Scams & Phishing News FBI Warns Microsoft Users—New Attack Gains Access To Accounts

Brownie2019

Mar 9, 2019
The FBI issued a warning on May 21, as a new AI-powered attack enables “threat actors to obtain Microsoft 365 access tokens and bypass multi-factor authentication (MFA) protocols without intercepting the user’s credentials.”

Dubbed Kali365, this phishing-as-a-service threat was first discovered last month. The FBI released its public service announcement “to warn the public” that these attacks use Microsoft’s authentication infrastructure to steal user credentials.
The new phishing-as-a-service platform is distributed via every hacker’s favorite messenger — Telegram. But the attack will come at you via email. “Kali365 lowers the barrier of entry,” the bureau says, “providing less-technical attackers access to AI-generated phishing lures, automated campaign templates, real-time targeted individual/entity tracking dashboards, and OAuth token capture capabilities.”
Short version

The important part is not the brand name “Kali365,” but the technique: abuse of OAuth sign-in flows and token theft to gain session access without needing to repeatedly prompt for MFA.

If that reporting is accurate, this is a serious session hijacking / token theft problem, not “MFA is useless.” MFA still helps, but it does not fully protect an account if an attacker can steal valid session or access tokens after authentication.

What this likely means in practice

  • The victim is lured to a phishing page or fake Microsoft login flow.
  • The attacker abuses legitimate Microsoft authentication infrastructure or OAuth consent flows.
  • Instead of only stealing a username/password, the attacker captures tokens that represent an authenticated session.
  • With valid tokens, the attacker may access Microsoft 365 resources without needing the victim’s MFA code again for that session.

That general attack pattern is well known, even if the specific service name and details should be treated cautiously until confirmed by Microsoft, the FBI advisory itself, or solid technical write-ups.

Important clarification

“Bypassing MFA” in headlines is often misleading.

In many cases, the attacker is not breaking MFA cryptographically. They are:

  • Stealing the authenticated session after MFA has already been completed
  • Tricking the user into approving access through OAuth consent
  • Capturing tokens from adversary-in-the-middle phishing infrastructure

So the better takeaway is: MFA alone is not enough against modern phishing and token theft.

Best defenses for Microsoft 365 users and admins

  • Use phishing-resistant MFA where possible, especially FIDO2 security keys or passkeys
  • Restrict OAuth app consent so users cannot freely grant risky third-party app permissions
  • Review enterprise application consents and remove anything unknown or unnecessary
  • Enable Conditional Access policies where available
  • Monitor sign-in logs for unusual locations, impossible travel, token anomalies, and unfamiliar app IDs
  • Train users to be cautious with Microsoft login pages reached from email links
  • Revoke active sessions and refresh tokens quickly if compromise is suspected

If compromise is suspected

  • Change the account password
  • Revoke sign-in sessions in Microsoft 365 / Entra ID
  • Review MFA methods on the account
  • Check for newly consented OAuth apps
  • Inspect mailbox rules, forwarding settings, and OneDrive/SharePoint activity
  • Review sign-in and audit logs

On the Forbes article itself

Forbes can be useful for awareness, but I would not rely on it alone for technical accuracy. For a claim like this, the safest approach is to verify against:

  • The FBI public service announcement
  • Microsoft security guidance
  • Trusted technical analysis from reputable security researchers

Conclusion

The threat category is credible: token theft and OAuth abuse are real and effective. The specific branding and some headline wording should be verified carefully, but the defensive message is solid: strengthen phishing resistance, limit OAuth abuse, and monitor Microsoft 365 tokens and session activity closely.
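The "Best defenses" and "If compromise is suspected" lists in the reply above describe a procedure without showing how an Entra ID / Microsoft 365 admin actually runs it. The script below is an added example, not code from the original post, from the FBI announcement or from Microsoft; it performs the first-response steps for one account (revoke sessions, list OAuth consent grants, enumerate MFA methods, pull recent sign-ins grouped by app and IP, inspect mailbox rules and forwarding) with the Microsoft Graph PowerShell SDK and Exchange Online PowerShell. It assumes both modules are installed, that the operator holds a role allowed to revoke sessions and read sign-in logs, and that the UPN passed in is a placeholder for the suspected account. The password reset itself is left to the operator, since how it is done (portal, helpdesk, self-service) varies by tenant.

```powershell
# Added example: first-response triage for a suspected Microsoft 365 token-theft compromise.
# Not from the original post or the FBI/Forbes material. Assumes the Microsoft.Graph and
# ExchangeOnlineManagement modules are installed and the operator has the needed roles.
param(
    [Parameter(Mandatory)][string]$Upn,   # placeholder, e.g. alice@contoso.example
    [int]$LookbackDays = 7
)

Connect-MgGraph -Scopes "User.ReadWrite.All","Directory.Read.All","AuditLog.Read.All","Application.Read.All" -NoWelcome
$user = Get-MgUser -UserId $Upn -Property Id,UserPrincipalName,DisplayName

# 1. Revoke refresh tokens and session cookies. Caveat: access tokens already issued stay
#    valid until they expire (typically around an hour); this stops renewal, not the
#    token the attacker is holding right now.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
Write-Host "Sessions revoked for $($user.UserPrincipalName)"

# 2. Delegated OAuth consents recorded for this user. An unfamiliar client holding
#    offline_access plus Mail.Read / Files.Read is the classic token-theft footprint.
#    Tenant-wide consents (consentType AllPrincipals) have no principalId, so they are
#    listed separately.
$userGrants   = Get-MgOauth2PermissionGrant -All -Filter "principalId eq '$($user.Id)'"
$tenantGrants = Get-MgOauth2PermissionGrant -All -Filter "consentType eq 'AllPrincipals'"
$consents = foreach ($g in @($userGrants) + @($tenantGrants)) {
    $sp = Get-MgServicePrincipal -ServicePrincipalId $g.ClientId -Property DisplayName,AppId,VerifiedPublisher
    [pscustomobject]@{
        App         = $sp.DisplayName
        AppId       = $sp.AppId
        Publisher   = $sp.VerifiedPublisher.DisplayName   # empty for unverified publishers
        ConsentType = $g.ConsentType
        Scope       = $g.Scope
    }
}
$consents | Sort-Object ConsentType, App | Format-Table -AutoSize

# 3. Registered MFA methods: look for a method the user did not add themselves.
Get-MgUserAuthenticationMethod -UserId $user.Id |
    Select-Object Id, @{ n = 'Type'; e = { $_.AdditionalProperties['@odata.type'] -replace '#microsoft.graph.', '' } } |
    Format-Table -AutoSize

# 4. Recent sign-ins grouped by application, source IP and country. Unfamiliar AppIds
#    and countries the user never works from are the signal worth chasing.
$since = (Get-Date).AddDays(-$LookbackDays).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
Get-MgAuditLogSignIn -All -Filter "userPrincipalName eq '$($user.UserPrincipalName)' and createdDateTime ge $since" |
    Group-Object AppId, IpAddress, { $_.Location.CountryOrRegion } |
    ForEach-Object {
        $first = $_.Group | Sort-Object CreatedDateTime | Select-Object -First 1
        [pscustomobject]@{
            App       = $first.AppDisplayName
            AppId     = $first.AppId
            Ip        = $first.IpAddress
            Country   = $first.Location.CountryOrRegion
            Client    = $first.ClientAppUsed
            Count     = $_.Count
            FirstSeen = $first.CreatedDateTime
        }
    } | Sort-Object FirstSeen | Format-Table -AutoSize

# 5. Mailbox persistence: inbox rules and forwarding are how an attacker keeps reading
#    mail after the stolen token is gone.
Connect-ExchangeOnline -ShowBanner:$false
Get-Mailbox -Identity $Upn | Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward
Get-InboxRule -Mailbox $Upn |
    Select-Object Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, MoveToFolder |
    Format-Table -AutoSize
```

Two things to keep in mind when reading the output. The v1.0 sign-in log endpoint that `Get-MgAuditLogSignIn` uses returns interactive sign-ins; a replayed refresh token shows up as a non-interactive sign-in, which is only available through the beta endpoint, so an empty result here does not clear the account. And revocation only invalidates refresh tokens and sessions, so treat anything the current access token could reach in the next hour (mail, files, Teams) as still exposed while you work through steps 2 to 5. The preventive counterpart to step 2, restricting what users can consent to, is set tenant-wide through the authorization policy (`Update-MgPolicyAuthorizationPolicy`) rather than per account.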