The FBI is warning about an emerging phishing-as-a-service platform called Kali365, which targets Microsoft 365 accounts, including Outlook, Teams, and OneDrive. The scam gets an attacker into your account without ever learning your password, and it works even with multifactor authentication (MFA) turned on, because you complete the MFA prompt yourself while approving a sign-in the attacker started.
How the Scam Works
Kali365 is a phishing-as-a-service platform that gives attackers AI-generated phishing messages, automated campaign templates, tracking dashboards, and tooling that captures OAuth tokens. The scam abuses Microsoft's device code sign-in flow. That flow exists for devices and tools that cannot show a normal login form, such as smart TVs and command-line utilities: the app displays a short code, you enter it on a Microsoft web page from another device, and the app then receives tokens that keep it signed in to your Microsoft account without asking for your password every time.
The attack starts when a criminal begins a device code sign-in on their own device, which produces a short code, and then tricks you into approving it. The lure is typically a phishing email that looks like it came from a trusted cloud service or document-sharing tool; it contains the code and tells you to enter it on a genuine Microsoft verification page (the real microsoft.com/devicelogin address), so nothing about the page itself looks fake.
Once you enter the code and sign in with your own password and MFA, you have unknowingly authorized the attacker's device. Microsoft then issues access and refresh tokens to that device. The access token opens Outlook, Teams, and OneDrive immediately, and the refresh token lets the attacker keep minting new access tokens for as long as it stays valid, with no password and no further MFA prompt.
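To make the sequence above concrete, here is an added example (not code from the article or from Kali365) that models the OAuth 2.0 device authorization grant, RFC 8628, which Microsoft's device code flow implements. The authorization server, client ID, verification URI and token formats are all toy stand-ins assumed for illustration; nothing here talks to Microsoft. What it shows is the point the article makes: the attacker only ever handles the short code, the victim does the password and MFA work on the genuine page, and the party holding the device_code is the one that receives the tokens, including a refresh token that keeps working until sessions are revoked.

```python
"""Toy model of the OAuth 2.0 device authorization grant (RFC 8628), the flow
Kali365 abuses. Everything is in-memory and constructed for illustration;
the endpoints, client ID and token formats are NOT Microsoft's."""
import secrets
import time

CODE_LIFETIME_SECONDS = 900  # 15 minutes, the lifetime Microsoft's flow also uses


class ToyAuthServer:
    """Stands in for the identity provider. Tracks pending device codes and
    issued refresh tokens so we can see what the attacker ends up holding."""

    def __init__(self):
        self.pending = {}         # device_code -> {"client_id", "user", "expires"}
        self.user_codes = {}      # short user-facing code -> device_code
        self.refresh_tokens = {}  # refresh_token -> username

    def device_authorization(self, client_id):
        """Step 1: the client (here, the attacker's machine) asks for a code pair."""
        device_code = secrets.token_urlsafe(32)
        user_code = secrets.token_hex(4).upper()  # e.g. 'A1B2C3D4'
        self.pending[device_code] = {"client_id": client_id, "user": None,
                                     "expires": time.time() + CODE_LIFETIME_SECONDS}
        self.user_codes[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://idp.example.invalid/devicelogin",
                "expires_in": CODE_LIFETIME_SECONDS, "interval": 5}

    def verification_page(self, user_code, username, password_ok, mfa_ok):
        """Step 2: what the GENUINE verification page does when the victim types
        the code. The victim authenticates with their own password and MFA;
        the attacker never sees either."""
        device_code = self.user_codes.get(user_code)
        if device_code is None or time.time() > self.pending[device_code]["expires"]:
            return "invalid_or_expired_code"
        if not (password_ok and mfa_ok):
            return "authentication_failed"
        self.pending[device_code]["user"] = username  # binds the victim to the attacker's code
        return "approved"

    def token(self, device_code):
        """Step 3: the client polls the token endpoint with its device_code."""
        rec = self.pending.get(device_code)
        if rec is None:
            return {"error": "invalid_grant"}
        if time.time() > rec["expires"]:
            return {"error": "expired_token"}
        if rec["user"] is None:
            return {"error": "authorization_pending"}
        refresh_token = secrets.token_urlsafe(24)
        self.refresh_tokens[refresh_token] = rec["user"]
        return {"access_token": secrets.token_urlsafe(16),
                "refresh_token": refresh_token, "user": rec["user"]}

    def refresh(self, refresh_token):
        """A refresh token mints new access tokens with no password and no MFA prompt."""
        user = self.refresh_tokens.get(refresh_token)
        if user is None:
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(16), "user": user}

    def revoke_sessions(self, username):
        """The 'sign out of all sessions' remediation: drop the user's refresh tokens."""
        for rt in [rt for rt, u in self.refresh_tokens.items() if u == username]:
            del self.refresh_tokens[rt]


def run_device_code_phish(victim="victim@example.invalid"):
    """Plays the Kali365-style sequence end to end and returns what each party saw."""
    idp = ToyAuthServer()
    # Attacker starts the sign-in on their own machine and receives the code pair.
    start = idp.device_authorization(client_id="toy-first-party-client")
    # The lure carries only the short user_code; the attacker's polling is still pending.
    pending = idp.token(start["device_code"])
    # Victim enters the code on the real verification page and passes MFA themselves.
    verdict = idp.verification_page(start["user_code"], victim, password_ok=True, mfa_ok=True)
    # The attacker's next poll now returns tokens for the victim's account.
    tokens = idp.token(start["device_code"])
    # Later the attacker keeps access through the refresh token: no password, no MFA.
    renewed = idp.refresh(tokens["refresh_token"])
    # Remediation: revoking sessions invalidates the stolen refresh token.
    idp.revoke_sessions(victim)
    after_revoke = idp.refresh(tokens["refresh_token"])
    return {
        "pending_before_victim_acted": pending.get("error"),
        "victim_verdict": verdict,
        "attacker_got_tokens_for": tokens.get("user"),
        "refresh_worked_without_mfa": "access_token" in renewed,
        "refresh_after_revoke": after_revoke.get("error"),
    }


def expired_code_is_rejected():
    """Shows why the lure pushes urgency: once the window closes, the code is useless."""
    idp = ToyAuthServer()
    start = idp.device_authorization(client_id="toy-first-party-client")
    idp.pending[start["device_code"]]["expires"] = time.time() - 1  # simulate the window closing
    return idp.verification_page(start["user_code"], "victim@example.invalid", True, True)
```

The lines to focus on are `verification_page` and `token`: the verification page binds whichever user authenticates to the device_code that was already generated, and the token endpoint hands the result to whoever holds that device_code. Microsoft cannot tell from the code alone that the device polling is not yours, which is why the only reliable defence is never entering a code you did not generate yourself.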
Protecting Your Microsoft Account
To protect your Microsoft account, be suspicious of any unexpected request to enter a Microsoft device code. Watch for urgency, as scammers love messages that push you to act fast; a device code is only valid for a short window, about 15 minutes, which is exactly why the lure rushes you. Only enter a Microsoft device code when you personally started the sign-in on another device and can see the same code on its screen. Do not use links inside surprise messages, and periodically review recent sign-ins, connected devices, and active sessions in your account's security settings. Organizations using Microsoft Entra ID can go further and block the device code flow outright with a Conditional Access policy, allowing it only for the specific teams and tools that need it.
If you think you entered a code by mistake, sign out of all sessions (in Entra ID, revoking sessions invalidates the refresh tokens the attacker relies on) and revoke any app access you do not recognize. Then change your password and contact your IT team, who can check the sign-in logs for device code sign-ins from unfamiliar locations. Strong antivirus software can also help detect phishing pages, malicious links, and suspicious downloads before they cause damage, although it will not stop you from approving a device code on a genuine Microsoft page.
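For the IT team mentioned above, here is an added example (not from the article) of the kind of check that turns "review the sign-in logs" into something repeatable. It runs over constructed JSON-lines events shaped like an export of Entra ID sign-in logs, using the real field name `authenticationProtocol` with the value `deviceCode` that Entra records for this flow; the sample events, the flattened `status` field and the `EXPECTED_DEVICE_CODE_APPS` allowlist are assumptions made for the example. The heuristic treats the IP recorded on the device code sign-in as the host redeeming the code; confirm that interpretation against your own tenant's logs before relying on it.

```python
"""Detection example: flag device code sign-ins that do not fit a user's
normal pattern. Field names follow the Entra ID sign-in log schema
(authenticationProtocol == "deviceCode"); the events below are constructed
for this example, not captured from a real tenant."""
import json
from collections import defaultdict

# Constructed sample: JSON lines shaped like exported Entra sign-in events
# (status flattened to the error code, 0 meaning success).
SAMPLE_SIGNINS = """
{"createdDateTime":"2025-03-10T08:02:11Z","userPrincipalName":"alice@example.invalid","authenticationProtocol":"oAuth2","appDisplayName":"Microsoft Teams","ipAddress":"203.0.113.10","country":"US","status":0}
{"createdDateTime":"2025-03-10T09:15:40Z","userPrincipalName":"alice@example.invalid","authenticationProtocol":"oAuth2","appDisplayName":"Outlook","ipAddress":"203.0.113.10","country":"US","status":0}
{"createdDateTime":"2025-03-10T09:31:02Z","userPrincipalName":"alice@example.invalid","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Office","ipAddress":"198.51.100.77","country":"NL","status":0}
{"createdDateTime":"2025-03-10T10:00:00Z","userPrincipalName":"bob@example.invalid","authenticationProtocol":"oAuth2","appDisplayName":"Outlook","ipAddress":"192.0.2.5","country":"US","status":0}
{"createdDateTime":"2025-03-10T10:05:00Z","userPrincipalName":"bob@example.invalid","authenticationProtocol":"deviceCode","appDisplayName":"Azure CLI","ipAddress":"192.0.2.5","country":"US","status":0}
{"createdDateTime":"2025-03-10T11:20:00Z","userPrincipalName":"carol@example.invalid","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Office","ipAddress":"192.0.2.9","country":"US","status":0}
"""

# Assumption: the apps your organisation knowingly uses with device code flow
# (CLI tools on headless machines). Any other app using the flow is suspect.
EXPECTED_DEVICE_CODE_APPS = {"Azure CLI"}


def parse_signins(text):
    """Parse a JSON-lines export into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def build_baselines(events):
    """Per user: IPs and countries seen on successful NON-device-code sign-ins."""
    ips, countries = defaultdict(set), defaultdict(set)
    for e in events:
        if e["status"] == 0 and e["authenticationProtocol"] != "deviceCode":
            ips[e["userPrincipalName"]].add(e["ipAddress"])
            countries[e["userPrincipalName"]].add(e["country"])
    return ips, countries


def find_suspicious_device_code_signins(events):
    """Return one alert per successful device code sign-in that breaks either rule:
    1. the app is not one the org expects to use device code flow, or
    2. neither the IP nor the country appears in the user's baseline."""
    ips, countries = build_baselines(events)
    alerts = []
    for e in events:
        if e["authenticationProtocol"] != "deviceCode" or e["status"] != 0:
            continue
        user = e["userPrincipalName"]
        reasons = []
        if e["appDisplayName"] not in EXPECTED_DEVICE_CODE_APPS:
            reasons.append(f"unexpected app for device code flow: {e['appDisplayName']}")
        if e["ipAddress"] not in ips[user] and e["country"] not in countries[user]:
            reasons.append(f"no prior interactive sign-in from {e['ipAddress']} ({e['country']})")
        if reasons:
            alerts.append({"user": user, "time": e["createdDateTime"],
                           "ip": e["ipAddress"], "reasons": reasons})
    return alerts
```

On the sample, alice's device code sign-in from a Dutch IP she has never used and carol's sign-in with no interactive history both raise alerts, while bob's Azure CLI sign-in from his usual address does not. A user with no baseline at all (carol) is deliberately treated as suspicious rather than ignored, since a freshly onboarded or rarely used account is a common phishing target. Alerts from this check are a prompt to revoke the user's sessions and ask whether they started the sign-in, not proof of compromise on their own.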
Original reporting: Fox News (HLL/CB) — read the source article.