From Newsgroup: comp.mobile.android
The security measure millions rely on to protect their accounts may not be
as foolproof as they think.
The Federal Bureau of Investigation is warning the public about a fast- spreading scam targeting users of popular Microsoft 365 products,
including Outlook, Teams, and OneDrive. The scheme allows cybercriminals
to capture Microsoft authentication tokens, bypassing multifactor authentication without needing a user�s password.
At the center of the scheme is a hacking platform called Kali365. Unlike traditional phishing attacks that rely on stealing credentials, Kali365 targets OAuth device codes�digital keys that allow applications to access
data without requiring a password�giving cybercriminals access to
Microsoft 365 accounts and a wide range of sensitive information.
The subscription-based service, which was first spotted in April 2026, has been promoted largely through Telegram and, according to Bitdefender, is available to scammers for as little as $250 per month or $2,000 a year.
What makes the threat particularly alarming is that it can gain access to
a user�s account without a password. �Kali365 lowers the barrier of entry, providing less-technical attackers access to AI-generated phishing lures, automated campaign templates, real-time targeted individual/entity
tracking dashboards, and OAuth token capture capabilities,� the FBI said.
With security researchers reporting hundreds of Kali365 attacks in April alone, the threat is already materializing.
How the scheme unfolds
The attack follows a deceptively simple sequence. A victim receives a
phishing email designed to look like it came from a trusted cloud service.
The email contains a device code and instructs the recipient to visit a legitimate Microsoft verification page to enter it.
The moment the user does this, the user has unknowingly handed the
attacker full access to their account.
Once the code is entered, the attacker captures the OAuth access token, granting them full entry into the victim�s Microsoft 365 account. From
there, they can freely navigate Outlook, Teams, and OneDrive without ever needing a password or completing any additional authentication steps.
What makes the scam particularly convincing is that there is no fake
website to spot and no misspelled domain name, making it difficult for a
user to distinguish the phishing attempt from a legitimate request.
�This phishing scam is getting more sophisticated by the day, with AI- generated lures and automated templates,� one user wrote in response to
the FBI�s warning.
However, the FBI says there are steps users can take to protect
themselves, including not opening any links with access codes that you
didn�t request. Additionally, those who have been affected by the Kali365 phishing kit can file a complaint with the Internet Crime Complaint
Center.
https://www.inc.com/amaya-nichole/fbi-just-issued-urgent-warning-anyone- using-microsoft-over-new-phishing-scheme/91351360
--- Synchronet 3.22a-Linux NewsLink 1.2