{"id":8262,"date":"2026-05-26T02:50:41","date_gmt":"2026-05-26T02:50:41","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=8262"},"modified":"2026-05-26T02:50:41","modified_gmt":"2026-05-26T02:50:41","slug":"security-experts-caution-mfa-alone-can-no-longer-stop-threat-actors","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=8262","title":{"rendered":"Security experts caution MFA alone can no longer stop threat actors"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Cybersecurity experts are warning enterprise admins about an increasing number of phishing campaigns aimed at stealing Microsoft 365 (M365) access tokens to bypass multifactor authentication login protection.<\/p>\n<p>Phishing kits aimed at capturing M365 tokens aren\u2019t new; some reports say these kits have been around since 2021. One of the latest is <a href=\"https:\/\/www.csoonline.com\/article\/4153742\/eviltokens-abuses-microsoft-device-code-flow-for-account-takeovers.html\" target=\"_blank\" rel=\"noopener\">EvilTokens<\/a>, which <a href=\"https:\/\/blog.sekoia.io\/new-widespread-eviltokens-kit-device-code-phishing-as-a-service-part-1\/\" target=\"_blank\" rel=\"noopener\">researchers at Sekoia say<\/a> has been circulating since February. 
And earlier this month, Microsoft also <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/05\/04\/breaking-the-code-multi-stage-code-of-conduct-phishing-campaign-leads-to-aitm-token-compromise\/\" target=\"_blank\" rel=\"noopener\">issued a warning<\/a> about other adversary-in-the-middle phishing schemes that steal authentication tokens, and, separately, about <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/03\/02\/oauth-redirection-abuse-enables-phishing-malware-delivery\/\" target=\"_blank\" rel=\"noopener\">campaigns that exploit OAuth protocol functionality<\/a> to manipulate URL redirection to bypass conventional phishing defenses.<\/p>\n<h2 class=\"wp-block-heading\">Lowers the barrier to entry<\/h2>\n<p>But, said the US Federal Bureau of Investigation (FBI) <a href=\"https:\/\/www.ic3.gov\/PSA\/2026\/PSA260521\" target=\"_blank\" rel=\"noopener\">in a warning last week<\/a>, the new <a href=\"https:\/\/www.csoonline.com\/article\/4176464\/fbi-warns-of-kali-oauth-stealers.html\" target=\"_blank\" rel=\"noopener\">Kali365<\/a> phishing-as-a-service platform \u201clowers the barrier of entry, providing less technical attackers access to AI-generated phishing lures, automated campaign templates, real-time targeted individual\/entity tracking dashboards, and OAuth token capture capabilities.\u201d<\/p>\n<p>It\u2019s increasingly being leveraged by threat actors. On April 24, for example, security vendor Arctic Wolf said that it had detected <a href=\"https:\/\/arcticwolf.com\/resources\/blog\/token-bingo-dont-let-your-code-be-the-winner\/\" target=\"_blank\" rel=\"noopener\">a large-scale device code phishing campaign<\/a> affecting organizations that was run by a threat actor using the Kali365 service. 
Four days later, researchers at Gurucul <a href=\"https:\/\/gurucul.com\/latest-threats\/new-kali365-phaas-kit-being-abused-in-the-wild\/\" target=\"_blank\" rel=\"noopener\">issued a similar warning<\/a>, adding the new Kali365 kit \u201cis rapidly becoming a preferred weapon\u201d of threat actors. Both the Kali365 and EvilTokens platforms trick employees into entering a code on a legitimate Microsoft login page, which lets the attacker collect the resulting OAuth tokens.<\/p>\n<p>But, Gurucul warned CSOs, \u201c[Kali365] signals a shift toward highly professionalized attack models.\u201d The researchers noted, \u201cThis is not just a single hacker working in isolation. Instead, it is a full-scale commercial operation. It is designed to lower the barrier for entry for criminals globally. By providing a ready-made infrastructure for deception, this kit places sophisticated capabilities in the hands of novice attackers.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Move beyond MFA as a \u2018checklist item\u2019<\/h2>\n<p>CSOs should take the warnings as a reminder that phishing detection lessons are an essential part of security awareness training for all employees.<\/p>\n<p>The FBI caution\u00a0\u201c[also] reminds us that multifactor authentication is no longer the single step that must be present for protection,\u201d said <a href=\"https:\/\/www.digitaldefence.ca\/company\/\" target=\"_blank\" rel=\"noopener\">Robert Beggs<\/a>, CEO of Canadian incident response firm Digital Defence.<\/p>\n<p>\u201cOrganizations have to move beyond having it as a \u2018checklist item\u2019 and instead focus on a defense in depth approach. Organizations have to block or tightly restrict Microsoft\u2019s <a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity-platform\/v2-oauth2-device-code\" target=\"_blank\" rel=\"noopener\">OAuth device code authentication flow<\/a> using Conditional Access. 
Additional controls include revoking OAuth tokens proactively, monitoring for unauthorized device registrations, and monitoring to detect new or malicious inbox rules.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Professional attack model<\/h2>\n<p>The Kali365 service provides templates, management dashboards, and integrated tools that lower the skill barrier for the subscribing threat actor to mount large-scale attacks.\u00a0Subscriptions start at $250 for 30 days and go up to $2,000 for 365 days.<\/p>\n<p>Once signed up, Arctic Wolf said, Kali365 affiliates can rapidly generate branded phishing lures impersonating common enterprise services such as Adobe Acrobat Sign, DocuSign, and SharePoint. The service includes a modular lure\u2011generation system that allows threat actors to produce hundreds of distinct variants by mixing language localization, presentation layout, Microsoft\u2011ecosystem impersonations, and multiple document formats in English, Spanish, French, German, Portuguese, Italian, Dutch, Japanese, Korean, Chinese, Arabic, Turkish, Polish, and Russian.<\/p>\n<p>Beggs noted that the use of AI-generated phishing lures, assuming the AI has been properly trained against the client business and supplied with the correct cultural contexts, results\u00a0in trustworthy-appearing documents that are difficult to identify and block in a large-scale attack.<\/p>\n<p>Subscribers can take advantage of eight hard-coded email templates, with subject lines like \u201cVoicemail from [with room for a name],\u201d \u201cSignature Required,\u201d \u201cInvoice #INV,\u201d \u201cDocument Shared,\u201d and \u201cAccount notification for [with room for an email address].\u201d<\/p>\n<p>Arctic Wolf said it has also seen cases where, after gaining initial access, the threat actor created malicious inbox rules within Microsoft 365, configuring rules that automatically moved emails containing keywords such as \u201cspam,\u201d \u201cphish,\u201d \u201cclick,\u201d 
\u201clink,\u201d and \u201cSharePoint\u201d to a separate folder and marked them as read. This behavior effectively suppressed security-related notifications and warnings to the user, enabling the threat actor to maintain access while reducing the likelihood of detection.<\/p>\n<p>In device code mode, victims are redirected to an obfuscated landing page that is designed to render only in a real browser session. Upon page load, the Kali365 backend dynamically generates a legitimate Microsoft OAuth device code.<\/p>\n<p>According to the FBI, the attack then works like many other phishing scams: An attacker sends a phishing email with a message that includes a link to a legitimate Microsoft verification page, and instructions to enter the generated code. This code authorizes the attacker\u2019s device to access the victim\u2019s account: entering it completes the device code flow that the attacker\u2019s backend started, so Microsoft issues the resulting tokens to the attacker\u2019s client rather than to the victim. The Kali365 backend then captures OAuth access and refresh tokens, giving the threat actor access to the targeted individual\u2019s\/entity\u2019s Microsoft 365 account, including Outlook, Teams, and OneDrive, until the compromise is detected and the tokens revoked. With those tokens, the attacker never has to enter a password or complete an MFA challenge: the victim already satisfied both on Microsoft\u2019s own login page, which is why the choice of MFA method does not protect against this attack and why restricting the flow itself is the control that works.<\/p>\n<p>In some cases, Arctic Wolf added, following token acquisition, the threat actor would use the authenticated session to register an additional device within the victim\u2019s Microsoft environment. This step extended access beyond the initial token by establishing a trusted device association tied to the compromised account.<\/p>\n<h2 class=\"wp-block-heading\">Mitigation<\/h2>\n<p>In its alert, the FBI urged Microsoft 365 admins to restrict device code flow, since limiting or blocking device authentication codes can help prevent or minimize this style of attack. 
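<\/p>
<p>As an added example, not code from the article, the FBI alert, or Microsoft, the following Microsoft Graph PowerShell script carries out the FBI\u2019s sequence for this control: audit who is actually using device code flow, resolve the emergency access (break-glass) accounts that must be excluded so the policy cannot lock administrators out, and create a Conditional Access policy that blocks both device code flow and authentication transfer, in report-only mode first. It assumes the Microsoft Graph PowerShell SDK is installed (including the beta Reports module, because the authenticationProtocol property used to pick out device code sign-ins is a beta property), that the caller can consent to the listed scopes, and that the two emergency account names are placeholders for your own.<\/p>

```powershell
# Added example, not from the article or its sources. Assumptions: Microsoft Graph
# PowerShell SDK installed (v1.0 plus the beta Reports module for sign-in logs), the
# caller can consent to these scopes, and the break-glass UPNs below are placeholders.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All', 'Policy.ReadWrite.ConditionalAccess'

# Step 1 - audit: which users and apps have actually used device code flow recently?
# authenticationProtocol is filtered client-side; the beta signIn resource exposes it.
$since = (Get-Date).ToUniversalTime().AddDays(-30).ToString('yyyy-MM-ddTHH:mm:ssZ')
$deviceCodeSignIns = Get-MgBetaAuditLogSignIn -Filter ('createdDateTime ge ' + $since) -All |
    Where-Object { $_.AuthenticationProtocol -eq 'deviceCode' }

$deviceCodeSignIns |
    Group-Object AppDisplayName, UserPrincipalName |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
# Every row is either a dependency to keep (scope it as an exception) or an incident to work.

# Step 2 - resolve the emergency access (break-glass) accounts so the policy can never lock you out.
$breakGlassUpns = @('emergency-01@contoso.example', 'emergency-02@contoso.example')   # placeholders
$breakGlassIds  = @(foreach ($upn in $breakGlassUpns) {
    $u = Get-MgUser -Filter ('userPrincipalName eq ''{0}''' -f $upn) -Property Id
    if (-not $u) { throw ('Break-glass account not found, refusing to continue: ' + $upn) }
    $u.Id
})

# Step 3 - create the policy in report-only mode first. Promote state to 'enabled' once the
# report-only results show only the dependencies confirmed in step 1.
$policy = @{
    displayName   = 'Block device code flow and authentication transfer'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users        = @{ includeUsers = @('All'); excludeUsers = $breakGlassIds }
        applications = @{ includeApplications = @('All') }
        # One authenticationFlows condition covers both transfer methods named by the FBI.
        authenticationFlows = @{ transferMethods = 'deviceCodeFlow,authenticationTransfer' }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

<p>Run the audit before the policy and review the report-only sign-in results for a week or two before switching the state to enabled; a legitimate dependency (a CLI on a headless host, for instance) should become a narrowly scoped exception on a separate policy, not a reason to leave the flow open for everyone.<\/p>
<p>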
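<\/p>
<p>Beggs\u2019s last control, monitoring for new or malicious inbox rules, and the Arctic Wolf observation above (rules that hide mail mentioning spam, phish, click, link or SharePoint) can be turned into a simple detector. The following is an added example, not code from the article or from Arctic Wolf: a PowerShell function that scores the New-InboxRule and Set-InboxRule records that Search-UnifiedAuditLog returns, flagging a rule when it filters on security language and also moves, deletes, marks as read or forwards the matching mail. The record layout (Operation, UserId and a Parameters list of Name and Value pairs) follows the Exchange audit record; the two sample records are constructed, not real telemetry, and the keyword list is an assumption you should extend.<\/p>

```powershell
# Added example, not from the article or from Arctic Wolf. The record shape mirrors the
# Exchange audit record behind Search-UnifiedAuditLog (Operation, UserId, Parameters[]);
# the sample records and the keyword list are constructed assumptions.

# Security language a phished user would expect to see in a warning email.
$KeywordWatchlist = @('spam', 'phish', 'phishing', 'click', 'link', 'sharepoint',
                      'hack', 'hacked', 'suspicious', 'security', 'password', 'mfa')
# Rule conditions that filter on message text or sender.
$FilterParams = @('SubjectContainsWords', 'BodyContainsWords',
                  'SubjectOrBodyContainsWords', 'FromAddressContainsWords')
# Rule actions that hide, discard or divert the matching mail.
$HideParams   = @('MoveToFolder', 'DeleteMessage', 'MarkAsRead',
                  'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo')

function Test-SuspiciousInboxRule {
    [CmdletBinding()]
    param(
        # One parsed AuditData object (for example, a string piped through ConvertFrom-Json).
        [Parameter(Mandatory, ValueFromPipeline)]
        [pscustomobject]$Record
    )
    process {
        if ($Record.Operation -notin @('New-InboxRule', 'Set-InboxRule')) { return }

        # Flatten the Parameters list into a Name -> Value map.
        $p = @{}
        foreach ($param in $Record.Parameters) { $p[[string]$param.Name] = [string]$param.Value }

        # Keywords from the watchlist that the rule filters on (values are ; or , separated).
        $matchedKeywords = @(foreach ($name in $FilterParams) {
            if ($p.ContainsKey($name)) {
                foreach ($word in ($p[$name] -split '[;,]')) {
                    $w = $word.Trim()
                    if ($w -and ($KeywordWatchlist -contains $w.ToLowerInvariant())) { $w }
                }
            }
        })
        # Hiding or diverting actions the rule performs (boolean parameters count when True).
        $hideActions = @($HideParams | Where-Object { $p.ContainsKey($_) -and $p[$_] -ne 'False' })

        [pscustomobject]@{
            User       = $Record.UserId
            Operation  = $Record.Operation
            RuleName   = $p['Name']
            Keywords   = $matchedKeywords -join ','
            Actions    = $hideActions -join ','
            # Suspicious only when a security-keyword filter is paired with a hiding action;
            # a keyword alone (a real spam filter) or a move alone (a newsletter rule) is not.
            Suspicious = ($matchedKeywords.Count -gt 0) -and ($hideActions.Count -gt 0)
        }
    }
}

# Constructed sample records (not real telemetry) shaped like parsed AuditData.
$SampleRecords = @(
    [pscustomobject]@{
        Operation  = 'New-InboxRule'
        UserId     = 'alice@contoso.example'
        Parameters = @(
            @{ Name = 'Name';                       Value = '.' }
            @{ Name = 'SubjectOrBodyContainsWords'; Value = 'spam;phish;click;link;SharePoint' }
            @{ Name = 'MoveToFolder';               Value = 'RSS Subscriptions' }
            @{ Name = 'MarkAsRead';                 Value = 'True' }
        )
    },
    [pscustomobject]@{
        Operation  = 'New-InboxRule'
        UserId     = 'bob@contoso.example'
        Parameters = @(
            @{ Name = 'Name';                     Value = 'Vendor newsletters' }
            @{ Name = 'FromAddressContainsWords'; Value = 'newsletter@vendor.example' }
            @{ Name = 'MoveToFolder';             Value = 'Newsletters' }
        )
    }
)

$SampleRecords | Test-SuspiciousInboxRule | Format-Table -AutoSize
# Live use, one week back: pipe the AuditData JSON strings through ConvertFrom-Json, e.g.
#   $raw = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -Operations New-InboxRule,Set-InboxRule -ResultSize 5000
#   $raw.AuditData | ForEach-Object { $_ | ConvertFrom-Json } | Test-SuspiciousInboxRule | Where-Object Suspicious
```

<p>On the constructed input the first record is flagged (four watchlist words plus SharePoint, moved and marked as read) and the second is not. In a tenant, correlate a flagged rule with the sign-in log for the same user: a rule created minutes after a device code sign-in is the sequence Arctic Wolf describes, and the response is to remove the rule, revoke the user\u2019s refresh tokens, and check for newly registered devices rather than only resetting the password.<\/p>
<p>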
They should also create conditional access policies to block device code flow for all users, with limited exceptions for required business processes; audit existing device code flow usage to identify legitimate dependencies before creating a conditional access policy; and block authentication transfer policies to prevent users from transferring authentication from computers to mobile devices.<\/p>\n<p>If an admin cannot completely restrict device code flow usage, the FBI says they should exclude emergency access accounts to prevent lockouts.<\/p>\n<p><a href=\"https:\/\/cybercrimeanalytics.com\/about\/\" target=\"_blank\" rel=\"noopener\">Christopher Kayser<\/a>, CEO at Cybercrime Analytics and author of the book <em>Cybercrime Through Social Engineering<\/em>, said IT departments must find ways to reinforce to employees that they should not be quick to click on communications that seem unusual or potentially fraudulent. And it\u2019s not just ordinary employees who can be hit by phishing scams, he pointed out. 
Higher levels of management with authority to transfer funds are targeted by business email compromise (BEC) scams.<\/p>\n<p>Typically, he added, when signing into M365, users aren\u2019t asked to input a code; they should be reminded that an email that asks for a code should be a red flag that triggers a call to the IT department.<\/p>\n<h2 class=\"wp-block-heading\">Identity-centric security is key<\/h2>\n<p><a href=\"https:\/\/www.infotech.com\/profiles\/fritz-jean-louis\" target=\"_blank\" rel=\"noopener\">Fritz Jean-Louis<\/a>, principal cybersecurity advisor at Info-Tech Research Group, said defenders should shift to identity-centric security and\u00a0treat phishing primarily as an identity compromise risk.<\/p>\n<p>This not only means enforcing phishing-resistant MFA through passkeys or other FIDO2-based login measures, but also strengthening session controls, and monitoring for anomalous authentication behavior, including token misuse and suspicious OAuth activity.<\/p>\n<p>Admins should also adopt continuous access evaluation, moving beyond point-in-time authentication by dynamically assessing user and device risk throughout active sessions, enabling real-time response to evolving threats.<\/p>\n<p>In addition, responders should leverage behavioral signals by\u00a0measuring activity and encouraging users to report suspect behavior, and incorporating human telemetry, such as reporting speed and interaction patterns, into detection strategies.<\/p>\n<p>Jean-Louis said admins also need to reduce their organization\u2019s blast radius by\u00a0implementing stronger outbound monitoring, automated containment triggers, and tighter controls on account misuse, to limit lateral spread.<\/p>\n<p>Finally, he recommended that admins segment high-risk users and functions by\u00a0applying enhanced security controls and providing isolated environments for executives, finance, and privileged IT 
roles.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Cybersecurity experts are warning enterprise admins about an increasing number of phishing campaigns aimed at stealing Microsoft 365 (M365) access tokens to bypass multifactor authentication login protection. Phishing kits aimed at capturing M365 tokens aren\u2019t new; some reports say these kits have been around since 2021. One of the latest is EvilTokens, which researchers at [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":8263,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-8262","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8262"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8262"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8262\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/8263"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8262"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8262"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8262"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":
true}]}}