FBI warns of Kali Oauth stealers

Source: FBI warns of Kali Oauth stealers | CSO Online

Author: unknown

URL: https://www.csoonline.com/article/4176464/fbi-warns-of-kali-oauth-stealers.html

ONE SENTENCE SUMMARY:

The FBI warns that Kali365 phishing steals Microsoft 365 OAuth tokens and bypasses MFA through the device authorization flow, and urges organizations to block device code flow with conditional access and to restrict authentication transfer.

MAIN POINTS:

  1. FBI alerted organizations about a new Kali365-enabled phishing wave targeting Microsoft 365 accounts.
  2. Kali365 captures OAuth access tokens rather than stealing usernames or passwords.
  3. Multi-factor authentication is bypassed because the attacker ends up holding a valid token, so no credentials ever need to be intercepted.
  4. Attackers impersonate trusted cloud document-sharing services in convincing phishing emails.
  5. Victims are instructed to enter a specific code on a legitimate Microsoft website.
  6. Entered code authorizes the attacker’s device to access the victim’s Microsoft account.
  7. Mitigation includes conditional access policies blocking device code flow for most users.
  8. Exceptions should be narrowly granted only for essential business processes needing code flow.
  9. Policies that block authentication transfer prevent sign-in rights from being handed off from corporate PCs to mobile devices.
  10. World Economic Forum data shows phishing is CEOs’ top concern and growing across organizations.
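The two defensive controls in points 5 through 9 (spotting device code sign-ins that fall outside a narrow exception list, and blocking the flow itself with a conditional access policy) can be sketched in code. The block below is an added example, not code from the CSO Online article or from the FBI alert. The sign-in records and user names are constructed; the field names `authenticationProtocol` (on the Microsoft Graph `signIn` resource) and `conditions.authenticationFlows.transferMethods` (on `conditionalAccessPolicy`) are the ones I know from the Graph API and should be checked against current Graph documentation before use.

```python
"""Added example: flag device code flow sign-ins outside an approved
exception list, and build the Graph Conditional Access policy body that
blocks device code flow and authentication transfer for everyone else.
Not from the article or the FBI alert; field names assumed per Graph docs."""
import json

# Constructed sample sign-in records mirroring a few fields of the
# Microsoft Graph `signIn` resource (values invented for this example).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com",
     "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office",
     "ipAddress": "203.0.113.7",
     "conditionalAccessStatus": "notApplied"},
    {"userPrincipalName": "svc-kiosk@example.com",
     "authenticationProtocol": "deviceCode",
     "appDisplayName": "Conference Room Display",
     "ipAddress": "192.0.2.10",
     "conditionalAccessStatus": "success"},
    {"userPrincipalName": "bob@example.com",
     "authenticationProtocol": "oAuth2",
     "appDisplayName": "Microsoft Teams",
     "ipAddress": "198.51.100.4",
     "conditionalAccessStatus": "success"},
]

# Narrow allow list of identities with a genuine business need for device
# code flow (headless displays, CLI service accounts). Hypothetical value.
DEVICE_CODE_EXCEPTIONS = {"svc-kiosk@example.com"}


def find_unexpected_device_code_signins(signins, exceptions):
    """Return sign-ins that used device code flow from a user not on the
    exception list. These are the events worth triaging as possible
    token-phishing: the user typed a code on a legitimate Microsoft page
    and thereby authorized a device they do not own."""
    allowed = {u.lower() for u in exceptions}
    return [
        s for s in signins
        if s.get("authenticationProtocol") == "deviceCode"
        and s.get("userPrincipalName", "").lower() not in allowed
    ]


def build_block_policy(exempt_group_ids, report_only=True):
    """Build a Conditional Access policy body (Graph
    conditionalAccessPolicy) that blocks device code flow and
    authentication transfer for all users except the exempt groups.
    Group ids are placeholders supplied by the caller."""
    return {
        "displayName": "Block device code flow and authentication transfer",
        # Start in report-only mode so the exception list can be tuned
        # before sign-ins are actually blocked.
        "state": ("enabledForReportingButNotEnforced"
                  if report_only else "enabled"),
        "conditions": {
            "users": {
                "includeUsers": ["All"],
                "excludeGroups": list(exempt_group_ids),
            },
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {
                "transferMethods": "deviceCodeFlow,authenticationTransfer",
            },
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def policy_blocks_flow(policy, flow):
    """True if the policy body blocks the named transfer method."""
    methods = (policy.get("conditions", {})
               .get("authenticationFlows", {})
               .get("transferMethods", ""))
    blocked = {m.strip() for m in methods.split(",") if m.strip()}
    return (flow in blocked
            and "block" in policy.get("grantControls", {})
                                 .get("builtInControls", []))


if __name__ == "__main__":
    for hit in find_unexpected_device_code_signins(
            SAMPLE_SIGNINS, DEVICE_CODE_EXCEPTIONS):
        print("device code sign-in outside exception list:",
              hit["userPrincipalName"], hit["ipAddress"], hit["appDisplayName"])
    policy = build_block_policy(["00000000-0000-0000-0000-00000000dc01"])  # placeholder id
    print(json.dumps(policy, indent=2))
```

Run it as-is to see the one flagged sign-in (the user not on the exception list) and the policy body; in practice the records would come from the Graph sign-in log endpoint and the policy body would be POSTed to the Conditional Access policies endpoint after review in report-only mode.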

TAKEAWAYS:

  1. Token-based phishing can defeat MFA without ever capturing user credentials.
  2. Legitimate login pages don’t guarantee safety when attackers abuse device authorization workflows.
  3. Conditional access controls are central to reducing exposure to device code phishing.
  4. Preventing authentication transfers limits attackers’ ability to persist across devices.
  5. Rising phishing volume makes rapid policy hardening and user awareness critical.