Evolving Phishing Kits Bypass Modern MFA for Microsoft 365 Access
New toolkits like Jalisco and OmegaLord are using device code flows and credential harvesting to circumvent multi-factor authentication.
The landscape of enterprise identity security is shifting as malicious actors pivot toward sophisticated methods of bypassing multi-factor authentication (MFA). Recent activity involving the Jalisco and OmegaLord phishing kits demonstrates a clear intent to exploit the trust inherent in standard authentication flows, leaving organizations vulnerable to rapid data exfiltration.
Weaponizing OAuth Authorization Flows
The Jalisco toolkit centers its operation on the OAuth 2.0 Device Authorization Grant. By tricking users into inputting an authorization code on a legitimate Microsoft login page, attackers gain full access to the victim's account without requiring a password. This bypasses the 15-minute validity window typically applied to device codes by automatically generating fresh tokens for the victim the moment the phishing page is accessed.
The Mechanics of Data Exfiltration
Once inside an environment, attackers often register multiple unauthorized devices under names designed to mimic official Microsoft or Windows services. This persistence allows threat actors to target SharePoint and other SaaS platforms, where they move quickly to extract sensitive information. ReliaQuest notes that this process is highly efficient, often leaving security teams with a very narrow window to respond.
The explicit targeting of phone numbers is another example - alongside device code phishing - of how threat actors are directly engineering around MFA as a control.
— ReliaQuest researchers
Traditional Methods Refined for MFA
While Jalisco leverages modern OAuth flaws, OmegaLord utilizes a more traditional, albeit effective, approach. By masquerading as a PDF reader, the kit captures passwords and phone numbers. This specific focus on contact information suggests that attackers are preparing to intercept MFA requests or facilitate secondary social engineering attacks to finalize their account takeover.
- The Jalisco kit can register up to 5 rogue devices on a single compromised account.
- Data exfiltration can occur in as little as 6 minutes after an account is compromised.
- ReliaQuest recommends reducing the default Entra ID device-registration limit from 50 to 1 or 2.
Hardening Identity Against New Threats
The continued reliance on tools like EvilTokens, Kali365, Tycoon2FA, Venom, and Forg365 signals an industry-wide trend toward subverting authentication protocols. For organizations, the primary defense involves Test every layer before attackers do to ensure that existing safeguards are not bypassed. Beyond reducing device registration limits, administrators should prioritize auditing app registrations and strictly enforcing conditional access policies to block unauthorized device code authentication, significantly raising the barrier for entry for these evolving threats.