The FBI said the phishing tool can let cyberattackers bypass multi-factor authentication on Microsoft 365 accounts.
WASHINGTON — The FBI issued a warning about a new phishing tool being used to gain access to users’ Microsoft 365 accounts.
The Public Service Announcement, issued May 21, warned that cyberattackers could bypass multi-factor authentication, steal users’ credentials and gain access to their Outlook, Teams and OneDrive through a phishing message.
The FBI said the phishing platform, Kali365, was first observed in April and is distributed primarily through Telegram. The program is a “subscription service for scammers,” according to cybersecurity software company Bitdefender.
Attackers deliver the lure as a phishing email, which Microsoft itself defines as a fraudulent message designed to look authentic. Rather than linking to a fake sign-in page, the message sends the user to Microsoft’s genuine website along with a device code the attacker has already generated. When the user enters that code and signs in, unaware of what it authorizes, Microsoft issues access and refresh tokens to the attacker’s device, and those tokens let the attacker into the account, the FBI warned.
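The sequence described above is the OAuth 2.0 device authorization grant (RFC 8628) turned against the user. The following Python simulation, added here as an example and not code from the FBI, Microsoft or Kali365, stands in a toy in-memory authorization server for Microsoft’s real one; the endpoint names, code formats and token values are assumptions. It shows the three messages that matter: the attacker asks for a device code, the victim approves the attacker’s user code on the legitimate sign-in page (password and MFA included), and the attacker’s polling client, not the victim, receives the access and refresh tokens.

```python
"""Toy simulation of the OAuth 2.0 device authorization grant (RFC 8628)
showing why device code phishing hands the attacker the tokens.
Added example; the authorization server is an in-memory stand-in, not
Microsoft's, and all endpoint names and token formats are assumed."""
import secrets
import string
import time
from dataclasses import dataclass
from typing import Optional

USER_CODE_ALPHABET = string.ascii_uppercase + string.digits


@dataclass
class DeviceAuthorization:
    device_code: str            # secret kept by the client that STARTED the flow
    user_code: str              # short code the user is told to type in
    client_id: str
    expires_at: float
    authorized_by: Optional[str] = None
    consumed: bool = False


class ToyAuthorizationServer:
    """Issues device codes, lets a user approve a user_code on the (genuine)
    sign-in page, and hands tokens to whoever holds the matching device_code."""

    def __init__(self, lifetime_s: float = 900.0):
        self.lifetime_s = lifetime_s
        self.pending = {}        # device_code -> DeviceAuthorization
        self.by_user_code = {}   # user_code  -> DeviceAuthorization

    def device_authorization(self, client_id: str) -> dict:
        """Step 1 (attacker): POST /devicecode. The attacker keeps device_code
        and puts user_code plus the real verification URL into the phish."""
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(9))
        rec = DeviceAuthorization(
            device_code=secrets.token_urlsafe(32),
            user_code=user_code,
            client_id=client_id,
            expires_at=time.time() + self.lifetime_s,
        )
        self.pending[rec.device_code] = rec
        self.by_user_code[user_code] = rec
        return {"device_code": rec.device_code, "user_code": user_code,
                "verification_uri": "https://login.example/devicelogin",
                "expires_in": int(self.lifetime_s), "interval": 5}

    def user_signs_in(self, user_code: str, username: str, mfa_passed: bool) -> str:
        """Step 2 (victim): enters user_code on the real sign-in page and
        completes password + MFA. Nothing binds the approval to the victim's
        own device; it binds to whichever client holds the device_code."""
        rec = self.by_user_code.get(user_code)
        if rec is None or time.time() > rec.expires_at:
            return "invalid_or_expired_code"
        if not mfa_passed:
            return "mfa_required"
        rec.authorized_by = username
        return "approved"

    def token(self, device_code: str) -> dict:
        """Step 3 (attacker): polls POST /token with its device_code."""
        rec = self.pending.get(device_code)
        if rec is None or rec.consumed:
            return {"error": "invalid_grant"}
        if time.time() > rec.expires_at:
            return {"error": "expired_token"}
        if rec.authorized_by is None:
            return {"error": "authorization_pending"}
        rec.consumed = True   # one redemption per device_code, as in RFC 8628
        return {"access_token": "at-" + secrets.token_hex(8),
                "refresh_token": "rt-" + secrets.token_hex(8),
                "token_type": "Bearer", "subject": rec.authorized_by,
                "client_id": rec.client_id}


def run_phish(server: ToyAuthorizationServer, victim: str = "alice@example.com") -> dict:
    """End to end: attacker starts the flow, victim approves it, attacker polls."""
    attacker = server.device_authorization(client_id="attacker-registered-client")
    first_poll = server.token(attacker["device_code"])      # authorization_pending
    # The phishing message carries attacker["user_code"] and the genuine URL.
    outcome = server.user_signs_in(attacker["user_code"], victim, mfa_passed=True)
    second_poll = server.token(attacker["device_code"])     # tokens for the victim
    return {"first_poll": first_poll, "victim_outcome": outcome, "tokens": second_poll}


if __name__ == "__main__":
    print(run_phish(ToyAuthorizationServer()))
```

The point the simulation makes is that the victim does everything right from their perspective: real domain, real password, real MFA prompt. The only defender-visible signals are the short code lifetime, the unusual client that redeemed the code, and the sign-in being logged with the device code protocol rather than a browser flow.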
The FBI encourages users to report any unauthorized devices or active sessions added to an account, suspicious logins and phishing emails to the Internet Crime Complaint Center (IC3).
Microsoft told The Hill it is “actively working to disrupt the cybercriminal ecosystems behind phishing-as-a-service and account takeover activity to protect our customers.”
How to protect yourself from phishing
The FBI and Microsoft encourage users to be on the lookout for red flags when going through their email and messages. Red flags include, but are not limited to: unexpected invoices, urgency in the message, talk of large sums of money, fake security alerts, fake messages from IT and “You’ve won a prize!” offers.
Here are some ways to protect yourself, according to the FBI and Microsoft.
- Verify the sender: Check that the sending address is exactly the one you expect, with no typos or look-alike domains.
- Do not click unfamiliar links or attachments: If a message seems suspicious, go to the official website directly instead of clicking links or opening attachments in the email.
- Report phishing: Reporting spam and scam emails and deleting them from your inbox can help you receive fewer of them. Report phishing to the Federal Trade Commission (FTC) or forward the email to phishing-report@us-cert.gov. Some email clients have a “report phishing” button in the inbox.
- Limit who can use your account and where it is signed in: The FBI suggests restricting the device code flow, limiting or blocking device authentication codes so that attackers cannot obtain the tokens they need to get into your account without your password. In Microsoft 365 this is an administrator control, typically applied through a Conditional Access policy, rather than a setting an individual user can change.
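Two concrete ways an administrator can act on the last two points, written here as an added Python example rather than code from the FBI, Microsoft or Kali365. The first function builds the body of a Microsoft Graph Conditional Access policy that blocks the device code flow for everyone except named break-glass accounts, using the `authenticationFlows.transferMethods` condition; the tenant details, the break-glass account and the decision to start in report-only mode are assumptions. The second function is a triage pass over Entra sign-in log records that flags successful device code sign-ins from apps or networks not on an allow list, which is the kind of “suspicious login” the FBI asks users to report. The sign-in records, the expected-app list and the corporate IP range are constructed for this example.

```python
"""Defensive counterparts to device code phishing in a Microsoft 365 tenant.
Added example. The policy body follows the Microsoft Graph
conditionalAccessPolicy schema; the sample sign-in records, allow lists and
account names are constructed here, not real data."""
import json
from typing import Iterable, List


def block_device_code_policy(display_name: str,
                             break_glass_accounts: List[str],
                             report_only: bool = True) -> dict:
    """Body for POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies.
    Start in report-only mode, review what would have been blocked, then enforce."""
    return {
        "displayName": display_name,
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "clientAppTypes": ["all"],
            "applications": {"includeApplications": ["All"]},
            # Break-glass (emergency access) accounts stay excluded, assumed here
            "users": {"includeUsers": ["All"], "excludeUsers": break_glass_accounts},
            # The condition that targets the device code flow specifically
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


# Apps that legitimately use the device code flow in this hypothetical tenant.
EXPECTED_DEVICE_CODE_APPS = {"Microsoft Azure CLI"}
# Corporate egress range; 203.0.113.0/24 is a documentation net, used as a stand-in.
CORPORATE_NETWORKS = ("203.0.113.",)


def flag_device_code_signins(records: Iterable[dict]) -> List[dict]:
    """Return successful sign-ins that used the device code protocol and did
    not come from an expected app on a corporate network."""
    flagged = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        if r.get("status", {}).get("errorCode", 0) != 0:
            continue  # failed attempt: worth hunting, but not a takeover
        app_ok = r.get("appDisplayName") in EXPECTED_DEVICE_CODE_APPS
        net_ok = str(r.get("ipAddress", "")).startswith(CORPORATE_NETWORKS)
        if not (app_ok and net_ok):
            flagged.append({
                "user": r["userPrincipalName"],
                "app": r.get("appDisplayName"),
                "ip": r.get("ipAddress"),
                "time": r.get("createdDateTime"),
                "reason": "device code sign-in outside expected app/network",
            })
    return flagged


# Constructed sign-in records in the shape of the Graph signIn resource.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2025-05-20T09:01:00Z",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Azure CLI",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2025-05-20T09:14:00Z",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.com", "createdDateTime": "2025-05-20T09:20:00Z",
     "authenticationProtocol": "oAuth2", "appDisplayName": "OfficeHome",
     "ipAddress": "198.51.100.9", "status": {"errorCode": 0}},
    {"userPrincipalName": "dave@example.com", "createdDateTime": "2025-05-20T09:31:00Z",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Azure CLI",
     "ipAddress": "198.51.100.22", "status": {"errorCode": 0}},
    {"userPrincipalName": "erin@example.com", "createdDateTime": "2025-05-20T09:40:00Z",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office",
     "ipAddress": "192.0.2.5", "status": {"errorCode": 50126}},
]


if __name__ == "__main__":
    print(json.dumps(block_device_code_policy("Block device code flow",
                                              ["breakglass@example.com"]), indent=2))
    for hit in flag_device_code_signins(SAMPLE_SIGNINS):
        print(hit)
```

When a device code sign-in is confirmed as malicious, revoking the user’s sessions and refresh tokens matters more than a password reset alone, because the attacker holds tokens rather than the password.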
