惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Google DeepMind News
Google DeepMind News
B
Blog RSS Feed
Apple Machine Learning Research
Apple Machine Learning Research
D
Darknet – Hacking Tools, Hacker News & Cyber Security
V2EX - 技术
V2EX - 技术
Security Archives - TechRepublic
Security Archives - TechRepublic
Cisco Talos Blog
Cisco Talos Blog
T
Tor Project blog
博客园 - 司徒正美
T
The Blog of Author Tim Ferriss
J
Java Code Geeks
宝玉的分享
宝玉的分享
小众软件
小众软件
博客园_首页
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Project Zero
Project Zero
H
Hackread – Cybersecurity News, Data Breaches, AI and More
Spread Privacy
Spread Privacy
I
InfoQ
博客园 - 叶小钗
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
罗磊的独立博客
M
MIT News - Artificial intelligence
爱范儿
爱范儿
The Cloudflare Blog
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
T
Tenable Blog
S
Securelist
N
News and Events Feed by Topic
Simon Willison's Weblog
Simon Willison's Weblog
Webroot Blog
Webroot Blog
The Hacker News
The Hacker News
O
OpenAI News
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
P
Palo Alto Networks Blog
C
CERT Recently Published Vulnerability Notes
PCI Perspectives
PCI Perspectives
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
T
Threat Research - Cisco Blogs
L
LINUX DO - 热门话题
I
Intezer
Scott Helme
Scott Helme
Recent Commits to openclaw:main
Recent Commits to openclaw:main
C
Cybersecurity and Infrastructure Security Agency CISA
Google Online Security Blog
Google Online Security Blog
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
S
Security Affairs
AI
AI
AWS News Blog
AWS News Blog
Security Latest
Security Latest

GRAHAM CLULEY

Google's Gemini lets strangers send messages from your locked Android phone Anubis ransomware: what you need to know Smashing Security podcast #476: Remote-control rickshaws and rogue book marketers The ransomware negotiator who was working for the other side Invited to a "job interview" with Netflix or OpenAI? Beware! Your Google password could be at risk Smashing Security podcast #475: JadePuffer - the AI that ran a ransomware attack all by itself Two arrested over credit card phishing - as the Netherlands is named Europe's worst for payment fraud The Gentlemen ransomware: what you need to know Smashing Security podcast #474: Polymarket can predict the future. So how did it miss this hack? Scammers race to cash in on Venezuelan earthquake disaster USB drives carrying China-linked malware infected Japanese military networks for nearly a year Smashing Security podcast #473: How a hacker could have Rickrolled the entire World Cup Hacker hijacks Brazil's national alert system, sending "misanthropy" to millions of phones Apple's Hide My Email tweak leaves privacy fans fuming Imposter scams cost Americans $3.5 billion in 2025 – and it’s getting worse Smashing Security podcast #472: AI gets hacked, and BitLocker gets bypassed Maine forced to take down data breach portal after fake notices filed with authorities Privacy own-goal: World Cup blunder leaks Lionel Messi's passport details Silent Ransom Group: what you need to know Smashing Security podcast #471: This AI worm just rewrote its own rules Why schools remain one of cybercriminals' favourite targets Got a LinkedIn message from a recruiter? It might be Chinese intelligence, warn FBI and MI5 Meta’s own AI chatbot to blame for Instagram accounts being stolen in seconds Smashing Security podcast #470: This AI security flaw might be impossible to fix Police arrest man following hack of Ajax football club MyPillow listed on ransomware gang's leak site, but denies it has been breached Smashing Security podcast #469: What your Oura ring won’t tell you Defenders fall behind, as AI rewrites the rules of a data breach Smashing Security podcast #468: High-speed train hacks and homicidal lawnmowers FBI warns students and staff that ShinyHunters may come knocking after Canvas breach Suspected Dream Market kingpin arrested after gold bars sent to his home address When ransomware gets physical: cybercriminals turn to threats of violence Smashing Security podcast #467: How ShinyHunters hacked the world’s biggest universities One in eight UK workers has sold their company passwords, and bosses think it’s fine Inside Department 4: Russia's secret school for hackers Sri Lanka makes 37 arrests as it raids another scam centre Smashing Security podcast #466: Meta sees everything, Copy Fail, and a deepfake gets hired Teenager alleged to be Scattered Spider hacker arrested in Finland, faces US extradition Iran-linked Handala hackers leak US Marines data, send chilling WhatsApp threats Smashing Security podcast #465: This developer wanted to cheat at Roblox. It cost millions Alleged Silk Typhoon hacker extradited to the United States to face charges French police arrest 21-year-old "HexDex" hacker over 100 alleged data breaches Smashing Security podcast #464: Rockstar got hacked. The data was junk. The secrets it revealed were not Singer loses life savings to fake wallet downloaded from the Apple App Store Sometimes changing the password on your email mailbox isn’t enough 108 malicious Chrome extensions caught stealing Google and Telegram data from 20,000 users AI and cryptocurrency scams are costing Americans billions, FBI reports Life imprisonment for Cambodian scam compound operators - but will it make a difference? Nigerian romance scammer jailed after being caught out by fellow fraudster Alleged RedLine malware developer extradited to United States Iranian hackers breach FBI director's personal email, and post his CV and photos online World Leaks data extortion: What you need to know How one man used 10,000 bots to steal $8,000,000 from music artists Denver's crosswalks hacked to broadcast anti-Trump messages LeakNet ransomware: what you need to know Free parking in Russia after Distributed Denial-of-Service attack knocks city's parking system offline Fraudsters are using public planning records to target permit applicants Your Signal account is safe - unless you fall for this trick Twitter suspended 800 million accounts last year — so why does manipulation remain so rampant? How hackers bypassed MFA with a $120 phishing kit - until a global takedown shut it down They seized $4.8m in crypto... then gave the master key to the internet
FBI warns of Kali365 phishing kit that breaks into Microsoft 365 accounts — no password required
Graham CLULEY · 2026-05-27 · via GRAHAM CLULEY

So, you've enabled multi-factor authentication. You've taught your staff never to type their passwords into dodgy-looking login pages. Surely your Microsoft 365 accounts are safe now?

Well, think again.

The FBI has issued an advisory warning about a phishing-as-a-service platform that has recently emerged, which can hijack Microsoft 365 accounts without ever stealing a password. And it has no difficulty waltzing past MFA while it's at it.

Kali365 is a subscription service for scammers that was first spotted in April 2026, and has been promoted largely through Telegram.

It is a turnkey toolkit that allows even non-technical fraudsters to run sophisticated phishing campaigns, reportedly for as little as US $250 per month or $2,000 a year.

Subscribers to Kali365 have access to AI-generated phishing lures, automated campaign templates, real-time dashboards for tracking targets, and the ability to capture OAuth tokens. In other words, it's everything even a complete newbie would need to launch a phishing attack.

And the threat is not hypothetical. Security researchers documented hundreds of Kali365 attacks in April alone, hitting organisations cross North America and Europe.

The common factor in the attacks? The victim had deployed MFA.

What makes Kali365 so successful I suspect is that it does not need to fool victims with a fake login page. Instead, it abuses a legitimate Microsoft feature.

If you have ever signed into a streaming service like Amazon Prime or Netflix on a smart TV you have probably been promoted to type a short code into a website on your phone.

If you've done that, you've used "device code flow." That's the technology which allows a gadget to borrow an authenticated session from another device.

The Kali365 attack works the same way. You receive a phishing email which is disguised as a message from a trusted cloud service, asking you to visit a Microsoft verification page and enter a code.

You go to the genuine Microsoft page and type in the code. You may think you have acted entirely safely.

After all, it was a genuine Microsoft domain, your password manager recognised it correctly, the site's SSL certificate is valid, and there are no typos in the URL.

However, what you have actually done is authorise an attacker's device to access your account.

Microsoft hands the criminal an OAuth token - proof you are logged in - granting them unfettered access to your Microsoft Outlook, Teams, and OneDrive with no password and no further prompts to enter an MFA code.

In short, there is no fake website to spot, and no misspelt domain name. The single stolen token can unlock other cloud apps, potentially turning one careless click into a wide-ranging security incident.

The thing to remember here is that MFA stops attackers from logging in as you. It does nothing to prevent you from granting access to an attacker through a workflow that Microsoft considers entirely legitimate.

The criminals are never asked to answer an MFA challenge, because as far as Microsoft is concerned the victim already has.

And this is why the FBI's top recommendation is to block device code flow, with a conditional access policy in Microsoft Entra ID where appropriate. You will probably want to exclude emergency access accounts so you don't accidentally lock yourself out entirely.

And it is always a good idea to roll-out phishing-resistant MFA, such as hardware security keys, which tie authentication to a physical device and are much harder to circumnavigate.

The FBI's Internet Crime Complaint Center is encouraging victims to report incidents to it via its website at ic3.gov.