FBI: Phishing-as-a-Service Kit Hijacks Microsoft 365
Why It Matters
Kali365 demonstrates that MFA alone no longer protects banks’ cloud email environments, exposing them to costly fraud and regulatory scrutiny.
Key Takeaways
- Kali365 sells for $250/month and steals Microsoft 365 tokens.
- Device‑code phishing yields a valid token even though the victim completed the second‑factor check, so MFA is bypassed.
- Targets bank employee mailboxes, enabling wire fraud and BEC.
- CISA recommends FIDO passkeys to block token‑theft attacks.
- Conditional‑access policies can block the device‑code flow for most users.
Pulse Analysis
Device‑code phishing is a clever repurposing of a legitimate Microsoft feature designed for low‑input devices such as TVs and printers. By initiating a device‑code login on their own server, attackers receive a genuine code that they embed in a phishing lure. When a victim enters the code on Microsoft’s login page, the system treats the session as a legitimate device, completes the MFA challenge, and issues an access token. The token grants unrestricted access to Outlook, Teams, and OneDrive, effectively sidestepping passwords and traditional MFA safeguards. This technique, once confined to nation‑state actors, has been commoditized as the Kali365 kit, lowering the technical barrier for cybercriminals.
For banks, the ramifications are acute. Over 90% of U.S. financial institutions rely on Microsoft 365 for email and collaboration, making the platform a high‑value target. Once an attacker controls a staff mailbox, they can silently create inbox rules, register trusted devices, and launch business‑email compromise schemes that reroute payments. The FBI’s warning underscores that MFA, while essential, is insufficient when token‑theft methods are employed. The financial sector’s exposure is magnified by the high‑value nature of wire transfers and the regulatory penalties associated with data breaches.
Defensive strategies must evolve beyond password‑based controls. The Cybersecurity and Infrastructure Security Agency (CISA) advises deploying phishing‑resistant authentication such as FIDO‑based passkeys or hardware security keys, which bind the credential to the legitimate website and render stolen tokens useless. Additionally, conditional‑access policies that block the device‑code flow for non‑essential accounts can eliminate the attack vector without disrupting critical operations. As regulators like the FFIEC push for layered security and continuous monitoring, banks that adopt these measures will better protect their customers and mitigate the financial fallout of sophisticated token‑theft attacks.
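The conditional‑access control described above is only as good as its coverage, so a SOC will want to check sign‑in logs for device‑code authentications by accounts the policy should have blocked. The script below is an added example, not code from the article, the FBI or CISA: it models the policy as an allow list of identities permitted to use the device‑code flow, parses a constructed JSON‑lines sign‑in log whose field names imitate the Microsoft Graph `signIn` resource (an assumption about the schema; `authenticationProtocol`, `conditionalAccessStatus` and `status.errorCode` are the fields relied on), and reports a successful device‑code sign‑in outside the allow list as a policy gap and a blocked attempt as a possible lure in circulation. The account names, IP addresses and the allow list are all hypothetical.

```python
import json
from dataclasses import dataclass

# Hypothetical allow list standing in for the Conditional Access policy discussed
# above: only these identities (low-input devices) may use the device-code flow.
DEVICE_CODE_ALLOWLIST = frozenset({"conference-room-tv@example.com"})

# Constructed sample sign-in log in JSON-lines form. The field names imitate the
# Microsoft Graph `signIn` resource (an assumption about the schema); every value
# is invented for this example. errorCode 0 = success; 53003 = blocked by
# Conditional Access.
SAMPLE_SIGNIN_LOG = """\
{"userPrincipalName": "conference-room-tv@example.com", "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Teams Rooms", "ipAddress": "203.0.113.10", "status": {"errorCode": 0}, "conditionalAccessStatus": "success"}
{"userPrincipalName": "Alice.Treasury@example.com", "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office", "ipAddress": "198.51.100.77", "status": {"errorCode": 0}, "conditionalAccessStatus": "notApplied"}
{"userPrincipalName": "alice.treasury@example.com", "authenticationProtocol": "none", "appDisplayName": "Outlook Web", "ipAddress": "203.0.113.25", "status": {"errorCode": 0}, "conditionalAccessStatus": "success"}
{"userPrincipalName": "bob.wires@example.com", "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office", "ipAddress": "198.51.100.77", "status": {"errorCode": 53003}, "conditionalAccessStatus": "failure"}
"""


@dataclass(frozen=True)
class Finding:
    upn: str
    app: str
    ip: str
    severity: str  # "high" = policy gap, "medium" = blocked attempt worth triage
    reason: str


def parse_signins(jsonl: str) -> list[dict]:
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def find_device_code_findings(records: list[dict],
                              allowlist: frozenset[str] = DEVICE_CODE_ALLOWLIST) -> list[Finding]:
    """Return one Finding per device-code sign-in by an account outside the allow list.

    A successful sign-in means the Conditional Access policy did not cover that
    account (a gap to close); a failed one means the policy held, but a lure is
    probably circulating and the user should be contacted.
    """
    findings = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        upn = rec.get("userPrincipalName", "").lower()
        if upn in allowlist:
            continue  # expected device-code user (TV, printer, meeting room)
        succeeded = rec.get("status", {}).get("errorCode") == 0
        if succeeded:
            severity = "high"
            reason = ("successful device-code sign-in outside allow list; "
                      f"conditionalAccessStatus={rec.get('conditionalAccessStatus')}")
        else:
            severity = "medium"
            reason = ("device-code sign-in blocked; possible phishing lure "
                      f"(errorCode={rec.get('status', {}).get('errorCode')})")
        findings.append(Finding(upn, rec.get("appDisplayName", ""),
                                rec.get("ipAddress", ""), severity, reason))
    return findings


def policy_gap_accounts(findings: list[Finding]) -> list[str]:
    """Accounts that completed a device-code sign-in the policy should have blocked."""
    return sorted({f.upn for f in findings if f.severity == "high"})


if __name__ == "__main__":
    hits = find_device_code_findings(parse_signins(SAMPLE_SIGNIN_LOG))
    for f in hits:
        print(f"[{f.severity}] {f.upn} via {f.app} from {f.ip}: {f.reason}")
    print("accounts to add to the device-code block policy:", policy_gap_accounts(hits))
```

Run against an export of the sign‑in log, the `high` findings are the accounts the conditional‑access policy missed (here `conditionalAccessStatus` is `notApplied`, which is the tell), while the `medium` findings show the policy working and give the security team a user to contact before the next lure lands.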