The FBI has issued a warning to Microsoft 365 users about a new phishing scam called Kali365, which lets attackers take over accounts without ever learning the victim's password. The scam works by sending phishing emails that ask users to enter an attacker-generated device code on a genuine Microsoft verification page; because the page is real and the victim completes the sign-in themselves, the attacker ends up with control over the account.
Kali365 is a subscription-based cybercrime platform that provides attackers with AI-generated phishing lures, automated campaign templates, and OAuth token capture capabilities. The platform is available for a monthly fee of $250 and is distributed through Telegram.
The FBI has outlined the typical steps of the scam, which include receiving a phishing email, entering the device code on a genuine Microsoft page, and authorizing the attacker's device to access the account. Once the code is entered, the attacker captures OAuth access and refresh tokens, giving them control over the Microsoft 365 account.
The FBI urges users to follow Microsoft's guidance and file a complaint with the Internet Crime Complaint Center if they are targeted. Users are advised not to open links with access codes they did not request and to limit or block device authentication codes to reduce the risk of such attacks.
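As an added example that is not part of the FBI notice or of this report, the sign-in pattern described above can be picked out of exported Microsoft 365 sign-in logs: the victim authorises from a familiar location, but the device-code sign-in that redeems the token comes from somewhere the user has never signed in before. The JSON field names and the sample records are assumptions constructed for this example.

```python
"""Flag device-code-flow sign-ins in exported Microsoft 365 sign-in logs.

Assumptions (not from the FBI notice): the log is JSON lines and each record
carries the field names used below. All sample records are constructed.
"""
import json

# Constructed sample: a normal browser sign-in for alice, then a device-code
# sign-in for alice from an IP she has never used (the phished-code pattern),
# then a normal sign-in and a device-code sign-in for bob from his usual IP.
SAMPLE_LOG = """\
{"createdDateTime":"2025-01-10T09:00:00Z","userPrincipalName":"alice@example.com","ipAddress":"203.0.113.10","authenticationProtocol":"authorizationCodeFlow","appDisplayName":"Outlook"}
{"createdDateTime":"2025-01-10T09:05:00Z","userPrincipalName":"alice@example.com","ipAddress":"198.51.100.7","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Authentication Broker"}
{"createdDateTime":"2025-01-10T09:06:00Z","userPrincipalName":"bob@example.com","ipAddress":"203.0.113.20","authenticationProtocol":"authorizationCodeFlow","appDisplayName":"Teams"}
{"createdDateTime":"2025-01-10T09:07:00Z","userPrincipalName":"bob@example.com","ipAddress":"203.0.113.20","authenticationProtocol":"deviceCode","appDisplayName":"Azure CLI"}
"""


def known_ips(records):
    """Map each user to the IPs seen on their non-device-code sign-ins."""
    seen = {}
    for r in records:
        if r["authenticationProtocol"] != "deviceCode":
            seen.setdefault(r["userPrincipalName"], set()).add(r["ipAddress"])
    return seen


def flag_device_code_signins(log_text):
    """Return (user, ip, app, severity) for every device-code sign-in.

    Severity is "high" when the source IP never appeared in that user's
    ordinary sign-ins: the victim typed the code on their own machine, but
    the token was redeemed by a device somewhere else, which is exactly what
    a phished device code looks like. Device-code sign-ins from a familiar
    IP are still reported, at "medium", because the flow is rarely needed
    by ordinary users.
    """
    records = [json.loads(ln) for ln in log_text.splitlines() if ln.strip()]
    baseline = known_ips(records)
    hits = []
    for r in records:
        if r["authenticationProtocol"] != "deviceCode":
            continue
        user, ip = r["userPrincipalName"], r["ipAddress"]
        severity = "high" if ip not in baseline.get(user, set()) else "medium"
        hits.append((user, ip, r["appDisplayName"], severity))
    return hits


if __name__ == "__main__":
    for hit in flag_device_code_signins(SAMPLE_LOG):
        print(hit)
```

The same logic applied to a real export complements the FBI's advice to limit or block device code sign-ins outright where they are not needed.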