
A phishing kit is stealing Microsoft OAuth tokens at a high rate, enabling attackers to bypass multi-factor authentication. Stolen tokens can provide access to privileged accounts and support outcomes such as corporate espionage, data theft, and ransomware. The kit, Kali365, is offered as phishing-as-a-service on Telegram and lowers the barrier for less-technical attackers. It provides AI-generated phishing lures, automated campaign templates, targeted tracking dashboards, and OAuth token capture. It sends emails impersonating trusted cloud productivity services and includes a device code and instructions to enter it on a legitimate Microsoft page. Registering the device links the attacker to the victim’s Microsoft 365 account, granting access to emails, Teams, and related services without MFA.
"OAuth token theft is a serious headache for organizations because stolen tokens can bypass multi-factor authentication (MFA) and grant access to privileged accounts within an organization without needing to know their credentials. Think corporate espionage, data theft, maybe even ransomware."
"Kali365 lowers the barrier of entry, providing less-technical attackers access to AI-generated phishing lures, automated campaign templates, real-time targeted individual/entity tracking dashboards, and OAuth token capture capabilities, the FBI said in its announcement."
"Kali365 lets attackers send convincing phishing emails that impersonate 'trusted cloud productivity and document-sharing services' (Adobe Acrobat Sign, DocuSign, and SharePoint), according to security shop Arctic Wolf. That email contains a device code and instructions for the target to enter the code into a legitimate Microsoft page, a hyperlink for which is included in the email."
"Entering that code registers the attacker's device to the unwitting target's M365 account, effectively surrendering access to emails, Teams, and all the rest of it. No MFA required. Arctic Wolf published a deep dive on Kali365 back in April, noting that it also offers adversary-in-the-middle (AitM) capabilities that are distinct from the device code phishing described by the FBI."
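Because the device code flow described above is completed on a legitimate Microsoft page, the phishing email itself is hard to distinguish from real document-sharing notifications; the more reliable signal is on the identity side. The following is an added example (not from the article, the FBI, or Arctic Wolf) that scans constructed Entra ID sign-in log records for successful device-code sign-ins originating outside an assumed corporate IP range, which is where a Kali365-style token theft would surface.

```python
import json
from ipaddress import ip_address, ip_network

# Constructed sample of Entra ID sign-in records, using a subset of the
# Microsoft Graph signIn fields (authenticationProtocol is "deviceCode"
# when the OAuth device authorization grant was used). Values are made up.
SAMPLE_SIGNINS = json.dumps([
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "none",
     "appDisplayName": "Outlook", "ipAddress": "10.0.0.12", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.45", "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.com", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Azure CLI", "ipAddress": "10.0.0.80", "status": {"errorCode": 0}},
    {"userPrincipalName": "dave@example.com", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}},
])

# Assumed corporate egress range; device-code sign-ins from here are treated as
# expected admin/CLI use rather than phishing.
CORPORATE_RANGES = [ip_network("10.0.0.0/8")]


def flag_device_code_signins(raw_json, corporate_ranges=CORPORATE_RANGES):
    """Return successful device-code sign-ins from outside the corporate ranges.

    A successful deviceCode sign-in from an external address means a device the
    user did not necessarily control has just been issued tokens for their
    account, which is exactly the outcome of the phishing described above.
    """
    findings = []
    for entry in json.loads(raw_json):
        if entry.get("authenticationProtocol") != "deviceCode":
            continue
        if entry.get("status", {}).get("errorCode", 0) != 0:
            continue  # failed attempt: no tokens were issued
        ip = ip_address(entry["ipAddress"])
        if any(ip in net for net in corporate_ranges):
            continue  # expected internal use of the device code flow
        findings.append({
            "user": entry["userPrincipalName"],
            "app": entry.get("appDisplayName", "unknown"),
            "ip": str(ip),
            "reason": "successful device-code sign-in from outside corporate range",
        })
    return findings


if __name__ == "__main__":
    for f in flag_device_code_signins(SAMPLE_SIGNINS):
        print(f"ALERT {f['user']} via {f['app']} from {f['ip']}: {f['reason']}")
```

Where no workload legitimately needs the device code flow, Entra ID Conditional Access can block that authentication flow outright, which removes the class of attack rather than just detecting it.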
#phishing #oauth-token-theft #microsoft-365-security #multi-factor-authentication-bypass #cybercrime
Read at theregister