Visa's Chief Risk and Client Services Officer, added, "Payments at a network level continue to get safer, but threats are evolving faster than ever. Criminals are increasingly targeting people rather than technology, using deception, urgency and AI-enabled tools to exploit trust.

"Addressing this shift requires continuous innovation at the network level and close collaboration across banks, merchants, policymakers and the broader payments ecosystem."

Blog post with links:
https://blog.knowbe4.com/report-ai-enabled-social-engineering-attacks-are-on-the-rise

Email and Messaging Security That Understands You

Email is your riskiest channel for attacks and data loss. Nearly 58,000 threats slip past traditional defenses every day. They're not occasional. They're persistent, high-volume and growing more sophisticated with AI.

See how you can stop up to 97% more attacks and uncover 10 times more potential data breaches before they happen.

Join this live demo of KnowBe4’s Cloud Email Security to see how you can detect the full spectrum of inbound threats and outbound data loss, and coach your workforce in real time against every threat.

We will showcase:

  • Self-Serve DLP Rule Builder: Easily build and manage custom rules to stop outbound data leaks.
  • Misdirected Content Analysis: Smarter AI that understands context to catch errors before sensitive data goes to the wrong recipient.
  • NEW! Microsoft Teams Messaging Security: Extending defense beyond the inbox to monitor external chats, block threats and harden collaboration settings.
  • Teachable Security Moments: Real-time coaching that fixes risky user behavior in the moment.

Your defenses are only as strong as your weakest entry point. Don't let email be it.

Date/Time: Wednesday, June 24, @ 2:00 PM (ET)

Save My Spot:
https://info.knowbe4.com/ces-demo-3?partnerref=HS

A Look at Spam vs. Phishing: 4 Key Differences

Great inspiration for creating user-facing security awareness content!

Spam and phishing are often used interchangeably in email security, but they serve distinct purposes and carry varying levels of risk. Understanding the difference between spam vs. phishing helps organizations better recognize threats and respond appropriately.

This guide breaks down how spam and phishing differ, how to identify each and what steps organizations can take to reduce risk.

Key Takeaways:

  • Spam emails are unsolicited and typically promotional, while phishing emails are designed to deceive users into taking risky actions.
  • The key difference between the two is intent: spam promotes, phishing manipulates.
  • Phishing poses a higher risk because it can lead to credential theft, financial loss and broader system exposure.
  • Spam is usually generic and low-pressure, while phishing messages often create urgency and mimic trusted sources.
  • Effective defense requires both technical controls and user training to improve how threats are recognized and handled.

Blog post with links:
https://blog.knowbe4.com/a-look-at-spam-vs.-phishing-4-key-differences

[Virtual Summit] Secure Every Human & AI Agent

You're invited! Join us for the Workforce Security Summit on July 8 to see what securing both your humans and AI agents looks like in practice.

The workforce has changed; your security strategy needs to catch up. AI agents are proliferating across your organization. Attackers are weaponizing deepfakes and AI-powered social engineering against your people. The old playbook wasn't built for a workforce that is no longer purely human.

Here's what you'll walk away with:

  • Look to the future of AI-native security: Join CEO Bryan Palma for a look at the future of digital workforce security and the innovation shaping what comes next
  • Know your threat. Own your defense. Walk away confident you have the knowledge and tools to defend against the threats targeting your people and agents — deepfakes, AI-powered phishing, voice cloning and more
  • See what’s coming on the KnowBe4 Platform roadmap and get an exclusive inside look at what’s next

Date/Time: Wednesday, July 8 @ 1:00 - 3:00 PM ET

Save My Spot:
https://www.knowbe4.com/workforce-summit-na?partnerref=CHN

Let's stay safe out there.

Warm regards,

Stu Sjouwerman, SACP
Executive Chairman
KnowBe4, Inc.

PS: KnowBe4 Wins Multiple 2026 TrustRadius Top Rated Awards:
https://blog.knowbe4.com/knowbe4-wins-multiple-2026-trustradius-top-rated-awards

PPS: [For your CMO] Yours Truly in Forbes "Five Patterns Leading To An Impending Revenue Miss":
https://www.forbes.com/councils/forbestechcouncil/2026/06/09/five-patterns-leading-to-an-impending-revenue-miss/

Quotes of the Week
"There is nothing impossible to him who will try."
- Alexander the Great (356 - 323 BC)

"It is hard to fail, but it is worse never to have tried to succeed. In this life we get nothing save by effort."
- Theodore Roosevelt - 26th U.S. President (1858 - 1919)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-16-24-fbi-alert-lock-down-your-microsoft-365-device-code-flows-now

Security News

APWG Report: Social Media Phishing Is Surging

Phishing scams surged across social media platforms during the first quarter of 2026, according to a new report from the Anti-Phishing Working Group (APWG).

"Threat volume increased in Q1 2026 on every social media platform, predominantly in two formats: Scams (27.1 percent of all threats) and Impersonation (43.8 percent of all threats)," the report says.

The APWG adds, "Impersonation became more prevalent than in the previous quarter. Impersonation is frequently the opening move in a scam campaign, with threat actors establishing a fake identity before advancing to financial fraud. Seen through that lens, the two categories remain deeply intertwined, and their combined 70.9 percent share still represents the core of the threat landscape."

Attackers are also using more advanced evasion techniques to hide their websites from security scanners, giving their schemes a longer lifespan.

"Fraudsters appear to be using more intricate and elaborate methods to hide their scam and phishing sites," the APWG says. "Phishers are still employing well-known techniques such as geo/IP blocking and user-agent blocking. But an increasing number of sites only show fraudulent content when the referrer is a certain site or kind of site.

"For example, the fraud site is only displayed if the user came from the Bing search engine and had searched for "[bank name] bank login", or visited from a certain social media site (i.e. a user clicked on a comment in a TikTok video).

"Otherwise, the visitors will see innocuous-looking content, or may be redirected to another site."

KnowBe4 empowers your workforce to make smarter security decisions every day.

The APWG has the story:
https://www.accessnewswire.com/newsroom/en/computers-technology-and-internet/apwg-q1-2026-report-phishing-and-scams-rising-on-all-social-media-1170893

Americans Lost $900 Million to AI-Powered Scams Last Year

The U.S. Federal Bureau of Investigation (FBI) warns that Americans lost just under $900 million to AI-powered scams in 2025, Malwarebytes reports. Total reported losses to scams last year reached nearly $21 billion, a 26% increase from 2024.

The researchers note that the true losses are likely much higher, since many attacks go unreported. "The main drivers behind the rise in AI-powered scams are voice cloning, deepfake images and videos and AI‑generated scripts," Malwarebytes says. "These tools have supercharged classic fraud schemes such as romance scams, kidnapping and extortion calls, fake influencers and government impersonation."

The FBI notes that AI tools have drastically lowered the bar for attackers to craft highly realistic fraudulent content. "AI technology enables the creation of convincing synthetic content, such as social media profiles and personalized conversations, often in mass quantities," the Bureau says.

"People have manipulated video and audio similarly for decades, but the widespread availability of this developing technology makes it possible to create high-quality content. AI-enabled synthetic content is becoming increasingly difficult to detect and easier to make, which allows criminal actors to potentially conduct successful fraud schemes against individuals, businesses and financial institutions."

Malwarebytes concludes that these attacks will increase as AI tools improve and become more accessible. "The FBI and financial institutions recommend verifying identities via official contact channels," Malwarebytes says.

"One of their biggest concerns is government impersonation scams, which have evolved from crude IRS gift‑card phone calls into sophisticated, multi‑channel operations that combine spoofed caller ID, stolen agency logos and AI-generated audio and video of public officials.

"This report, and others like it, shows how AI is being weaponized to automate research on victims, generate convincing scripts and create highly believable deepfake personas at scale. AI is also increasingly used in business email compromise (BEC), romance scams and impersonation fraud.

"In BEC cases involving AI, losses have already reached tens of millions of dollars for businesses alone."

Over 70,000 organizations worldwide trust the KnowBe4 Platform to strengthen their security culture and reduce risk.

Malwarebytes has the story:
https://www.malwarebytes.com/blog/scams/2026/06/americans-lost-nearly-900-million-to-ai-powered-scams-fbi-says

What KnowBe4 Customers Say

"Thank you so much for the fantastic call today. You answered many questions that I had that I hadn't even verbalized on the call. It has been a good experience working with KnowBe4 for about nine years now and you two have continued that great working relationship. I greatly appreciate you!"

- T.M., Executive Director - Information Technology Services

The 10 Interesting News Items This Week
  1. OpenClaw AI agent found falling for phishing attacks, spills user data:
    https://www.bleepingcomputer.com/news/security/openclaw-ai-agent-found-falling-for-phishing-attacks-spills-user-data/

  2. Attackers continue to exploit World Cup hype:
    https://cyble.com/blog/fifa-world-cup-2026-scams/

  3. AI brands as bait: How threat actors are using the AI hype in social engineering:
    https://www.microsoft.com/en-us/security/blog/2026/06/08/ai-brands-as-bait-how-threat-actors-are-using-the-ai-hype-in-social-engineering/

  4. WhatsApp says it disrupted new NSO spyware phishing attacks:
    https://www.bleepingcomputer.com/news/security/whatsapp-says-it-disrupted-new-nso-spyware-phishing-attacks/

  5. When “Hi, This Is IT” Comes Through Microsoft Teams:
    https://unit42.paloaltonetworks.com/microsoft-teams-phishing/

  6. North Koreans behind nearly half of U.S. tech industry hacks, says CrowdStrike:
    https://techcrunch.com/2026/06/10/north-koreans-behind-nearly-half-of-us-tech-industry-hacks-says-crowdstrike/

  7. Social media overtakes email as the primary vector for scams:
    https://www.bitdefender.com/en-us/blog/hotforsecurity/global-scam-report-2026

  8. Authorities dismantle 'AudiA6' ransomware crypto-laundering service:
    https://www.bleepingcomputer.com/news/legal/authorities-dismantle-audia6-ransomware-crypto-laundering-service/

  9. Google sues China-based cybercrime network over AI phishing tools:
    https://www.helpnetsecurity.com/2026/06/12/google-china-based-cybercrime-network-lawsuit/

  10. Cybersecurity software misses one in five phishing links:
    https://www.infosecurity-magazine.com/news/cybersecurity-fails-to-detect/

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff


Secure the Digital Workforce: Human + AI

KnowBe4 empowers the modern workforce to make smarter security decisions every day. Trusted by more than 70,000 organizations worldwide, KnowBe4 is the pioneer of digital workforce security, securing both AI agents and humans. The KnowBe4 Platform provides attack simulation and training, collaboration security, and agent security powered by AIDA (Artificial Intelligence Defense Agents) and a proprietary Risk Score. The platform leverages 15 years of behavioral data to combat advanced threats including social engineering, prompt injection, and shadow AI. By securing humans and agents, KnowBe4 leads the industry in workforce trust and defense.