Computer hacker scam of the week. The FBI says if you’re a Microsoft user, you need to pay attention.
According to thehill.com,
A new phishing tool is allowing cyber attackers to get access to Microsoft 365 users’ accounts without even needing to know your password, the FBI said in a warning issued to the public on Thursday.
This latest hacker phishing tool is called Kali365 and the FBI says it first showed up in April. For the most part, it’s being distributed to victims by way of a messaging app called Telegram, and it allows the hackers to bypass your multi-factor authentication (MFA).
This is not good.
The whole process starts out as a phishing scam. You get an email from what you think is a trusted source. The document contains what is called a device code, along with instructions to visit a legitimate Microsoft authentication page. Once you go to that Microsoft authentication page and enter the code you were given, you have effectively handed the hacker complete access to your Microsoft accounts.
Outlook e-mail, Teams messages, OneDrive files, all now up for grabs to the hackers. And they don’t need to know your password or your multi-factor authentication.
You can protect yourself! Here’s what the FBI says you need to do.
“Creating a ‘conditional access policy,’ which will block all users from device code flow, with limited exceptions
Checking who currently has access to code flow usage, making sure they are legitimate
Blocking the ability for users to transfer authentication from computers to mobile devices
Exclude emergency access accounts to prevent lockouts”
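As an added example of the FBI's first, second and last points above (this is not code from the article or the FBI), the following Microsoft Graph PowerShell script creates a report-only Conditional Access policy that blocks the device code flow and authentication transfer for all users, excludes emergency access accounts, and lists recent device-code sign-ins so you can check whether anyone legitimately uses it before enforcing. It assumes the Microsoft.Graph module and an admin account; the emergency access object ID is a placeholder.

```powershell
# Added example, not from the article. Requires the Microsoft.Graph PowerShell module.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "AuditLog.Read.All", "Directory.Read.All"

# Placeholder: replace with the object IDs of your emergency access ("break glass") accounts,
# so the policy can never lock every administrator out.
$emergencyAccessIds = @("<emergency-access-account-object-id>")

# Step 1: build the policy. It starts in report-only mode; switch "state" to "enabled"
# once the sign-in review below shows no legitimate device code use.
$policy = @{
    displayName   = "Block device code flow and authentication transfer"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users               = @{ includeUsers = @("All"); excludeUsers = $emergencyAccessIds }
        applications        = @{ includeApplications = @("All") }
        # Authentication flows condition: block both the device code flow used by the
        # phishing kit and transferring a sign-in from a computer to a mobile device.
        authenticationFlows = @{ transferMethods = "deviceCodeFlow,authenticationTransfer" }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) in report-only mode"

# Step 2: who has actually signed in with the device code flow in the last 30 days?
# Assumption: the signIn resource exposes authenticationProtocol (value "deviceCode");
# if the property comes back empty in your module version, use Get-MgBetaAuditLogSignIn.
$since = (Get-Date).AddDays(-30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.AuthenticationProtocol -eq "deviceCode" } |
    Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName, IPAddress |
    Sort-Object CreatedDateTime -Descending |
    Format-Table -AutoSize
```

Review each listed sign-in with its owner; anything not recognised is a candidate for an account compromise investigation, and anything legitimate belongs in a narrow exclusion rather than a reason to leave the flow open for everyone.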
Microsoft has a few suggestions of their own.
Make sure your operating system and applications have the most current updates installed.
Never open files from an unknown sender.
Learn to spot phishing attempts before they happen, so you don’t get hacked.
Ultimately, you need to learn how to protect yourself.
Be alert for phishing scams. Watch out for:
New connected apps or permissions you don’t recognize
Login alerts from unfamiliar devices or locations
E-mails sent from your Outlook account that you didn’t send
Deleted emails or missing messages
Password reset notifications you didn’t request
Unusual Teams activity or messages
Unexpected MFA approval requests or login prompts
Strange inbox rules
Pay attention and don’t get hacked.
12 Shrewd Email Tactics Hackers Use To Rip You Off
Computer hackers are working full-time nowadays, not only to hold major corporations hostage with ransomware, but also to gain access to the private computers and personal information of unsuspecting victims. Surrendering access to these schemers could have disastrous consequences, but sometimes it can be difficult to tell what’s legitimate and what’s not. That’s why I’m sharing 12 emails I’ve personally received that appear to be as bogus as a three-dollar bill.
No doubt, you have received very similar emails in your inbox and wondered if they were legit. A good rule of thumb to follow is that when you receive an email from an unverified source, do not, under any circumstances, click on anything in the email or download any attachments. That is exactly how hackers can gain instant access to your computer and your information.
Gallery Credit: Zane Mathews