Part of the ongoing Big Tech's War on Users series.

The FBI issued a warning last week about a phishing-as-a-service platform called Kali365 that can completely bypass multi-factor authentication on Microsoft 365 accounts. Not by breaking MFA. By going around it entirely — using a legitimate Microsoft feature against you.

Before I get into how, let me set the stage on why this one stings more than the average security story.

Look, the whole industry has been on a years-long MFA crusade. Your bank, your gaming platform, random retail apps, services where the actual threat model doesn't come close to justifying the friction. Everything and its mother is pushing MFA now, and increasingly pushing passwordless on top of that — something I've already gone into at length — sometimes for accounts that contain nothing worth stealing, because some product manager needed to hit a security compliance checkbox. The nagging is universal at this point.

But Microsoft took it further than most. What…