
2026-06 New Phishing Scheme Targets MS Office
NOTE: There are remediations available that we can implement in Microsoft 365 to protect against this threat. If you have any questions, have a suspected hijacked account, or need help with securing your Microsoft 365 services, please send us a request at support@terrapintechnology.com.
The FBI has issued an urgent warning for anyone using Microsoft Teams, Outlook, or OneDrive about a new phishing scheme. It allows a scammer to hijack your M365 user account without stealing your password, and it bypasses multi-factor authentication.
Unlike traditional phishing attacks that rely on stealing credentials, this new method targets OAuth device codes - digital keys that allow applications to access data without requiring a password. This gives the hijacker access to your M365 account and a wide range of sensitive information.
"Kali365 lowers the barrier of entry, providing less-technical attackers access to AI-generated phishing lures, automated campaign templates, real-time targeted individual-entity tracking dashboards, and OAuth token capture capabilities," the FBI said.
[LINK to FBI Public Service Announcement]
How Does It Work
A scammer sends you a phishing email, impersonating a trusted cloud service. The email contains a "device code" and directs you to a legitimate Microsoft verification page. When you enter the code, you unknowingly authorize the attacker's device to access your account. The attacker captures the OAuth access and refresh tokens, giving them ongoing access to Outlook, Teams, and OneDrive without needing a password or completing MFA.
How to Protect Yourself
- Do not click on links or attachments in unsolicited emails or text messages.
- Verify requests by calling the company directly using a number you know, not one provided in the message.
- Check email addresses, URLs, and spelling carefully. Scammers use subtle differences to trick you.
- Restrict device code flow in Microsoft 365 (Terrapin can help you do this).
- Use Conditional Access policies to block device authentication codes unless needed for business processes.
- Audit and limit legitimate uses of device codes.
- Block authentication transfer policies to prevent moving MFA from one device to another.
- Exclude emergency access accounts from device code flow if you cannot fully block it.
- Log out of suspicious devices and change passwords immediately if you suspect a compromise.
- Report incidents to the FBI's Internet Crime Complaint Center (IC3) at ic3.gov.
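The following is an added example in Microsoft Graph PowerShell; it is not code from the original notice, from Terrapin, or from the FBI announcement. It shows how the "restrict device code flow", "Conditional Access", "block authentication transfer", "exclude emergency access accounts" and "audit legitimate uses" items above fit together: it creates one Conditional Access policy that blocks the device code flow and authentication transfer for all users, starts it in report-only mode, excludes emergency access accounts, and then lists recent sign-ins that used the device code protocol so genuine uses can be found before the policy is enforced. It assumes the Microsoft.Graph and Microsoft.Graph.Beta.Reports modules are installed, that the signed-in admin holds the listed permissions, and that the emergency access account object ID is replaced with your own (the value below is a placeholder).

```powershell
# Added example (not from the original notice): restrict OAuth device code flow
# in Microsoft 365 with a Conditional Access policy, then audit existing use.
# Requires the Microsoft.Graph and Microsoft.Graph.Beta.Reports modules.
# Assumptions: the emergency access account object ID is a placeholder, and the
# policy starts in report-only mode so its impact can be reviewed first.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "AuditLog.Read.All"

# Placeholder: replace with the object IDs of your break-glass accounts.
$emergencyAccessAccounts = @("00000000-0000-0000-0000-000000000000")

$policy = @{
    displayName = "Block device code flow and authentication transfer"
    # Report-only first; switch to "enabled" after reviewing sign-in log impact.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @("All")
            excludeUsers = $emergencyAccessAccounts
        }
        applications = @{
            includeApplications = @("All")
        }
        # Authentication flows condition: comma-separated flags of the
        # conditionalAccessTransferMethods enum (deviceCodeFlow, authenticationTransfer).
        authenticationFlows = @{
            transferMethods = "deviceCodeFlow,authenticationTransfer"
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) in state $($created.State)"

# Audit: sign-ins from the last 30 days that used the device code protocol.
# Legitimate uses (for example a meeting-room device or a CLI tool) found here
# should be scoped into an exclusion before the policy is set to "enabled".
$since = (Get-Date).AddDays(-30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$deviceCodeSignIns = Get-MgBetaAuditLogSignIn -All -Filter "createdDateTime ge $since" |
    Where-Object { $_.AuthenticationProtocol -eq "deviceCode" }

$deviceCodeSignIns |
    Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName, IpAddress,
                  @{ Name = "Country"; Expression = { $_.Location.CountryOrRegion } } |
    Sort-Object CreatedDateTime -Descending |
    Format-Table -AutoSize
```

The sign-in audit filters on the date server-side and on the authentication protocol client-side, which is deliberate: the date filter is well supported, whereas this example does not assume that the Graph sign-in endpoint accepts a server-side filter on the authentication protocol. Run the audit first and review the report-only results in the sign-in logs before changing the policy state to "enabled".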
