Microsoft 365 Users Hit by New Phishing Threat That Evades Multi-Factor Authentication
Device Code Phishing Threat Bypasses MFA on Microsoft 365
The Federal Bureau of Investigation (FBI) has issued a warning regarding a new phishing threat targeting Microsoft 365 users.
Sophisticated Attack Vector
This attack vector, known as device code phishing, abuses the OAuth 2.0 device authorization grant. The attacker starts a device code flow for a Microsoft application, receives a short user code, and delivers that code to the victim in a lure. The victim types the code into the genuine Microsoft verification page (https://microsoft.com/devicelogin) and signs in, MFA included, so nothing in the browser looks wrong. Once the code is approved, the identity provider hands the attacker's polling client OAuth access and refresh tokens. These tokens grant persistent access to Microsoft 365 services such as Outlook, Teams, and OneDrive: the refresh token can be redeemed for new access tokens until it expires or is revoked, with no further password or MFA prompt, because the victim already satisfied MFA on the attacker's behalf.
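The exchange described above, as an added example that is not part of the original article and not code from any phishing kit. A mock identity provider stands in for Microsoft's /devicecode and /token endpoints so the flow runs offline; the client id, token strings, nine-letter user-code format, code lifetime and polling interval are constructed assumptions. The point to watch is the ordering: the attacker is the OAuth client, the victim is the one who performs MFA, and the refresh token keeps working afterwards until a defender revokes it.

```python
"""Offline model of device code phishing on top of the OAuth 2.0 device
authorization grant (RFC 8628). Added example: MockAuthorizationServer stands
in for the identity provider's /devicecode and /token endpoints and nothing
touches the network. Client id, token strings, user-code format and
lifetimes are constructed assumptions."""
import secrets
import string

VERIFICATION_URI = "https://microsoft.com/devicelogin"  # the genuine page victims land on
CODE_LIFETIME = 900      # assumed: device codes are short-lived (minutes)
POLL_INTERVAL = 5        # assumed polling interval returned to the client


class MockAuthorizationServer:
    """Tracks pending device codes, who approved them, and minted refresh tokens."""

    def __init__(self):
        self.clock = 0             # simulated seconds
        self.pending = {}          # device_code -> record
        self.by_user_code = {}     # user_code -> device_code
        self.refresh_tokens = {}   # refresh_token -> (user, scope)

    def advance(self, seconds):
        self.clock += seconds

    def devicecode(self, client_id, scope):
        """Step 1: the client (the attacker) starts the flow and gets both codes."""
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(string.ascii_uppercase) for _ in range(9))
        self.pending[device_code] = {"client_id": client_id, "scope": scope,
                                     "user": None, "issued": self.clock}
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": VERIFICATION_URI,
                "expires_in": CODE_LIFETIME, "interval": POLL_INTERVAL}

    def devicelogin(self, user_code, user, password_ok, mfa_ok):
        """Step 2: the victim types the user code on the genuine page and signs
        in. MFA is satisfied here, by the victim, which is why the attacker
        never has to answer an MFA prompt."""
        device_code = self.by_user_code.get(user_code)
        if device_code is None or device_code not in self.pending:
            return "invalid_code"
        rec = self.pending[device_code]
        if self.clock - rec["issued"] > CODE_LIFETIME:
            return "expired"
        if not (password_ok and mfa_ok):
            return "auth_failed"
        rec["user"] = user
        return "approved"

    def token(self, device_code, client_id):
        """Step 3: the client polls /token until the code has been approved."""
        rec = self.pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if self.clock - rec["issued"] > CODE_LIFETIME:
            return {"error": "expired_token"}
        if rec["user"] is None:
            return {"error": "authorization_pending"}
        refresh = secrets.token_urlsafe(48)
        self.refresh_tokens[refresh] = (rec["user"], rec["scope"])
        del self.pending[device_code]
        return {"access_token": secrets.token_urlsafe(48), "refresh_token": refresh,
                "scope": rec["scope"], "expires_in": 3600}

    def refresh(self, refresh_token):
        """Later: the refresh token is redeemed for a new access token. No
        password, no MFA prompt, for as long as the token remains valid."""
        if refresh_token not in self.refresh_tokens:
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(48), "expires_in": 3600}

    def revoke_user_sessions(self, user):
        """Defender action: invalidate every refresh token minted for a user."""
        doomed = [t for t, (u, _) in self.refresh_tokens.items() if u == user]
        for t in doomed:
            del self.refresh_tokens[t]
        return len(doomed)


def run_device_code_phish(idp, victim, victim_enters_code=True):
    """Play the attack end to end; returns the attacker's final /token response."""
    attacker_client = "constructed-client-id"   # placeholder for the app id the kit uses
    resp = idp.devicecode(attacker_client, "https://graph.microsoft.com/.default")
    # The lure delivers resp["user_code"] together with the genuine verification_uri.
    first_poll = idp.token(resp["device_code"], attacker_client)
    if first_poll != {"error": "authorization_pending"}:
        raise RuntimeError("flow should be pending before the victim acts")
    if victim_enters_code:
        idp.devicelogin(resp["user_code"], victim, password_ok=True, mfa_ok=True)
    idp.advance(POLL_INTERVAL)
    return idp.token(resp["device_code"], attacker_client)


if __name__ == "__main__":
    idp = MockAuthorizationServer()
    tokens = run_device_code_phish(idp, "victim@example.com")
    print("attacker holds refresh token:", "refresh_token" in tokens)
    print("refresh without MFA works:", "access_token" in idp.refresh(tokens["refresh_token"]))
    print("revoked sessions:", idp.revoke_user_sessions("victim@example.com"))
    print("refresh after revocation:", idp.refresh(tokens["refresh_token"]))
```

Running the script walks the four states a responder cares about: pending before the victim acts, tokens issued after the victim approves, silent refresh afterwards, and refusal once the user's sessions are revoked.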
Kali365 Features
The Kali365 phishing-as-a-service (PhaaS) kit advertises:
- AI-generated phishing lures
- Pre-configured campaign templates
- OAuth token capture, so a successful device code sign-in hands the operator the victim's access and refresh tokens
FBI Guidelines
The FBI advises users to treat unexpected device codes or sign-in approval requests as suspicious: a legitimate device code flow is something you start yourself on a device you are holding, not something that arrives in a message. For organizations the guidance is the familiar layered set: keep software current, train staff on this specific lure, and deploy threat detection. In practice the controls that actually stop the technique are tenant-side: block or restrict the device code flow with a Conditional Access policy in Microsoft Entra ID (the authentication flows condition), alert on sign-ins whose authentication protocol is device code, and on suspected compromise revoke the user's sign-in sessions so the captured refresh token stops working.
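One way to put the detection advice into practice, as an added example that is not the FBI's or the article's code. It triages constructed Entra ID sign-in records (made-up data, not a real tenant) for device code sign-ins and ranks them: a device code sign-in from an IP the user has never signed in from before, or from an IP that redeemed codes for several users, is scored higher than an admin running a CLI tool from their usual address. Field names follow the Microsoft Graph signIn resource; the severity rules, and the assumption that the IP recorded on a device code sign-in is the client that redeemed the code, are this example's own.

```python
"""Triage of Entra ID sign-in records for device code phishing. Added example
with constructed log records, not real tenant data. Field names follow the
Microsoft Graph signIn resource (userPrincipalName, authenticationProtocol,
ipAddress, appDisplayName, createdDateTime, status.errorCode); the severity
rules and the assumption that the IP on a deviceCode sign-in is the client
that redeemed the code are this example's own."""
import json
from collections import defaultdict

# Constructed records in the shape of GET /auditLogs/signIns output.
SAMPLE_RECORDS = [
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.10", "appDisplayName": "Microsoft Teams",
     "createdDateTime": "2025-03-01T08:02:11Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.77", "appDisplayName": "Microsoft Office",
     "createdDateTime": "2025-03-01T08:15:40Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.20", "appDisplayName": "Azure Portal",
     "createdDateTime": "2025-03-01T08:30:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.20", "appDisplayName": "Microsoft Azure CLI",
     "createdDateTime": "2025-03-01T09:00:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.77", "appDisplayName": "Microsoft Office",
     "createdDateTime": "2025-03-01T09:12:05Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "dave@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.90", "appDisplayName": "Microsoft Office",
     "createdDateTime": "2025-03-01T09:40:19Z", "status": {"errorCode": 50126}},
]
SAMPLE_JSONL = "\n".join(json.dumps(r) for r in SAMPLE_RECORDS)


def parse_signins(lines):
    """Read one JSON object per line, the way a Sentinel or Graph export is often stored."""
    return [json.loads(line) for line in lines if line.strip()]


def _succeeded(rec):
    return rec["status"]["errorCode"] == 0


def triage_device_code_signins(records):
    """Return one finding per deviceCode sign-in, ranked by how much it looks
    like a redeemed phishing code rather than an admin using a CLI tool."""
    # Baseline: source IPs each user has used on ordinary, successful sign-ins.
    known_ips = defaultdict(set)
    for r in records:
        if r["authenticationProtocol"] != "deviceCode" and _succeeded(r):
            known_ips[r["userPrincipalName"]].add(r["ipAddress"])

    # IPs that redeemed device codes for several users: likely a shared attacker host.
    users_per_ip = defaultdict(set)
    for r in records:
        if r["authenticationProtocol"] == "deviceCode" and _succeeded(r):
            users_per_ip[r["ipAddress"]].add(r["userPrincipalName"])

    findings = []
    for r in records:
        if r["authenticationProtocol"] != "deviceCode":
            continue
        user, ip = r["userPrincipalName"], r["ipAddress"]
        reasons = []
        if not _succeeded(r):
            severity = "low"   # code not redeemed, but someone was targeted
            reasons.append(f"failed_device_code_signin:{r['status']['errorCode']}")
        else:
            if ip not in known_ips[user]:
                reasons.append("ip_not_seen_in_user_baseline")
            if len(users_per_ip[ip]) > 1:
                reasons.append("ip_redeemed_codes_for_multiple_users")
            # Every successful device code sign-in deserves a look; escalate on signals.
            severity = "high" if reasons else "medium"
        findings.append({"user": user, "ip": ip, "app": r["appDisplayName"],
                         "time": r["createdDateTime"], "severity": severity,
                         "reasons": reasons})
    rank = ("low", "medium", "high")
    return sorted(findings, key=lambda f: rank.index(f["severity"]), reverse=True)


if __name__ == "__main__":
    for f in triage_device_code_signins(parse_signins(SAMPLE_JSONL.splitlines())):
        print(f["severity"].upper(), f["user"], f["ip"], f["app"],
              ", ".join(f["reasons"]) or "-")
```

On the constructed data, alice and carol surface as high (new IP for the user, and the same IP redeemed codes for both of them), bob's Azure CLI sign-in from his usual address is a medium for analyst review, and dave's failed attempt is a low that still tells you a lure reached him. High findings are the ones where revoking the user's sign-in sessions should happen before the investigation finishes.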
Additional Threats
Researchers have also identified another PhaaS platform, EvilTokens, sold through Telegram. It ships ready-to-use phishing tooling: fake login pages, automation against Microsoft APIs, and AI-generated emails. The most common phishing lure formats observed in 2025 were links, QR codes, attachments, and requests for personal information.
Recent Vulnerabilities
- CVE-2026-42945: Critical vulnerability in NGINX
- CVE-2026-41091 and CVE-2026-45498: Exploited in the wild
Open-Sourced Tools and Breaches
Microsoft has open-sourced tools for designing and testing AI agents, and GitHub and Grafana Labs have experienced breaches linked to a TanStack supply chain compromise.
