Hackers are using real Microsoft login pages to steal accounts, the FBI warns

Key Points:

• The FBI warns of a new Kali365 phishing-as-a-service scam that bypasses Microsoft 365 multi-factor authentication (MFA) by tricking users into approving legitimate Microsoft logins via device codes meant for hardware with limited input.
• Hackers persuade victims to enter short device codes on real Microsoft websites, enabling attackers to obtain access tokens and hijack accounts without completing MFA themselves, gaining access to emails, files, and third-party apps.
• The scam also uses browser cookies to redirect users through attacker-controlled infrastructure while forwarding requests to genuine Microsoft login pages, making detection difficult.
• Kali365 is notable for its ease of use, allowing even less-technical hackers to launch sophisticated phishing campaigns using AI-generated lures and victim tracking, with distribution mainly through secure Telegram chats.
• To protect accounts, individuals should be cautious of phishing email subject lines tied to common templates involving shared documents, voicemails, and invoices, while businesses should consider blocking unnecessary device codes and restricting authentication transfers between devices.