The US Federal Bureau of Investigation (FBI) has warned that a new phishing-as-a-service (PhaaS) platform called “Kali365” is targeting OAuth tokens to gain direct access to users’ Microsoft 365 accounts without stealing credentials or multifactor authentication codes.
“Through the Kali365 platform subscription, cyber threat actors can capture ‘OAuth’ tokens and gain persistent access to targeted individuals/entities' Microsoft 365 environments,” the Bureau says. “Kali365 lowers the barrier of entry, providing less-technical attackers access to AI-generated phishing lures, automated campaign templates, real-time targeted individual/entity tracking dashboards, and OAuth token capture capabilities.”
According to the FBI, the attack proceeds as follows:
- “Lure: An attacker sends a phishing email impersonating trusted cloud productivity and document-sharing services. This phishing email contains a device code with instructions to visit a legitimate Microsoft verification page and enter the code.
- “Authorization: The targeted individuals/entities navigate to the real Microsoft page and pastes in the device code, unknowingly authorizing the attacker's device to access their account.
- “Token Theft: The attacker captures OAuth access and refresh tokens, granting them access to the targeted individuals/entities' Microsoft 365 account.
- “Persistence: The attacker can now access Microsoft 365 services such as Outlook, Teams, and OneDrive without needing a password or completing any additional MFA challenges.”
The Bureau recommends that organizations lock down their device code flows to limit or block device authentication codes unless absolutely necessary. Employee awareness training can also help users recognize phishing attempts, so they can thwart these attacks from the start.
The FBI has the story: Kali365 Phishing-as-a-Service Kit Hijacks Microsoft 365 Access Tokens
