The FBI has issued a critical alert regarding the Kali365 phishing kit, a sophisticated tool designed to compromise enterprise cloud environments. Utilizing Adversary-in-the-Middle (AiTM) techniques, the kit intercepts authentication traffic to harvest credentials and steal active session tokens, effectively bypassing multi-factor authentication (MFA) protocols. The campaign specifically targets Microsoft 365 (Outlook, Teams, OneDrive), Amazon Web Services (AWS), and Okta identity providers. Successful exploitation grants threat actors deep access to corporate communications and critical cloud infrastructure, enabling large-scale data exfiltration and the compromise of organizational identity management systems.

  • Incident Overview: High-Severity Phishing Campaign
    • FBI-issued urgent warning concerning the proliferation of the "Kali365" phishing kit.
    • Targeted ecosystem includes critical SaaS and IaaS providers: Microsoft 365, AWS, and Okta.
    • Primary goal is the unauthorized acquisition of high-privilege administrative and user accounts.
  • Attack Vector: AiTM and MFA Bypass Mechanics
    • Employs Adversary-in-the-Middle (AiTM) proxies to mirror legitimate login pages in real time.
    • Captures usernames and passwords alongside session cookies and tokens during the authentication flow.
    • Neutralizes MFA by reusing intercepted session tokens, bypassing the requirement for a second factor.
  • Impact: Infrastructure and Data Compromise
    • Direct unauthorized access to sensitive corporate repositories including OneDrive, Teams, and Outlook.
    • Potential for lateral movement within AWS cloud environments and Okta identity tenants.
    • Critical risk of sensitive data exfiltration and compromise of organizational identity integrity.
  • Defensive Actions: Mitigation and Detection
    • Transition to FIDO2-compliant hardware security keys to eliminate susceptibility to AiTM session theft.
    • Implement strict conditional access policies to restrict logins based on device compliance and known geolocations.
    • Conduct aggressive auditing of session logs for anomalous token usage or suspicious IP rotations.
  • Conclusion: Evolving Threat Landscape
    • Kali365 demonstrates the diminishing efficacy of traditional SMS and app-based MFA against proxy-based attacks.
    • Highlights the urgent necessity of migrating to "phishing-resistant" authentication across all enterprise cloud gateways.
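One way to act on the session-log auditing point above, as an added example that is not from the FBI alert or any of the sources it draws on: the script scans constructed sign-in records for a session identifier that reappears from a new source IP within a short window, which is the footprint left when a token captured by an AiTM proxy is replayed from the attacker's infrastructure. The record fields and sample values are assumptions, not a real provider's log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in/activity records. Field names are assumptions,
# loosely modelled on what a cloud identity provider exposes, not a real schema.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "user": "alice", "session": "s-1001", "ip": "203.0.113.10", "country": "US", "ua": "Edge/124"},
    {"ts": "2024-05-01T09:03:00", "user": "alice", "session": "s-1001", "ip": "203.0.113.10", "country": "US", "ua": "Edge/124"},
    # Same session token shows up from a different IP, country and client minutes later: replay pattern.
    {"ts": "2024-05-01T09:07:00", "user": "alice", "session": "s-1001", "ip": "198.51.100.77", "country": "NL", "ua": "curl/8.0"},
    {"ts": "2024-05-01T10:00:00", "user": "bob", "session": "s-2002", "ip": "192.0.2.5", "country": "US", "ua": "Chrome/124"},
    {"ts": "2024-05-01T10:30:00", "user": "bob", "session": "s-2002", "ip": "192.0.2.5", "country": "US", "ua": "Chrome/124"},
]


def find_replayed_sessions(events, window=timedelta(hours=1)):
    """Return {session_id: [alerts]} for session tokens used from more than one
    source IP within `window` of their previous use. A legitimate browser keeps
    the same session cookie; that cookie hopping IP (and often country and user
    agent) within minutes is what a stolen, replayed token looks like in the log.
    Mobile carriers and VPNs also rotate IPs, so the country/UA change fields are
    carried along to let an analyst rank the noisier hits."""
    last_seen = {}
    alerts = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        prev = last_seen.get(ev["session"])
        if prev and prev["ip"] != ev["ip"]:
            gap = ts - datetime.fromisoformat(prev["ts"])
            if gap <= window:
                alerts[ev["session"]].append({
                    "user": ev["user"],
                    "from": (prev["ip"], prev["country"], prev["ua"]),
                    "to": (ev["ip"], ev["country"], ev["ua"]),
                    "minutes_apart": gap.total_seconds() / 60,
                    "country_change": prev["country"] != ev["country"],
                    "ua_change": prev["ua"] != ev["ua"],
                })
        last_seen[ev["session"]] = ev
    return dict(alerts)


if __name__ == "__main__":
    for sid, hits in find_replayed_sessions(SAMPLE_EVENTS).items():
        for h in hits:
            print(f"{sid} ({h['user']}): {h['from'][0]} -> {h['to'][0]} "
                  f"after {h['minutes_apart']:.0f} min, country change={h['country_change']}")
```

Tune `window` and weight `country_change`/`ua_change` against your own sign-in baseline before alerting on every hit, since a single IP change alone will be noisy on mobile-heavy tenants.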
