The Federal Bureau of Investigation (FBI) has issued a new public service announcement amid the rise of a 'phishing-as-a-service' (PhaaS) scam known as Kali365, which allows malicious actors to bypass authentication protocols for Microsoft services like Teams, Outlook, and OneDrive.
It's incredibly common for cybersecurity experts to advise people to use multi-factor authentication tools like 2FA or authenticator apps, as they provide an additional external layer that hackers often find much harder to get through with brute force.
That layer of protection has been breached, however, through the emerging use of Kali365, which has been distributed through encrypted messaging service Telegram.
This has prompted the FBI to get involved, issuing a new PSA to the hundreds of millions of people using Microsoft services every single day, as you could be putting yourself in great danger if you're not careful.
Detailing the issue in a new alert, the FBI outlines that Kali365 allows cyber threat actors to "capture 'OAuth' tokens and gain persistent access to targeted individuals/entities Microsoft 365 environments."
While there do exist incredibly sophisticated tools that bypass these pre-existing authentication barricades, Kali365 reportedly significantly lowers the skills required to get through, "providing less-technical attackers access to AI-generated phishing lures, automated campaign templates, real-time targeted individual/entity tracking dashboards, and OAuth token capture capabilities," the PSA illustrates.

Attackers will first send a 'lure' to targeted individuals, usually a phishing email impersonating a trusted service. This then leads victims to real Microsoft pages where information is revealed, subsequently opening the door to the attacker.
From there, the attacker can capture the OAuth access and refresh tokens associated with the account, effectively providing ongoing access to any associated Microsoft accounts without the need for a password or any further authentication.
The FBI has recommended that businesses and individuals who find themselves at risk of this new cybersecurity threat should restrict device code flow, which limits or even completely blocks authentication codes that are central to the attack.
Within the advice, the FBI outlines that you should "create a conditional access policy to block device code flow for all users, with limited exceptions for required business processes."

Additionally, the authentication transfer flow should also be blocked, and if you are in a situation where device code flow usage simply can't be blocked outright, excluding emergency access accounts from the blocking policy is your best course of action.
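The policy the FBI describes can be created with the Microsoft Graph PowerShell SDK. The script below is an added example, not code from the FBI PSA or the article: it builds a Conditional Access policy that blocks both device code flow and authentication transfer for all users, excludes placeholder emergency access accounts, and starts in report-only mode so legitimate device-code users can be reviewed from the sign-in log before enforcement. It assumes the Microsoft.Graph modules are installed and the caller holds the Policy.ReadWrite.ConditionalAccess and AuditLog.Read.All permissions; the account object IDs are placeholders.

```powershell
# Added example (not from the FBI PSA or the article): block device code flow and
# authentication transfer with an Entra ID Conditional Access policy via Microsoft Graph.
# Assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in admin holds
# Policy.ReadWrite.ConditionalAccess (policy creation) and AuditLog.Read.All (review).
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Reports
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "AuditLog.Read.All"

# Placeholder object IDs of your break-glass accounts; replace with your own.
# The FBI guidance is to exclude these from the blocking policy.
$emergencyAccessAccounts = @(
    "00000000-0000-0000-0000-000000000001",  # placeholder
    "00000000-0000-0000-0000-000000000002"   # placeholder
)

$policy = @{
    displayName = "Block device code flow and authentication transfer"
    # Report-only first: the policy is evaluated and logged but not enforced, so you
    # can find any required business process that still depends on device code flow.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        applications = @{ includeApplications = @("All") }
        users        = @{
            includeUsers = @("All")
            excludeUsers = $emergencyAccessAccounts
        }
        # The authenticationFlows condition targets exactly the two flows the PSA names.
        # If a business process needs device code flow, keep this policy broad and grant
        # the exception through a separate, narrowly scoped policy rather than widening
        # the exclusion list here.
        authenticationFlows = @{
            transferMethods = "deviceCodeFlow,authenticationTransfer"
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.Id) in state $($created.State)"

# Review who actually used device code flow over the last 14 days before switching the
# policy state to "enabled". Assumes the signIn resource exposes AuthenticationProtocol
# in your tenant; the filter on it is done client-side to avoid relying on server-side
# filter support for that property.
$since = (Get-Date).AddDays(-14).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$deviceCodeSignIns = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since" |
    Where-Object { $_.AuthenticationProtocol -eq "deviceCode" }

$deviceCodeSignIns |
    Group-Object UserPrincipalName |
    Select-Object Name, Count |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

Once the report-only sign-in entries show only expected device-code usage (or none), change `state` to `"enabled"` with `Update-MgIdentityConditionalAccessPolicy`. Any account that appears in the review and is not a known business requirement is worth treating as suspicious sign-in activity and reporting as the PSA advises.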
On top of this, the FBI urges employees and individuals to be wary of any links found within emails – even if they look legitimate – as that can be the trigger that starts the problem in the first place.
Any suspicious activity should also be reported directly to the FBI, whether that be in the form of emails, login attempts, or devices.