FBI warns Microsoft users about passwordless scam

Fox News business

Key Points:

  • The FBI has issued a warning about Kali365, a phishing-as-a-service platform targeting Microsoft 365 accounts including Outlook, Teams, and OneDrive, which can bypass multifactor authentication (MFA) by exploiting Microsoft's device code login process.
  • Kali365 tricks users into approving a sign-in on a legitimate Microsoft verification page by sending phishing emails with device codes, allowing attackers to capture OAuth tokens and gain access without stealing passwords.
  • Small businesses are particularly vulnerable as compromised accounts can be used to impersonate employees, send fake invoices, and access sensitive information, making the scam difficult to detect.
  • To protect accounts, users should never enter device codes they did not request, avoid clicking suspicious links, regularly review account activity, keep MFA enabled, and train employees about device code scams.
  • The FBI recommends restricting device code flow where possible, auditing legitimate use before blocking, protecting emergency access accounts, and reporting any attacks to the FBI’s Internet Crime Complaint Center.
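The last two points, auditing legitimate device code use before restricting the flow and watching for sign-ins the user never requested, can be checked against the tenant's own sign-in logs. The script below is an added illustration, not code from the article or from the FBI; it assumes sign-in records shaped like the Microsoft Graph `signIn` resource, in particular an `authenticationProtocol` field that reads `deviceCode` for this flow, and uses a constructed log sample and a hypothetical allow list of expected (user, app) pairs.

```python
import json
from collections import Counter

# Constructed sample of Entra ID sign-in log entries (JSON lines), shaped after the
# Microsoft Graph "signIn" resource; the accounts, apps and addresses are made up.
SAMPLE_SIGNIN_LOG = """
{"createdDateTime":"2025-06-02T08:14:05Z","userPrincipalName":"alice@example.com","appDisplayName":"Microsoft Office","ipAddress":"203.0.113.10","authenticationProtocol":"oAuth2","status":{"errorCode":0}}
{"createdDateTime":"2025-06-02T08:20:41Z","userPrincipalName":"bob@example.com","appDisplayName":"Microsoft Azure CLI","ipAddress":"198.51.100.7","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
{"createdDateTime":"2025-06-02T09:02:13Z","userPrincipalName":"carol@example.com","appDisplayName":"Microsoft Office","ipAddress":"192.0.2.55","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
{"createdDateTime":"2025-06-02T09:03:50Z","userPrincipalName":"carol@example.com","appDisplayName":"Microsoft Office","ipAddress":"192.0.2.55","authenticationProtocol":"deviceCode","status":{"errorCode":50126}}
"""

# Hypothetical allow list: (user, app) pairs whose device code use is known and
# documented, built up while auditing the tenant before the flow is restricted.
EXPECTED_DEVICE_CODE_USE = {("bob@example.com", "Microsoft Azure CLI")}


def parse_signins(text):
    """Parse JSON-lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_device_code_success(record):
    """True for a sign-in that completed successfully via the device code flow."""
    return (record.get("authenticationProtocol") == "deviceCode"
            and record.get("status", {}).get("errorCode") == 0)


def device_code_signins(records):
    """All successful device code sign-ins in the log."""
    return [r for r in records if is_device_code_success(r)]


def usage_summary(records):
    """Count successful device code sign-ins per (user, app).

    This is the audit step: it shows who actually depends on the flow, so that
    a block policy does not break legitimate CLI or headless-device logins.
    """
    return Counter((r["userPrincipalName"], r["appDisplayName"])
                   for r in device_code_signins(records))


def unexpected_device_code_signins(records, expected_use):
    """Device code sign-ins whose (user, app) pair is not on the expected-use list.

    These are the events to confirm with the user: a successful device code
    sign-in the user did not initiate is the signature of the scam described above.
    """
    return [r for r in device_code_signins(records)
            if (r["userPrincipalName"], r["appDisplayName"]) not in expected_use]


if __name__ == "__main__":
    records = parse_signins(SAMPLE_SIGNIN_LOG)
    for (user, app), count in usage_summary(records).items():
        print(f"{user} via {app}: {count} device code sign-in(s)")
    for r in unexpected_device_code_signins(records, EXPECTED_DEVICE_CODE_USE):
        print(f"REVIEW {r['createdDateTime']} {r['userPrincipalName']} "
              f"{r['appDisplayName']} from {r['ipAddress']}")
```

Only successful sign-ins are counted; the failed attempt in the sample (non-zero `errorCode`) is deliberately ignored so the summary reflects actual access rather than noise. Run the same logic over an export of real sign-in logs to produce the allow list first, then treat anything outside it as a case for user confirmation.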
