toxIQ Security
05/28/2026
FBI Warns of New Attack That Lets Hackers Break Into Outlook, Teams, and OneDrive — Even With MFA Enabled
The FBI has issued an urgent alert about a fast‑growing cyberattack campaign targeting Microsoft 365 users. The threat, known as Kali365, is a Phishing‑as‑a‑Service platform that allows attackers to break into Outlook, Teams, OneDrive, and other Microsoft cloud services without needing passwords or MFA codes.
This attack is spreading quickly across businesses, schools, and government organizations — and it works by abusing a legitimate Microsoft authentication feature that most people don’t think twice about.
---
How the Attack Works
Kali365 doesn’t try to steal your password. Instead, attackers send a phishing email that looks like a document‑sharing request, voicemail notification, or cloud login prompt. The email includes a device code and instructs the user to enter it on a real Microsoft login page.
That’s the trick.
When the victim enters the code, they unknowingly approve the attacker’s device. The attacker instantly receives valid access tokens, giving them full access to the victim’s Microsoft 365 account — no password, no MFA challenge, no alerts.
Once inside, attackers can:
- Read and send email
- Access OneDrive files
- Join Teams chats
- Steal data or impersonate employees
- Move laterally to other systems
- Set up persistence for long‑term access
Because the login is authorized through Microsoft’s own device‑code flow, it looks legitimate in logs and is difficult for organizations to detect.
---
Why This Threat Is Growing Fast
Kali365 is sold as a subscription service on criminal marketplaces, complete with:
- Prebuilt phishing templates
- AI‑generated lures
- Dashboards showing real‑time victim activity
- Automated token harvesting
In other words, attackers don’t need technical skill — they just need a credit card and a Telegram account.
This is part of a broader trend: token‑based attacks are replacing password‑based attacks, and MFA alone is no longer enough.
---
What Organizations Should Do Now
The FBI recommends several immediate steps to reduce exposure:
1. Restrict or disable device‑code authentication
Most organizations don’t need it. If you do, limit it to specific apps or trusted devices.
2. Review Conditional Access policies
Block risky authentication flows and require compliant or managed devices.
3. Monitor for unusual token activity
Look for logins without corresponding MFA prompts or from unexpected locations.
4. Train users on device‑code phishing
Most people have never seen this attack before — which is exactly why it works.
5. Protect break‑glass accounts
Ensure emergency access accounts are excluded from broad restrictions to avoid accidental lockouts.
---
The Bigger Picture
Kali365 is a reminder that attackers are shifting away from stealing credentials and toward stealing trust — abusing legitimate authentication flows to bypass security controls.
For organizations, this means:
- MFA is necessary but not sufficient
- Token‑based attacks must be part of threat modeling
- Conditional Access is now a frontline defense
- User training must evolve beyond “don’t click suspicious links”
This is a moment for businesses to reassess how they secure Microsoft 365 and whether their controls match today’s threat landscape.
Alabama Local News, Breaking News, Sports & Weather Get the latest Alabama local news, sports, weather, entertainment and breaking updates on al.com
Every company has a plan… until something breaks. Resilience isn’t built in the crisis, it’s built long before it.
03/21/2026
toxIQ Security provides comprehensive technology services designed to help small and mid‑sized businesses operate smoothly, efficiently, and confidently.
We are headquartered in the Lehigh Valley, PA!
Our team delivers end‑to‑end support across IT management, technical consulting, professional services, and software development. We assist organizations with day‑to‑day IT operations, system maintenance, network support, cloud services, hardware and software deployments, and ongoing technical troubleshooting.
Beyond support, we offer strategic guidance to help businesses modernize their technology, streamline processes, improve reliability, and adopt solutions that scale with growth. Our professional services include project planning, infrastructure upgrades, system integrations, and operational improvement initiatives. We also develop custom software and tools tailored to unique business needs.
Whether a business needs hands‑on IT support, expert consulting, or specialized technical services, toxIQ provides dependable, local, and professional solutions built to keep operations running at their best.
03/19/2026
If you’ve found your way to our page, welcome — we’re glad you’re here.
We share updates, insights, and real‑world security stories, but there’s even more waiting for you on our website.
From our services to how we help protect small and midsize businesses, you’ll find much deeper information there.
Take a look and get to know what toxIQ Security is all about.
🚨 The Fake VPN Crisis No One Is Talking About — And It’s Exploding Right Now
Cybercriminals just pulled off one of the most quietly devastating attacks of the year — and almost nobody outside the security world even realizes it happened.
A threat group known as Storm‑2561 has launched a massive credential‑theft campaign by doing something shockingly simple:
They’re creating fake VPN clients and tricking people into downloading them.
Not through shady pop‑ups.
Not through obvious scam emails.
But through SEO poisoning — meaning these fake VPN installers are showing up at the top of Google search results.
Let that sink in.
People searching for “VPN download,” “secure VPN,” or even specific vendor names are being funneled to trojanized installers that look legitimate, behave legitimate, and even pass casual security checks.
But behind the scenes, they’re stealing:
- Corporate credentials
- MFA tokens
- Browser‑stored passwords
- Session cookies
- And in some cases, full device access
This isn’t amateur hour.
This is precision‑engineered credential harvesting.
And once attackers get those VPN credentials?
They walk straight into corporate networks as if they belong there.
No alarms.
No brute‑force attempts.
No phishing emails to trace.
Just… access.
---
Why This Attack Is So Dangerous
Because it weaponizes trust.
People trust search results.
People trust VPNs.
People trust “download now” buttons.
Storm‑2561 knows that.
And they’re exploiting it at scale.
This is the kind of attack that doesn’t just hit big companies — it hits everyone:
- Remote workers
- Small businesses
- IT admins
- Students
- Anyone who installs a VPN without verifying the source
And once those credentials are gone, the attacker doesn’t need malware anymore.
They have the keys to the kingdom.
---
What You Should Do Right Now
If you or your employees have downloaded a VPN client in the past 30 days, especially from a search result:
- Verify the installer hash
- Reinstall from the vendor’s official site
- Reset VPN credentials
- Rotate MFA
- Check for unusual logins
This is not a drill.
This is happening right now, and it’s spreading fast.
03/13/2026
When attackers see more of your network than you do, shutdowns like this become inevitable. Visibility changes everything.
https://www.linkedin.com/posts/toxiq-security-8aaa683b6_home-activity-7437855912251527168-7E5Y?utm_source=share&utm_medium=member_desktop&rcm=ACoAAGWauQIBlAAF30Rh5vQwNztbT3uz3M49k6M
HOME | Toxiq Security Cyber Criminal take down LCCC March 12, 2026 by: toxIQ Security LLC Lehigh Carbon Community College (LCCC) faced a major IT disruption starting March 4, 2026, caused by a confirmed data breach. Campuses closed, classes shifted online, and key internal systems shut down—highlighting why organizatio...
CVE-2026-1731
Do you want to know what we’ve been working on?
Most people see a CVE alert and it might as well be written in another language — long codes, technical jargon, and numbers that don’t mean anything to everyday users. Security engineers can read it instantly, but most people don’t realize it’s often saying, “someone can break in right now.”
CVE‑2026‑1731 is a perfect example: a flaw so serious an attacker doesn’t even need a password to take over a system. It is rated a 9.9 out of a score of 10! This is exactly why the toxIQ Scanner exists — it turns that confusing world into clear, actionable warnings. No more guessing.
---------------------------------
CVE Dictionary Entry: CVE-2026-1731
NVD Published Date: 02/06/2026
NVD Last Modified: 02/13/2026
Source: BeyondTrust
CVSS-B 9.9 CRITICAL
Description
BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain a critical pre-authentication remote code ex*****on vulnerability. By sending specially crafted requests, an unauthenticated remote attacker may be able to execute operating system commands in the context of the site user.
Vulnerability Name: BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) OS Command Injection Vulnerability
Date Added: 02/13/2026
Required Actions: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Small and mid‑sized businesses are facing a new wave of cyber threats — and the latest breach is a reminder of how quickly one overlooked system can put an entire network at risk.
Just last week, the Warlock ransomware group breached SmarterTools by exploiting a single unpatched SmarterMail server, eventually impacting multiple Windows servers and even hosted customer environments. The attackers quietly gained access, waited several days, then deployed ransomware and additional payloads — a pattern that’s becoming increasingly common for SMB‑focused attacks.
For many small businesses, this is the nightmare scenario:
One forgotten update. One exposed service. One breach that spreads across the network.
At toxIQ Security, we believe SMBs deserve simple, reliable visibility into what’s happening on their networks — without needing a full‑time security team or enterprise‑grade budget.
The toxIQ Scanner is built for exactly this:
- Clear, real‑time detection
- No‑nonsense alerts
- Plug‑and‑play setup
- Designed specifically for SMB networks
Cyber threats aren’t slowing down. But with the right visibility, you can stay ahead of them.
Stay aware. Stay protected. Stay in control.
— toxIQ Security
02/15/2026
Follow us to learn more about our toxIQ Scanner, soon to be released!
https://youtu.be/dw4MWuDQ0Bc?si=WPUzKZzDf4xOo1sV
toxIQ Scanner Hype Video Enjoy the videos and music you love, upload original content, and share it all with friends, family, and the world on YouTube.
Click here to claim your Sponsored Listing.
Category
Website
Address
Nazareth, PA
18064