By REBECCA RUTHERFORD
Los Alamos
For the Los Alamos Daily Post
If you use Outlook, Microsoft Teams, or Microsoft 365 – and a lot of us do – the FBI has issued a warning you should know about. The attack it describes showed up in April of this year, and it is worth understanding because it isn’t like the phishing attacks you have learned to spot.
The lure usually comes in as a phishing email, frequently impersonating a trusted source like a document sharing service. No fake websites. No misspelled company names. No sketchy links. The Microsoft login page you land on is completely real, but the code you enter will hand over your account to the bad guys.
Here is the part that makes this one different from most threats we cover. The platform behind it, called Kali365, is not just a scam. It is a phishing-as-a-service platform, meaning attackers can subscribe to it like a software tool and get access to AI-generated phishing emails, automated campaign templates, real-time tracking dashboards, and token capture capabilities – all without needing to be particularly technical. It is a criminal franchise model. Anyone with a Telegram account and a credit card can run this attack against you or your organization.
Here is how it works, step by step.
First, you get an email impersonating a trusted service – SharePoint, OneDrive, Microsoft Teams, something familiar. The email contains a device code and instructions to visit a legitimate Microsoft verification page and enter it. This is a real Microsoft feature designed for devices like smart TVs that do not have easy keyboards. You have probably never thought about it before, and attackers are counting on that.
Second, you go to the real Microsoft page – the URL is legitimate, everything looks normal – and you paste in the code. You have just unknowingly authorized the attacker's device to access your account.
Third, the attacker captures what are called OAuth tokens – essentially proof that your account said yes to their device. From that point forward, they have access to your Outlook, Teams, and OneDrive without needing your password and without triggering any additional MFA checks. Yikes!
This works even if you have multi-factor authentication turned on. The FBI is not saying MFA is broken. What they are saying is that you were tricked into doing the approving yourself, through a real Microsoft process. Your MFA fired correctly. It just fired for the wrong person, and let attackers into your account.
This is not a flaw in MFA; it still protects you against a lot of other attacks. Just know that it is not a magic shield, and it can be turned against you in a phishing attack like this one.
The single most important thing to take from the FBI's warning: never enter a Microsoft device code unless you personally initiated a login on a device that actually needs one. If an unexpected email or Teams message handed you a code and told you which Microsoft website to enter it on, that is the attack. Stop there.
Ways to stay safe:
- Never enter a device code you did not ask for. If a message hands you a code and tells you where to enter it, that is the attack. Stop there.
- Treat urgent login requests with suspicion. Even if the message looks like it came from a coworker or a familiar service, verify it independently before you do anything.
- Check your active sessions. Microsoft lets you see every device signed into your account and every app connected to it. A quick review every so often can catch something before it gets worse.
- Turn on security alerts. Microsoft can notify you when a new device signs in or something unusual happens. If you do not have that enabled, turn it on today.
- Use a password manager and unique passwords. This attack does not steal your password directly, but attackers layer tactics. A strong, unique password is still worth having.
If you think you may have already fallen for this, move fast. Change your Microsoft password, sign out of all active sessions to cut off any tokens the attacker is holding, and check your account for unfamiliar connected apps or devices. Unexpected MFA prompts you did not initiate, emails you did not send, inbox rules you did not create – any of those is a red flag. You can report the incident to the FBI at ic3.gov and include any phishing emails, suspicious login times, and unauthorized devices if you have them.
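For IT staff who want to check whether the three-step flow described above has been used against anyone in their organization, the following is an added example for this column; it is not code from the FBI notice or from Microsoft. It reads an exported Entra ID sign-in log and flags every sign-in that used the device-code flow, raising the severity when the sign-in succeeded from a country the user has no other history with. The field names (authenticationProtocol, userPrincipalName, ipAddress, appDisplayName, location.countryOrRegion, status.errorCode) follow the Microsoft Graph sign-in schema as I understand it and should be checked against your own export; the log records in the script are constructed sample data.

```python
"""Flag device-code-flow sign-ins in an exported Entra ID sign-in log.

Added illustration for the column above, not code from the FBI notice or
from Microsoft. Field names follow the Microsoft Graph signIn schema as
the author of this example understands it; verify them against your own
export. The records below are constructed sample data, not real logs.
"""
import json
from collections import defaultdict

# Constructed sample export: two normal sign-ins for alice followed by a
# device-code sign-in from a country she has never used; bob uses the
# device-code flow from his usual country; carol's device-code attempt
# failed (nonzero errorCode). IPs are from the RFC 5737 documentation ranges.
SAMPLE_SIGNINS = json.dumps([
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2025-04-02T08:01:00Z",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10",
     "appDisplayName": "Microsoft Teams",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2025-04-02T12:30:00Z",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10",
     "appDisplayName": "OfficeHome",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2025-04-03T09:15:00Z",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.77",
     "appDisplayName": "Microsoft Office",
     "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2025-04-03T10:00:00Z",
     "authenticationProtocol": "oAuth2", "ipAddress": "192.0.2.5",
     "appDisplayName": "Outlook",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2025-04-03T10:05:00Z",
     "authenticationProtocol": "deviceCode", "ipAddress": "192.0.2.5",
     "appDisplayName": "Microsoft Office",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.com", "createdDateTime": "2025-04-03T11:00:00Z",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.9",
     "appDisplayName": "Microsoft Office",
     "location": {"countryOrRegion": "BR"}, "status": {"errorCode": 50126}},
])


def load_signins(text):
    """Parse a JSON array of sign-in records (the 'value' array Graph returns)."""
    return json.loads(text)


def baseline_countries(records):
    """Countries each user has signed in from successfully without the device-code flow."""
    base = defaultdict(set)
    for r in records:
        if r["status"]["errorCode"] == 0 and r["authenticationProtocol"] != "deviceCode":
            base[r["userPrincipalName"]].add(r["location"]["countryOrRegion"])
    return base


def flag_device_code_signins(records):
    """Return one finding per device-code sign-in, highest severity first.

    Every device-code sign-in deserves a look because most mailbox users never
    use the flow at all. The geolocation only raises or lowers severity; the
    protocol itself is the primary signal.
    """
    base = baseline_countries(records)
    rank = {"high": 0, "medium": 1, "info": 2}
    findings = []
    for r in records:
        if r["authenticationProtocol"] != "deviceCode":
            continue
        user = r["userPrincipalName"]
        country = r["location"]["countryOrRegion"]
        if r["status"]["errorCode"] != 0:
            severity, reason = "info", "device-code sign-in failed; someone still tried"
        elif country not in base.get(user, set()):
            severity, reason = "high", f"successful device-code sign-in from {country}, no prior history there"
        else:
            severity, reason = "medium", "successful device-code sign-in from a usual country"
        findings.append({"user": user, "when": r["createdDateTime"], "ip": r["ipAddress"],
                         "app": r["appDisplayName"], "severity": severity, "reason": reason})
    findings.sort(key=lambda f: rank[f["severity"]])  # stable sort keeps log order within a level
    return findings


def report(text=SAMPLE_SIGNINS):
    """Print the findings for an export and return them for further handling."""
    findings = flag_device_code_signins(load_signins(text))
    for f in findings:
        print(f"[{f['severity'].upper():6}] {f['when']} {f['user']} {f['ip']} ({f['app']}): {f['reason']}")
    return findings


if __name__ == "__main__":
    report()
```

On the constructed data the script reports alice's sign-in as high, bob's as medium, and carol's failed attempt as info. Any high finding is a reason to do the cleanup the column describes: revoke the user's sessions, review connected apps and inbox rules, and talk to the user about what they were asked to enter. Tenant administrators who find that nobody in the organization legitimately uses the device-code flow can also block it outright with a Conditional Access policy on the authentication-flows condition, which removes this attack path entirely.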
Stay skeptical out there.
Editor’s note: Rebecca Rutherford works in information technology at Los Alamos National Laboratory.