A new Microsoft 365 scam on Microsoft Teams, Outlook, and OneDrive is spreading quickly, and the FBI is warning the public about it.
The FBI noted that a hacking platform called Kali365 is being used to steal OAuth device codes from its victims, which grants attackers full access to Microsoft accounts without requiring the username or password, and without intercepting any multifactor authentication code.
How the Scam Works
As outlined by the FBI, attackers send a phishing email that mimics a trusted cloud document-sharing or cloud productivity service. A device code is included within the phishing message, and its recipient is prompted to input it at a Microsoft verification website to log in.
Once the user enters the device code on the malicious page, they unintentionally authorize the attacker’s device to access their Microsoft 365 account.
Attackers can then steal both OAuth access and refresh tokens in order to carry out a full Microsoft 365 account takeover for Outlook, Teams, or OneDrive services.
Kali365, the platform being used, is described by the FBI as a nascent Phishing-as-a-Service tool that offers criminals with weak technical skills a variety of features, including AI-driven phishing lures, automated campaign templates, real-time tracking dashboards, and OAuth token capture functionality.
The FBI detected Kali365 in April and reported it’s being sold for $250 monthly. The technique is considered concerning because it doesn’t rely on phishing for credentials but rather on abusing the device-code authorization method.
The scam bypasses multifactor authentication because the user, following the phishing lure’s instructions, completes the authorization themselves, after which their access tokens are captured.
What to Do if You Are Targeted by This Attack
The FBI cautions individuals not to open emails with unsolicited instructions or links that prompt users to enter access codes. All phishing emails, suspicious logins, new and unexpected devices, and sessions that have been added to accounts should be reported to the Internet Crime Complaint Center (IC3).
Users are advised to provide as many details as possible in their report, such as email headers, messages, the IP addresses of logins, login locations, and times.
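The sign-in characteristics described above (a device-code authorization from a device and location the user never used before) and the details the FBI asks to see in a report (login IP, location, time) can be pulled together in one detection pass over sign-in logs. The script below is an added example, not code from the article, the FBI, or Microsoft. It assumes records shaped like the Microsoft Graph signIn resource (authenticationProtocol, ipAddress, location, deviceDetail); the records themselves are constructed sample data, and the per-user baselines of known countries and device IDs are assumed to come from the organisation’s own verified sign-in history.

```python
"""Flag OAuth device-code sign-ins in Entra ID style sign-in records.

Added example, not code from the article or from Microsoft or the FBI. The record
shape mirrors the Microsoft Graph `signIn` resource, but every record below is
constructed sample data, and the baselines are assumed to come from the
organisation's own history.
"""
from dataclasses import dataclass, field

# Constructed sample sign-in records (not real log data).
SAMPLE_SIGNINS = [
    {"createdDateTime": "2025-04-02T09:14:00Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "none", "appDisplayName": "Outlook",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"},
     "deviceDetail": {"deviceId": "dev-alice-laptop"}},
    # Device-code sign-in from an unknown country and no registered device.
    {"createdDateTime": "2025-04-02T11:52:00Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office",
     "ipAddress": "198.51.100.77", "location": {"countryOrRegion": "NL"},
     "deviceDetail": {"deviceId": ""}},
    # Device-code sign-in from a known device and country (e.g. a CLI login).
    {"createdDateTime": "2025-04-02T12:05:00Z", "userPrincipalName": "bob@example.com",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Azure CLI",
     "ipAddress": "203.0.113.22", "location": {"countryOrRegion": "US"},
     "deviceDetail": {"deviceId": "dev-bob-buildbox"}},
]

# Assumed per-user baselines: countries and device IDs seen in prior verified sign-ins.
KNOWN_COUNTRIES = {"alice@example.com": {"US"}, "bob@example.com": {"US"}}
KNOWN_DEVICES = {"alice@example.com": {"dev-alice-laptop"},
                 "bob@example.com": {"dev-bob-buildbox"}}


@dataclass
class Finding:
    user: str
    time: str
    ip: str
    country: str
    app: str
    severity: str
    reasons: list = field(default_factory=list)


def assess_signin(rec, known_countries, known_devices):
    """Return a Finding for a device-code sign-in, or None for any other protocol."""
    if rec.get("authenticationProtocol") != "deviceCode":
        return None
    user = rec["userPrincipalName"]
    country = rec.get("location", {}).get("countryOrRegion", "")
    device_id = rec.get("deviceDetail", {}).get("deviceId", "")
    reasons = ["device code flow used"]
    if country not in known_countries.get(user, set()):
        reasons.append(f"country {country or '?'} not in user's baseline")
    if not device_id or device_id not in known_devices.get(user, set()):
        reasons.append("device not previously seen for this user")
    # Device code flow alone is worth a look; combined with a new device or
    # location it matches the account-takeover pattern the FBI describes.
    severity = "high" if len(reasons) > 1 else "medium"
    return Finding(user, rec["createdDateTime"], rec.get("ipAddress", ""),
                   country, rec.get("appDisplayName", ""), severity, reasons)


def scan(records, known_countries=KNOWN_COUNTRIES, known_devices=KNOWN_DEVICES):
    """Run assess_signin over every record and keep the findings."""
    return [f for r in records if (f := assess_signin(r, known_countries, known_devices))]


def report_lines(findings):
    """Format findings with the details the FBI asks for: time, IP, location."""
    return [f"[{f.severity}] {f.time} {f.user} ip={f.ip} country={f.country or '?'} "
            f"app={f.app!r}: " + "; ".join(f.reasons) for f in findings]


if __name__ == "__main__":
    for line in report_lines(scan(SAMPLE_SIGNINS)):
        print(line)
```

Legitimate device-code logins do exist (CLI tools, shared displays), which is why the medium-severity bucket is kept separate: the high-severity findings are the ones to triage first and to include, with the IP, location and timestamp, in the IC3 report the article describes.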
Microsoft recommends following the FBI’s warnings. In its statements it mentions that its Digital Crimes Unit has recently disrupted other phishing tools, such as RaccoonO365, and other do-it-yourself phishing kits designed to steal users’ passwords and data. Microsoft says it’s continuously working to disrupt account takeover and phishing-as-a-service networks.