The FBI has warned of a new Phishing-as-a-Service (PhaaS) kit that is targeting Microsoft 365 accounts in a complex but easily accessible campaign.
The Kali365 PhaaS service allows attackers to gain persistent access to Microsoft 365 environments by obtaining OAuth tokens through AI-generated phishing emails that direct users to legitimate Microsoft verification pages.
Once the attacker holds the OAuth tokens, they can access Outlook, Teams, and OneDrive without completing any further verification or authentication step.
Phishing campaigns such as these rely on human error to breach accounts, but there are several steps that keep accounts and the wider Microsoft 365 environment safe. Here are three ways businesses can protect themselves against the Kali365 PhaaS campaign:
1. Phishing Vigilance
Phishing emails come in a range of formats. They can be interview invites, document access requests, and everything in between. Hackers are using AI tools to make highly convincing phishing emails that can slip past spam detection filters and blend in with regular email traffic.
IT administrators should follow the latest guidance from intelligence feeds on phishing email trends and ongoing campaigns. Additionally, staff can be trained to spot and report phishing emails through regular simulations that mimic the real-world Tactics, Techniques and Procedures (TTPs) used by attackers.
Users should also remain vigilant against unexpected Microsoft account authentication requests, especially when the user has not made an attempt to log in.
2. Conditional Access Policies
The FBI recommends enabling Conditional Access policies that block device code flow for all users. Blocking device code flow removes the authentication step that Kali365's token capture depends on.
In the Kali365 workflow, the attacker starts a device code sign-in from their own device, which gives them a short code together with the address of Microsoft's legitimate device login page; the phishing email passes both to the victim. The victim types the attacker's code into the genuine Microsoft page and signs in, completing MFA if prompted, which authorises the attacker's pending sign-in. Microsoft then issues the OAuth access and refresh tokens to the attacker's device, giving them access to Outlook, Teams, and OneDrive without ever knowing the victim's password or completing MFA themselves.
By blocking this authentication method, even if a victim falls for the phishing email and enters the code, the attacker's sign-in will fail.
But before applying a universal device code flow block, audit existing usage: the Entra ID sign-in logs record the authentication protocol of each sign-in, so you can identify the users and applications (typically command-line tools and devices without a browser) that use device code flow legitimately, and Conditional Access report-only mode shows what a policy would have blocked before it is enforced. Blocking legitimate usage without an exclusion could disrupt day-to-day operations in some circumstances.
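One way to run that audit offline, as an added example that is not code from the article: the script below takes sign-in records in the shape returned by the Microsoft Graph signIn resource (userPrincipalName, appDisplayName, authenticationProtocol, status.errorCode) and ranks the applications and users that actually completed device code flow or authentication transfer sign-ins. The records embedded here are constructed for illustration, not real tenant data; in practice they would come from an export of GET /auditLogs/signIns.

```python
"""Audit which users and apps really use device code flow (or authentication
transfer) before a Conditional Access block is enforced.

Added example, not from the article. Field names follow the Microsoft Graph
signIn resource; the records below are constructed, not real sign-ins.
"""
from collections import Counter

# Constructed sample export. errorCode 0 means the sign-in succeeded.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Azure CLI",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Azure CLI",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.com", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}},
    {"userPrincipalName": "dave@example.com", "appDisplayName": "Microsoft Teams",
     "authenticationProtocol": "authenticationTransfer", "status": {"errorCode": 0}},
    # A failed device code attempt: it should not count as legitimate usage.
    {"userPrincipalName": "erin@example.com", "appDisplayName": "Microsoft Azure CLI",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 50058}},
]

# The two flows a Conditional Access "authentication flows" condition can block.
WATCHED_PROTOCOLS = ("deviceCode", "authenticationTransfer")


def flow_usage(records, protocols=WATCHED_PROTOCOLS, successful_only=True):
    """Count sign-ins per (protocol, app, user) for the watched flows.

    Failed sign-ins are dropped by default: only successful use of the flow
    tells you that blocking it would break something.
    """
    usage = Counter()
    for rec in records:
        proto = rec.get("authenticationProtocol")
        if proto not in protocols:
            continue
        if successful_only and (rec.get("status") or {}).get("errorCode", 0) != 0:
            continue
        usage[(proto, rec.get("appDisplayName"), rec.get("userPrincipalName"))] += 1
    return usage


def apps_needing_exclusion_review(records):
    """Apps with successful watched-flow sign-ins, most used first.

    Each entry is a candidate for a scoped exclusion (or a migration away from
    device code flow) before the tenant-wide block goes live.
    """
    per_app = Counter()
    for (proto, app, _user), count in flow_usage(records).items():
        per_app[(proto, app)] += count
    return [(proto, app, count) for (proto, app), count in per_app.most_common()]


def report(records):
    for proto, app, count in apps_needing_exclusion_review(records):
        print(f"{proto:22} {app:24} {count} successful sign-ins")


if __name__ == "__main__":
    report(SAMPLE_SIGNINS)
```

Run against a real export, the ranked list is what drives the decision in the text above: every app that appears either gets moved to a different sign-in method or gets a deliberate, documented exclusion before the block is enforced.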
3. Block Authentication Transfer Policies
To make life easier for Microsoft 365 users, Microsoft added an authentication transfer option: a user who is already signed in on a trusted device can scan a QR code shown on a second device to sign in there without entering credentials again.
However, this convenience also serves an attacker holding stolen OAuth tokens. The device on which the tokens were obtained is now a signed-in, "trusted" device from the tenant's point of view, and the attacker can use it to approve sign-ins on further devices of their own.
Blocking authentication transfer in Conditional Access stops attackers from extending a hijacked session to additional devices in this way, and as a side benefit it prevents employees from moving their sessions onto unmanaged personal devices that could put company data at risk.
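The two blocks described in sections 2 and 3 are expressed as a single Conditional Access policy using the "authentication flows" condition. The script below, an added example that is not code from the article or from Microsoft, builds that policy body in the Microsoft Graph conditionalAccessPolicy schema (the body POSTed to /identity/conditionalAccess/policies) and, for the "policy sprawl" problem, checks whether an existing set of policies already enforces either block. The break-glass group ID and the three "existing" policies are constructed placeholders, not objects from a real tenant.

```python
"""Build the Conditional Access policy that blocks device code flow and
authentication transfer, and check whether an existing policy set already
enforces it.

Added example, not code from the article or from Microsoft. The policy body
follows the Microsoft Graph conditionalAccessPolicy schema; the group ID and
the sample policies below are constructed placeholders.
"""
import json
import urllib.request

# Assumption: the object ID of your own break-glass / exclusion group.
BREAK_GLASS_GROUP = "00000000-0000-0000-0000-000000000000"

REQUIRED_BLOCKS = {"deviceCodeFlow", "authenticationTransfer"}


def build_block_policy(exclude_groups, enforce=False):
    """Policy that blocks both flows for all users and all apps.

    It starts in report-only mode so the sign-in log shows what *would* be
    blocked; pass enforce=True once the audit shows no legitimate usage.
    """
    return {
        "displayName": "Block device code flow and authentication transfer",
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": list(exclude_groups)},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {
                "transferMethods": "deviceCodeFlow,authenticationTransfer"
            },
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def enforced_flow_blocks(policies):
    """Transfer methods blocked tenant-wide by policies that are actually enabled.

    Only enabled, block-for-everyone policies count: report-only policies,
    policies scoped to some users or apps, and policies whose grant control is
    "require MFA" rather than "block" do not stop the flow (the victim does the
    MFA themselves). Group exclusions are not flagged here; review them separately.
    """
    blocked = set()
    for policy in policies:
        if policy.get("state") != "enabled":
            continue
        grant = policy.get("grantControls") or {}
        if "block" not in (grant.get("builtInControls") or []):
            continue
        cond = policy.get("conditions") or {}
        if (cond.get("users") or {}).get("includeUsers") != ["All"]:
            continue
        if (cond.get("applications") or {}).get("includeApplications") != ["All"]:
            continue
        methods = (cond.get("authenticationFlows") or {}).get("transferMethods") or ""
        blocked.update(m.strip() for m in methods.split(",") if m.strip())
    return blocked


def coverage_gaps(policies):
    """Which of the two flows no enabled policy blocks yet (sorted list)."""
    return sorted(REQUIRED_BLOCKS - enforced_flow_blocks(policies))


def create_policy(policy, access_token):
    """POST the policy to Microsoft Graph (requires Policy.ReadWrite.ConditionalAccess).

    Not called in this offline example; shown as the one network step.
    """
    req = urllib.request.Request(
        "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies",
        data=json.dumps(policy).encode(),
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample of a sprawling tenant: none of these actually blocks the flows.
EXISTING_POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block device code flow (pilot)",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "authenticationFlows": {"transferMethods": "deviceCodeFlow"}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Block legacy authentication", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]

if __name__ == "__main__":
    print("gaps before:", coverage_gaps(EXISTING_POLICIES))
    new_policy = build_block_policy([BREAK_GLASS_GROUP], enforce=True)
    print("gaps after: ", coverage_gaps(EXISTING_POLICIES + [new_policy]))
    print(json.dumps(new_policy, indent=2))
```

The checker is deliberately strict: a report-only pilot, an MFA-only policy, or a legacy-authentication block all leave both flows open, which is exactly the state a tenant with years of accumulated policies tends to be in. Keep the new policy in report-only mode until the sign-in log confirms nothing legitimate would be blocked, then flip it to enforced.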
Expert Guidance
Deborah Galea, Cybersecurity Expert at Filigran, commented on the Kali365 attacks:
“Phishing-as-a-Service (PhaaS) platforms like Kali365 are becoming more and more common, which is turning hacking into a highly commercialised subscription business. This means that bad actors can now utilise these ready-made kits rather than building infrastructure from scratch, significantly lowering the barrier to entry.”
“Kali365 is especially dangerous since it bypasses Multi-Factor Authentication (MFA) without stealing credentials and allows hackers to hijack Microsoft 365 accounts. We advise companies to implement preventative measures such as restricting device code flow, blocking authentication transfer, and implementing Phishing-Resistant MFA.”
Andrea Sivieri, Chief Product and Technology Officer at CoreView, also commented:
“The FBI warning on Kali365 confirms a pattern we have been seeing in enterprise Microsoft 365 environments for months. Attackers are no longer breaking into Microsoft 365, they are logging in, using features Microsoft built for legitimate purposes. Device code flow exists for a good reason, it is how smart TVs and IoT devices sign you into your account. The attackers have simply realised it makes a beautiful phishing primitive, because the user is the one who clicks ‘approve’ on a real Microsoft page. MFA cannot save you from a flow where the user does the MFA themselves.”
“The depressing part is that the FBI’s top recommendation, blocking device code flow through conditional access policy, is something any Microsoft 365 administrator could turn on this afternoon. The reason most organisations haven’t done this is because conditional access in a real-world tenant is a sprawl of policies edited by twenty different people over five years. Nobody is quite sure what blocking one flow will break. So the policy stays open, and the attackers stay in business.”
“There is a bigger lesson here for any organisation running its business on Microsoft 365. The next breach at a large enterprise will not start with a hacker exploiting a vulnerability. It will start with an employee being asked, very politely, to perform a legitimate action inside a legitimate Microsoft product. The defence is not better technology, it is real-time visibility into what is actually changing inside the tenant, and the discipline to revisit the security policies that quietly age out.”
