[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$faZgNuU4a3oWTf3rSCJSr_DccC2LNTlmsY0Ut1O00nn8":3},{"article":4,"iocs":49},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":33,"category":34,"article_tags":38},"b1200d0c-2818-4d21-99da-9ff09b721925","New phishing kits target Microsoft 365 accounts, evade MFA","new-phishing-kits-target-microsoft-365-accounts-evade-mfa-4a1fc4","Two new phishing kits, Jalisco and OmegaLord, have been discovered in attacks targeting Microsoft 365 accounts, using techniques that defeat multi-factor authentication (MFA). [...]","Researchers at ReliaQuest discovered two new phishing kits—Jalisco and OmegaLord—designed to compromise Microsoft 365 accounts while defeating multi-factor authentication. Jalisco exploits the OAuth 2.0 Device Authorization Grant flow to trick users into authorizing attacker-controlled devices, while OmegaLord masquerades as a PDF reader to steal credentials and phone numbers. Both toolkits represent evolving phishing tactics that directly target MFA protections, with attackers exfiltrating sensitive data from compromised accounts in minutes.","Two phishing kits, Jalisco and OmegaLord, target Microsoft 365 accounts with MFA-bypass techniques.","New phishing kits target Microsoft 365 accounts, evade MFA By Bill Toulas July 14, 2026 08:49 AM 0 Two new phishing kits, Jalisco and OmegaLord, have been discovered in attacks targeting Microsoft 365 accounts, using techniques that defeat multi-factor authentication (MFA). While Jalisco uses the device-code phishing method, OmegaLord masquerades as a PDF reader to collect account login credentials and associated phone numbers, which could help the attacker intercept or hijack MFA requests or codes. Both phishing toolkits were analyzed by researchers at cybersecurity firm ReliaQuest, who note that while device-code phishing has become increasingly common, traditional phishing techniques continue to evolve to bypass modern defenses. The device code phishing technique abuses the OAuth 2.0 Device Authorization Grant flow by tricking victims into authorizing an attacker-controlled device to access their Microsoft account. The attack typically begins when the threat actor initiates a sign-in request to a Microsoft service, such as Microsoft 365, prompting the platform to generate a device authorization code. Using social engineering, the attacker convinces the victim to sign in to the legitimate Microsoft login page and enter the authorization code, thereby approving the attacker-controlled device. Once the device is authorized, the attacker can access the victim's account without ever needing their username or password. The Jalisco toolkit generates fresh Microsoft OAuth device codes automatically when a victim opens the phishing page. Malicious authentication promptSource: ReliaQuest By provisioning the codes in real-time, the phishing toolkit bypasses Microsoft’s 15-minute validity for device codes specifically to fight device-code phishing attacks. Jalisco also includes a web portal where its operators can manage captured sessions and compromised accounts, the researchers say. ReliaQuest notes that in some cases, it has seen attackers register five rogue devices on a single compromised account, sometimes using seemingly benign names containing “Microsoft” or “Windows” to lower suspicion. After compromising an account, attackers search SharePoint and other SaaS services for valuable data and exfiltrate it within a few minutes, then follow up with extortion demands and threaten to leak it. “Threat actors use compromised accounts to access sensitive data, such as customer or employee personally identifiable information (PII), financial records, and internal communications stored in SharePoint and other SaaS platforms,” ReliaQuest says. “Exfiltration typically occurs quickly, in as little as six minutes, before defenders have identified the breach.” OmegaLord is a more conventional phishing tool that uses a fake PDF Reader login page to steal email addresses, passwords, and phone numbers, likely intended to help attackers bypass MFA protections. OmegaLord phishing promptSource: ReliaQuest \"The explicit targeting of phone numbers is another example - alongside device code phishing - of how threat actors are directly engineering around MFA as a control,\" ReliaQuest researchers note. The Jalisco phishing kit is yet another tool that relies on the device-code method to obtain access to victims' accounts, along with EvilTokens, Kali365, Tycoon2FA, Venom, and Forg365. ReliaQuest recommends that the Entra ID device-registration limit be reduced from the default value of ‘50’ down to one or two, which would also help reduce response and remediation times in case of account hijack incidents. Additionally, it is recommended to block device code authentication through Microsoft Entra Conditional Access, restrict the OAuth Device Authorization grant in Okta, and audit and remove unnecessary app registrations. Test every layer before attackers do Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection. Get the whitepaper Related Articles: Bluekit phishing kit adopts browser-in-the-middle for login theftNew Forg365 phishing platform uses AI to target Microsoft 365 accountsEntra passkey enrollment vishing targets Microsoft 365 usersWebinar tomorrow: Why modern email attacks require a new approach to defenseFBI disrupts massive AI-powered phishing service using a million URLs","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fnew-phishing-kits-target-microsoft-365-accounts-evade-mfa\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2026\u002F05\u002F15\u002FMS365.jpg","2026-07-14T12:49:00+00:00","2026-07-14T14:00:18.052408+00:00",9,[18,21,23,25,28,31],{"name":19,"type":20},"Microsoft 365","product",{"name":22,"type":20},"Microsoft Entra ID",{"name":24,"type":20},"Okta",{"name":26,"type":27},"ReliaQuest","vendor",{"name":29,"type":30},"OAuth 2.0 Device Authorization Grant","technology",{"name":32,"type":30},"SharePoint","2c8f44d4-b56e-47cf-9677-04f22c9ee78d",{"id":33,"icon":35,"name":36,"slug":37},null,"Identity & Access","identity-access",[39,44],{"category":40},{"id":41,"icon":35,"name":42,"slug":43},"574f766a-fb3f-487c-8d2c-0720ae75471b","Zero-day","zero-day",{"category":45},{"id":46,"icon":35,"name":47,"slug":48},"89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5","Malware","malware",[50,53,56,59,61,63,65],{"type":48,"value":51,"context":52},"Jalisco","Phishing kit exploiting OAuth 2.0 Device Authorization Grant to bypass MFA on Microsoft 365",{"type":48,"value":54,"context":55},"OmegaLord","Phishing kit masquerading as PDF reader to steal credentials and phone numbers for MFA bypass",{"type":48,"value":57,"context":58},"EvilTokens","Related phishing kit using device-code phishing method",{"type":48,"value":60,"context":58},"Kali365",{"type":48,"value":62,"context":58},"Tycoon2FA",{"type":48,"value":64,"context":58},"Venom",{"type":48,"value":66,"context":58},"Forg365"]