The FBI has warned of the danger from a new wave of phishing attacks generated by a tool called Kali365.
It enables cyber criminals to obtain Microsoft 365 access tokens and bypass multi-factor authentication (MFA) without ever intercepting the user's credentials: instead, the attacker captures the OAuth tokens linked to the victim's Microsoft 365 account.
The scam works in a similar way to most phishing attacks. An attacker sends an email purporting to be from a trusted cloud document sharing service, including instructions to enter a particular code on a legitimate Microsoft site.
The code, however, authorizes the attacker’s device to access the victim’s Microsoft account.
The FBI has issued a set of instructions for IT security managers to help mitigate the Kali365 attack before it affects their users. These include creating a conditional access policy that blocks the code flow for all users, with exceptions only for the business processes that genuinely need it. Managers should also block authentication transfer, preventing users from handing over their access rights from a corporate PC to a mobile device.
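The conditional access policy the FBI describes, as an added example rather than anything published with the warning or by the article: it uses the Microsoft Graph PowerShell SDK and the conditional access `authenticationFlows` condition to block both transfer methods, and it starts in report-only mode so sign-in logs can be reviewed before enforcement. The exclusion group ID is a placeholder you must replace with the group that holds the approved business-process accounts.

```powershell
# Added example: block device code flow and authentication transfer with a
# conditional access policy. Requires the Microsoft.Graph PowerShell module.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: replace with the object ID of the group that is allowed to keep
# using the code flow for an approved business process.
$exclusionGroupId = "<APPROVED-PROCESS-GROUP-OBJECT-ID>"

$policy = @{
    displayName = "Block device code flow and authentication transfer"
    # Report-only first: review the sign-in logs, then switch to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{
            includeUsers  = @("All")
            excludeGroups = @($exclusionGroupId)
        }
        applications = @{
            includeApplications = @("All")
        }
        # The two transfer methods named in the mitigation guidance.
        authenticationFlows = @{
            transferMethods = "deviceCodeFlow,authenticationTransfer"
        }
    }
    grantControls = @{
        operator         = "OR"
        builtInControls  = @("block")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

While the policy is in report-only mode, the Entra sign-in logs show which users and apps would have been blocked, which is where any legitimate code-flow use will surface before you enforce the policy.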