Advertisement
Security

Evolving Phishing Kits Bypass Modern MFA for Microsoft 365 Access

New toolkits like Jalisco and OmegaLord are using device code flows and credential harvesting to circumvent multi-factor authentication.

··2 hours ago·2 min read
Facebook profile lock screen on a smartphone
Photo by Smartupworld on Unsplash
Advertisement

The landscape of enterprise identity security is shifting as malicious actors pivot toward sophisticated methods of bypassing multi-factor authentication (MFA). Recent activity involving the Jalisco and OmegaLord phishing kits demonstrates a clear intent to exploit the trust inherent in standard authentication flows, leaving organizations vulnerable to rapid data exfiltration.

Weaponizing OAuth Authorization Flows

The Jalisco toolkit centers its operation on the OAuth 2.0 Device Authorization Grant. By tricking users into inputting an authorization code on a legitimate Microsoft login page, attackers gain full access to the victim's account without requiring a password. This bypasses the 15-minute validity window typically applied to device codes by automatically generating fresh tokens for the victim the moment the phishing page is accessed.

The Mechanics of Data Exfiltration

Once inside an environment, attackers often register multiple unauthorized devices under names designed to mimic official Microsoft or Windows services. This persistence allows threat actors to target SharePoint and other SaaS platforms, where they move quickly to extract sensitive information. ReliaQuest notes that this process is highly efficient, often leaving security teams with a very narrow window to respond.

The explicit targeting of phone numbers is another example - alongside device code phishing - of how threat actors are directly engineering around MFA as a control.

— ReliaQuest researchers

Traditional Methods Refined for MFA

While Jalisco leverages modern OAuth flaws, OmegaLord utilizes a more traditional, albeit effective, approach. By masquerading as a PDF reader, the kit captures passwords and phone numbers. This specific focus on contact information suggests that attackers are preparing to intercept MFA requests or facilitate secondary social engineering attacks to finalize their account takeover.

  • The Jalisco kit can register up to 5 rogue devices on a single compromised account.
  • Data exfiltration can occur in as little as 6 minutes after an account is compromised.
  • ReliaQuest recommends reducing the default Entra ID device-registration limit from 50 to 1 or 2.

Hardening Identity Against New Threats

The continued reliance on tools like EvilTokens, Kali365, Tycoon2FA, Venom, and Forg365 signals an industry-wide trend toward subverting authentication protocols. For organizations, the primary defense involves Test every layer before attackers do to ensure that existing safeguards are not bypassed. Beyond reducing device registration limits, administrators should prioritize auditing app registrations and strictly enforcing conditional access policies to block unauthorized device code authentication, significantly raising the barrier for entry for these evolving threats.

#phishing#microsoft 365#mfa#cybersecurity#oauth

Iliyas Mansuree

Founder & Editor, Xploitwire

16 years of experience in data privacy, cloud security, and information protection. More by this author →

← Back to all stories
Advertisement