New Phishing Kits Jalisco and OmegaLord Bypass Microsoft 365 MFA
Two sophisticated phishing kits, **Jalisco** and **OmegaLord**, are actively targeting **Microsoft 365** accounts, employing advanced techniques to bypass multi-factor authentication (MFA). Cybersecurity firm **ReliaQuest** has analyzed these threats, highlighting the evolving landscape of credential theft and account compromise.
Cybersecurity firm **ReliaQuest** has uncovered two new phishing kits, **Jalisco** and **OmegaLord**, which are specifically designed to compromise **Microsoft 365** accounts and circumvent multi-factor authentication (MFA).
### Jalisco: The Device-Code Phishing Specialist
**Jalisco** leverages the OAuth 2.0 Device Authorization Grant flow, a technique known as device-code phishing. This method tricks victims into authorizing an attacker-controlled device to access their **Microsoft** account without directly stealing their username or password.
The attack unfolds when a threat actor initiates a sign-in request to a **Microsoft** service, generating a device authorization code. Through social engineering, the victim is then persuaded to enter this code on a legitimate **Microsoft** login page, inadvertently approving the attacker's device.
**Jalisco** is particularly insidious because it automatically generates fresh **Microsoft** OAuth device codes in real-time when a victim accesses the phishing page. This bypasses **Microsoft**'s 15-minute validity window for device codes, a measure implemented to combat such attacks.

**ReliaQuest** researchers note that **Jalisco** includes a web portal for operators to manage captured sessions and compromised accounts. In some instances, attackers have registered up to five rogue devices on a single compromised account, often using deceptive names like βMicrosoftβ or βWindowsβ to avoid suspicion.
Once an account is compromised, attackers rapidly exfiltrate valuable data from **SharePoint** and other SaaS services, sometimes within minutes. This data is then used for extortion, with threats of public leakage.
"Threat actors use compromised accounts to access sensitive data, such as customer or employee personally identifiable information (PII), financial records, and internal communications stored in **SharePoint** and other SaaS platforms," **ReliaQuest** states. "Exfiltration typically occurs quickly, in as little as six minutes, before defenders have identified the breach."
### OmegaLord: Evolving Traditional Phishing
In contrast, **OmegaLord** employs a more traditional phishing approach, presenting a fake PDF Reader login page to steal email addresses, passwords, and crucially, phone numbers. The collection of phone numbers is a clear indication of attackers' intent to intercept or hijack MFA requests and codes.

"The explicit targeting of phone numbers is another example - alongside device code phishing - of how threat actors are directly engineering around MFA as a control," **ReliaQuest** researchers observe.
**Jalisco** joins a growing list of phishing kits that rely on the device-code method, including **EvilTokens**, **Kali365**, **Tycoon2FA**, **Venom**, and **Forg365**.
### Mitigating the Threat
To counter these evolving threats, **ReliaQuest** recommends several proactive measures:
* **Reduce Entra ID Device Registration Limit:** Lower the default **Entra ID** device-registration limit from '50' to one or two. This can significantly reduce response and remediation times during account hijack incidents.
* **Block Device Code Authentication:** Implement **Microsoft Entra Conditional Access** to block device code authentication.
* **Restrict OAuth Device Authorization:** For **Okta** users, restrict the OAuth Device Authorization grant.
* **Audit App Registrations:** Regularly audit and remove any unnecessary app registrations.