Sometimes people think that having Multi-Factor Authentication (MFA) or Two-Factor Authentication (2FA) enabled automatically makes their device secure from cyberattacks. It isn’t always that simple.

Of course, it’s still very important to confirm that MFA or 2FA is turned on, as it is a basic security measure, but it doesn’t always guarantee the security of your devices. In this particular case, hackers are banking on you having it enabled.

Last month, the FBI issued an urgent warning about a phishing scam that bypasses MFA completely. No password needed, just a code you type in yourself.

The scam is called Kali365, and it’s a phishing-as-a-service platform sold on Telegram. For $250 a month, anyone can buy it, even hackers with limited skills. It targets Microsoft 365 users: Outlook, Teams, and OneDrive. Once attackers get in, they have full access.
