1. Threat Overview
Kali365 is a phishing-as-a-service platform that targets Microsoft 365 accounts by abusing the OAuth 2.0 device authorization grant (the "device code" flow) to obtain access and refresh tokens for the victim's account, and with them to bypass multi-factor authentication. This is abuse of a legitimate, standards-based sign-in flow rather than a software vulnerability: the victim completes sign-in, including MFA, at the genuine Microsoft device login page using a code the attacker generated, and the tokens are issued to the attacker's client. The attack vector is phishing delivered through the service.
2. Key Intelligence Points
1. Kali365 is a phishing-as-a-service platform used to hijack Microsoft 365 accounts.
2. The attack bypasses multi-factor authentication (MFA) by abusing the OAuth device code flow: the victim satisfies MFA during the device sign-in, so the tokens issued to the attacker's client are treated as fully authenticated.
3. The attack chain starts with a phishing lure that gets the victim to authenticate (or to hand over credentials); the session tokens issued at the end of that sign-in, rather than the password itself, are what the attacker then uses to access the account.
4. Detection opportunities include monitoring for device code sign-ins (recorded with authenticationProtocol "deviceCode" in Microsoft Entra ID sign-in logs) from unexpected IP addresses, locations or applications, and analysing the activity performed under the resulting tokens.
3. MITRE ATT&CK Techniques
T1566.001 Spearphishing Attachment
T1539 Steal Web Session Cookie
T1528 Steal Application Access Token (the closer match for OAuth token theft through the device code flow)
4. Indicators of Compromise (IOCs) / Affected Systems
No network indicators (domains, IP addresses or file hashes) for the Kali365 service are given here. Affected systems: Microsoft 365 (Microsoft Entra ID) user accounts. Abused mechanism: the OAuth device code authentication flow.
5. Mitigation & Detection
Restrict the device code flow to the users and applications that actually need it: in Microsoft Entra ID, a Conditional Access policy using the "Authentication flows" condition can block device code flow for everyone else, and a further policy can require a compliant or Entra-joined device for sign-in. Monitor sign-in logs for device code authentications (authenticationProtocol = deviceCode), particularly from IP addresses, countries or applications the user does not normally use, and do not rely on the MFA result as a filter, because in this attack MFA is recorded as satisfied. Treat a device code sign-in from an unexpected source as token theft: revoke the user's sessions and refresh tokens in addition to resetting the password, and remember that access tokens already issued stay valid until they expire.
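The following is an added example of the detection logic described above; it is not code from the original report or from any vendor tooling. It runs over a constructed set of Entra ID sign-in records whose field names follow the Microsoft Graph signIn resource (authenticationProtocol, ipAddress, location, appDisplayName, authenticationRequirement) but whose values are made up. It flags every device code sign-in and rates it by whether the source IP and country match what the same user used for ordinary sign-ins; the MFA result is deliberately not used as a filter.

```python
from collections import defaultdict

# Constructed sample of Microsoft Entra ID sign-in records, reduced to the fields
# this example uses. Field names follow the Microsoft Graph `signIn` resource;
# every value is made up for the example. "deviceCode" is the
# authenticationProtocol value Entra ID records for the device authorization grant.
SAMPLE_SIGNINS = [
    # alice: normal interactive sign-ins from her usual address in GB
    {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2024-05-01T08:02:11Z",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "GB"},
     "authenticationProtocol": "oAuth2", "appDisplayName": "Microsoft Teams",
     "authenticationRequirement": "multiFactorAuthentication"},
    {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2024-05-01T09:15:40Z",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "GB"},
     "authenticationProtocol": "oAuth2", "appDisplayName": "Office 365 Exchange Online",
     "authenticationRequirement": "multiFactorAuthentication"},
    # alice: device-code sign-in. MFA is recorded as satisfied because alice
    # completed it herself, but the tokens went to a client polling from an
    # address and country she has never used.
    {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2024-05-01T11:47:03Z",
     "ipAddress": "198.51.100.77", "location": {"countryOrRegion": "NL"},
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office",
     "authenticationRequirement": "multiFactorAuthentication"},
    # bob: device-code sign-in from his usual address (a CLI tool), low concern
    {"userPrincipalName": "bob@contoso.example", "createdDateTime": "2024-05-01T10:00:00Z",
     "ipAddress": "203.0.113.25", "location": {"countryOrRegion": "GB"},
     "authenticationProtocol": "oAuth2", "appDisplayName": "Microsoft Teams",
     "authenticationRequirement": "multiFactorAuthentication"},
    {"userPrincipalName": "bob@contoso.example", "createdDateTime": "2024-05-01T10:05:12Z",
     "ipAddress": "203.0.113.25", "location": {"countryOrRegion": "GB"},
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Azure CLI",
     "authenticationRequirement": "multiFactorAuthentication"},
]


def find_device_code_signins(records):
    """Return every device-code sign-in, annotated with how it compares to the
    same user's ordinary (non-device-code) sign-ins in the same record set.

    The MFA result is not used as a filter: in a device-code phish the victim
    satisfies MFA, so the attacker's tokens are logged as a successful MFA sign-in.
    """
    # Per-user baseline of IPs and countries seen on non-device-code sign-ins
    baseline = defaultdict(lambda: {"ips": set(), "countries": set()})
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            b = baseline[r["userPrincipalName"]]
            b["ips"].add(r["ipAddress"])
            b["countries"].add(r["location"]["countryOrRegion"])

    findings = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        b = baseline[r["userPrincipalName"]]
        reasons = []
        if r["ipAddress"] not in b["ips"]:
            reasons.append("source IP not seen in user's other sign-ins")
        if r["location"]["countryOrRegion"] not in b["countries"]:
            reasons.append("country not seen in user's other sign-ins")
        findings.append({
            "user": r["userPrincipalName"],
            "time": r["createdDateTime"],
            "ip": r["ipAddress"],
            "app": r["appDisplayName"],
            "mfa_satisfied": r["authenticationRequirement"] == "multiFactorAuthentication",
            # Any mismatch warrants an immediate look; a device-code sign-in from a
            # known address is still listed for review because the flow is rarely needed.
            "severity": "high" if reasons else "review",
            "reasons": reasons,
        })
    return sorted(findings, key=lambda f: f["time"])


if __name__ == "__main__":
    for f in find_device_code_signins(SAMPLE_SIGNINS):
        detail = f" ({'; '.join(f['reasons'])})" if f["reasons"] else ""
        print(f"{f['severity']:6} {f['time']} {f['user']} via {f['app']} from {f['ip']}{detail}")
```

In production the baseline would come from a longer window of the user's sign-in history rather than the same batch, and the same logic can be expressed as a scheduled query over the SigninLogs table; the point that carries over is that the device code sign-in itself, not a failed MFA check, is the signal to hunt for.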