New phishing kits beat Microsoft’s MFA at its own game.
Researchers at cybersecurity company ReliaQuest have uncovered two phishing toolkits, Jalisco and OmegaLord, that are being used in active campaigns against Microsoft 365 environments.
According to ReliaQuest’s threat research, both toolkits are designed to overcome multi-factor authentication (MFA), but they use different techniques to achieve that goal.
Jalisco relies on device code phishing, a method that abuses Microsoft’s legitimate OAuth device authorization process. Rather than stealing credentials directly, the toolkit tricks victims into authorizing an attacker-controlled device through Microsoft’s real login page, allowing attackers to capture OAuth tokens and gain account access without ever seeing the victim’s credentials.
OmegaLord takes a more traditional phishing approach. Disguised as a PDF reader login page, it steals email addresses and passwords and collects victims’ phone numbers, a tactic researchers believe is intended to help intercept or hijack MFA verification requests.
The discoveries come as phishing campaigns continue to grow throughout 2026, fueled by AI-powered phishing-as-a-service (PhaaS) platforms that make advanced attacks accessible to less-experienced cybercriminals, according to ReliaQuest.
Jalisco removes a key security limitation
ReliaQuest said Jalisco stands out because it automatically generates fresh Microsoft OAuth device codes the moment a victim opens a phishing page.
Unlike older device-code phishing kits that rely on pre-generated codes with a limited lifespan, Jalisco creates new authorization codes in real time. This bypasses Microsoft’s 15-minute expiration window for device codes, reducing one of the built-in safeguards defenders have relied on. The toolkit also includes a management portal that lets attackers organize stolen sessions and compromised Microsoft 365 accounts, making large phishing campaigns easier to run.
“Threat actors use compromised accounts to access sensitive data, such as customer or employee personally identifiable information (PII), financial records, and internal communications stored in SharePoint and other SaaS platforms,” ReliaQuest warned. “Exfiltration typically occurs quickly, in as little as six minutes, before defenders have identified the breach.”
Persistence extends beyond stolen credentials
The report also highlights how attackers are maintaining access after the initial compromise. Because device code phishing captures OAuth tokens instead of passwords, simply forcing a password reset may not remove an attacker from the account.
ReliaQuest said it has recently observed threat actors registering more than five devices to a single compromised Microsoft Entra ID account, often using names resembling legitimate Windows or Microsoft devices to avoid drawing attention.
Those enrolled devices can continue refreshing authentication tokens, allowing attackers to retain access while defenders work to identify and remove every malicious device.
AI is lowering the barrier for phishing attacks
The researchers say the broader phishing ecosystem has become increasingly automated through AI-powered phishing-as-a-service kits.
ReliaQuest identified platforms, including EvilTokens, Kali365, Tycoon2FA, Venom, and Darcula, as phishing services that enable attackers to rapidly build convincing phishing campaigns. Some use artificial intelligence to recreate a target organization’s branding from a single website address, while others host phishing pages on legitimate cloud development platforms such as workers.dev and edgeone.app to make detection more difficult.
According to ReliaQuest, the growing availability of these tools coincides with a 1,380% increase in phishing activity between late 2025 and early 2026.
Must-read security coverage
Defenders are being urged to tighten Microsoft identity controls
ReliaQuest recommended that organizations reduce their exposure by disabling device code authentication wherever it is not required.
The company advises administrators to block device code authentication through Microsoft Entra ID Conditional Access policies, restrict OAuth Device Authorization grants in Okta, audit unnecessary application registrations, and lower the default limit for user device registrations from 50 devices to one or two where operationally possible.
The report also recommended restricting which users can register new devices, making it harder for attackers to establish long-term persistence after compromising an account.
Preparing for the next wave of phishing attacks
The rise of Jalisco and OmegaLord suggests phishing campaigns are becoming more automated, scalable, and focused on identity systems.
The biggest challenge for defenders is that attackers are using legitimate services and authentication features against organizations. Traditional defenses built around detecting fake login pages or stolen passwords may not catch attacks in which users complete the authentication process themselves.
Related News: Businesses should prioritize phishing-resistant authentication methods, such as hardware security keys or other stronger authentication approaches, while reviewing identity settings in Microsoft Entra ID.
Read the full article here