FBI Alerts: Kali365 Phishing Service Hijacks Microsoft 365 Accounts via OAuth Token Theft
What Happened – The FBI disclosed a new phishing‑as‑a‑service operation named Kali365 that abuses Microsoft 365’s device‑code flow to capture OAuth access tokens and fully hijack user accounts. The service is sold on underground forums, allowing attackers to automate credential theft at scale.
Why It Matters for TPRM –
- Compromise of Microsoft 365 accounts can expose corporate email, files, and collaboration tools, creating downstream supply‑chain risk.
- Credential‑theft services lower the barrier for threat actors to launch Business Email Compromise (BEC) and data exfiltration campaigns against third‑party vendors.
- The attack bypasses traditional password‑based defenses, highlighting gaps in token‑lifecycle management and MFA enforcement.
Who Is Affected – Enterprises across all sectors that rely on Microsoft 365 for email, SharePoint, Teams, and other SaaS workloads; especially those with limited token‑revocation policies.
Recommended Actions –
- Enforce Conditional Access policies that block device‑code flow for high‑risk users.
- Deploy Azure AD Identity Protection and monitor for anomalous token issuance.
- Require MFA for all privileged accounts and regularly review token lifetimes.
- Conduct a vendor risk review of any third‑party services that integrate with Microsoft 365 APIs.
Technical Notes – Kali365 leverages the OAuth 2.0 device‑code grant to obtain valid access tokens without user interaction. Attackers then use the tokens to access Exchange Online, OneDrive, Teams, and other services. No specific CVE is cited; the vulnerability lies in the misuse of a legitimate authentication flow. Source: TechRepublic Security