FBI Warns: Kali365 PhaaS Bypasses MFA, Targets Microsoft 365

The FBI’s warning about the Kali365 phishing-as-a-service (PhaaS) platform represents today’s most immediate and pervasive threat. This sophisticated service enables attackers to hijack Microsoft 365 accounts by abusing the OAuth device code authentication flow, allowing them to steal session tokens and completely bypass multi-factor authentication (MFA). The commoditization of this high-impact attack lowers the barrier to entry for threat actors, putting every organization using Microsoft’s ecosystem at heightened risk of credential theft and business email compromise.

The Expanding Attack Surface: From Linux Kernels to Medical Software

While phishing dominates the threat landscape, foundational vulnerabilities in critical software demand urgent attention. Two significant Linux kernel flaws, CVE-2024-1086 and CVE-2024-26925, remain active priorities. These vulnerabilities, if unpatched, provide attackers with a path to system compromise. In the healthcare sector, a critical flaw in OpenEMR, CVE-2026-24849, allows any authenticated user to read arbitrary files from the server. With a CVSS score likely in the high range, this vulnerability in a widely used electronic health records system poses a direct threat to sensitive patient data and requires immediate remediation by upgrading to version 7.0.4 or later.

Geopolitical Infrastructure and Unvetted AI Models Compound Risk

Cyber threats are increasingly intertwined with geopolitical conflict. The Dutch seizure of 800 servers and arrest of two hosting providers for aiding Russian cyberattacks highlights the role of compliant infrastructure in modern campaigns. Organizations must scrutinize their network traffic for connections to providers like Stark Industries Solutions (AS211321). Concurrently, the impending public rollout of Anthropic’s restricted ‘Mythos’ AI model introduces a new class of risk. Announced as posing major security risks to software, this underscores the danger of deploying powerful, unvetted AI in production environments without proper security controls and network segmentation.

Actionable Defense: Identity, Patching, and Monitoring

Defense starts with hardening identity systems. For the Kali365 threat, configure Microsoft Entra ID conditional access policies to block the device code authentication flow from untrusted locations and enforce strict session token lifetimes. Enable Microsoft Defender for Identity to detect anomalous token usage. For infrastructure, prioritize patching the listed Linux kernel CVEs and the OpenEMR vulnerability CVE-2026-24849. Finally, implement proactive monitoring: use threat intelligence to block traffic to malicious ASNs, deploy tools like GitHub Advanced Security to scan for accidentally exposed credentials, and ensure robust logging is in place with AWS CloudTrail to detect unauthorized access.

Organizations must move beyond reactive patching. The convergence of sophisticated PhaaS, unpatched high-severity vulnerabilities, and emerging threats from AI and state-aligned infrastructure requires a layered defense strategy focused on identity protection, rapid remediation, and continuous threat exposure management.