The FBI has issued a warning regarding a new phishing attack that can circumvent multi-factor authentication (MFA) for Microsoft 365 accounts. This scheme, involving the Kali365 phishing-as-a-service platform, enables hackers to hijack accounts without completing the MFA process, using social engineering tactics to trick users into approving logins.
In a public service announcement, the FBI detailed how the intruders abuse the device code sign-in flow Microsoft designed for devices with limited input, such as smart TVs. The attacker starts the authentication process and convinces the user to enter the resulting device code; Microsoft then issues access tokens to the attacker, allowing them to reach the victim's personal data, including OneDrive files and Outlook emails.
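A detection from the defender's side, written for this page rather than taken from the FBI announcement or any vendor tooling: it scans constructed sign-in records shaped like Entra ID sign-in log entries (the field names, including AuthenticationProtocol with the value "deviceCode", are assumed here) and rates each successful device code sign-in against the user's normal interactive sign-in locations, since the tokens in this scheme are redeemed from the attacker's infrastructure rather than the victim's.

```python
import json
from collections import defaultdict

# Constructed sample records in the shape of Entra ID sign-in log entries
# (field names such as AuthenticationProtocol == "deviceCode" are assumed;
# every value below is made up for this example).
SAMPLE_LOGS = """\
{"UserPrincipalName": "alice@example.com", "IPAddress": "203.0.113.10", "Location": "US", "AuthenticationProtocol": "none", "ResultType": 0}
{"UserPrincipalName": "alice@example.com", "IPAddress": "203.0.113.10", "Location": "US", "AuthenticationProtocol": "none", "ResultType": 0}
{"UserPrincipalName": "alice@example.com", "IPAddress": "198.51.100.77", "Location": "NL", "AuthenticationProtocol": "deviceCode", "ResultType": 0}
{"UserPrincipalName": "bob@example.com", "IPAddress": "192.0.2.5", "Location": "US", "AuthenticationProtocol": "deviceCode", "ResultType": 0}
{"UserPrincipalName": "carol@example.com", "IPAddress": "198.51.100.78", "Location": "NL", "AuthenticationProtocol": "deviceCode", "ResultType": 50126}
"""

def parse_signin_logs(text):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def find_device_code_signins(text):
    """Return successful device code sign-ins, each rated against the user's
    baseline of locations seen in ordinary (non device code) sign-ins.
    A device code token redeemed from a location the user never signs in
    from is the strongest signal that someone else entered the code."""
    records = parse_signin_logs(text)
    baseline = defaultdict(set)
    for r in records:
        if r["AuthenticationProtocol"] != "deviceCode" and r["ResultType"] == 0:
            baseline[r["UserPrincipalName"]].add(r["Location"])
    findings = []
    for r in records:
        if r["AuthenticationProtocol"] != "deviceCode" or r["ResultType"] != 0:
            continue  # failed attempts (non-zero ResultType) are not token grants
        user, loc = r["UserPrincipalName"], r["Location"]
        known = baseline.get(user, set())
        if not known:
            severity, reason = "medium", "no interactive sign-in baseline for this user"
        elif loc not in known:
            severity, reason = "high", f"token redeemed from {loc}; baseline is {sorted(known)}"
        else:
            severity, reason = "low", "location matches baseline; confirm the user started it"
        findings.append({"user": user, "ip": r["IPAddress"], "location": loc,
                         "severity": severity, "reason": reason})
    return findings

if __name__ == "__main__":
    for f in find_device_code_signins(SAMPLE_LOGS):
        print(f"[{f['severity'].upper()}] {f['user']} from {f['ip']} ({f['location']}): {f['reason']}")
```

In a real tenant the same logic runs over exported sign-in logs, and a tenant that does not need device code sign-ins can block the flow outright with a Conditional Access policy rather than only alerting on it.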
Researchers from Arctic Wolf highlighted that the ease of producing AI-generated phishing templates puts this method within reach of even less-skilled hackers. The campaign circulates mainly through closed channels such as Telegram, and relies on eight fixed email templates to deceive users.
To safeguard Microsoft 365 accounts, individuals are advised to remain vigilant and disregard suspicious email subject lines related to shared documents, voicemails, and messages.