SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers
United Kingdom
Phishing toolkits target Microsoft 365 MFA in surge

Phishing toolkits target Microsoft 365 MFA in surge

Wed, 15th Jul 2026 (Today)
Mark Tarre
MARK TARRE News Chief

ReliaQuest has identified two phishing toolkits, Jalisco and OmegaLord, during investigations into campaigns targeting Microsoft 365 environments.

Jalisco is a device code phishing toolkit that generates fresh OAuth codes in real time, while OmegaLord is a JavaScript-based credential harvester that collects phone numbers alongside usernames and passwords.

The findings point to a broader shift in phishing activity, with attackers using more specialised tools and AI-assisted kits to bypass multi-factor authentication rather than simply steal credentials. The change matters because many organisations have treated MFA as a stronger safeguard against account takeover, particularly in cloud software environments such as Microsoft 365.

Device code phishing has drawn growing attention because it does not depend on capturing a victim's password. Instead, a user is tricked into completing a legitimate sign-in flow on an attacker's behalf, allowing the attacker to obtain access and refresh tokens tied to the account.

In Jalisco's case, the toolkit uses what ReliaQuest described as lure generation. Instead of embedding a static device code in a phishing page, it calls a backend application programming interface to create a fresh code when the target lands on the page.

That approach undermines a basic timing control in the device code process. Device codes typically expire after a short period, which can limit the usefulness of phishing pages that rely on pre-generated codes. A code issued in real time removes much of that constraint.

Jalisco also includes a web portal for managing captured sessions and accessing compromised accounts. ReliaQuest said the combination of real-time code generation and session management shows phishing infrastructure is becoming more organised and easier to use.

OmegaLord reflects a different route to the same goal. The toolkit presents a fake PDF reader login page and asks targets for an email address, password and phone number, adding a data point that could help attackers intercept or take over MFA prompts.

Requesting a phone number is not standard for a basic credential-harvesting page. Its inclusion suggests attackers are adapting conventional phishing methods to work around authentication protections that depend on text messages or mobile-based verification.

Persistence risk

One of the more serious issues in device code phishing is what happens after the initial compromise. Because attackers obtain tokens rather than passwords, an organisation cannot rely on a password reset alone to remove access.

The report said attackers have been enrolling their own devices into a victim's Microsoft Entra ID tenant after gaining access. That step can provide a Primary Refresh Token, allowing access to continue while the enrolled device remains active.

ReliaQuest said it has observed attackers registering more than five devices to a single compromised account, above the one or two devices more commonly seen. The devices often carry names intended to look legitimate, including labels beginning with terms such as microsoft or WINDOWS.

This makes clean-up harder for incident response teams. Defenders must identify and remove each rogue enrolled device before they can be confident the account is secure, extending the time available for data theft.

Attackers often move quickly to take information from SharePoint and other software-as-a-service platforms once inside an account. ReliaQuest said data theft can begin within minutes of compromise, putting customer records, employee information, financial data and internal communications at risk.

Broader ecosystem

ReliaQuest linked the emergence of Jalisco and OmegaLord to a broader phishing-as-a-service market that has become easier to access. AI-assisted kits including EvilTokens, Kali365, Tycoon2fa, Venom and Darcula are helping less skilled threat actors launch persuasive campaigns at scale.

These kits can imitate a target organisation's branding from a single web address, reproducing logos, images and layouts with limited manual work. They are also hosted on legitimate developer infrastructure, including workers.dev and edgeone.app, which can make them harder for traditional filtering tools to block.

Because such services have valid commercial uses, phishing pages hosted on them can blend into normal internet traffic. That creates a challenge for security teams that still depend heavily on signature-based detection in email gateways or web filtering systems.

ReliaQuest said this shift has coincided with a 1,380% increase in phishing activity between late 2025 and early 2026. The rise suggests phishing operations are becoming more automated, while the cost and expertise needed to launch them are falling.

Defensive steps

The clearest recommendation is to disable device code authentication by default in Microsoft Entra ID through a Conditional Access policy that blocks all users and cloud applications. Exceptions should be tightly limited to accounts with a documented operational requirement.

ReliaQuest also advised organisations to review application registrations and remove unnecessary device authorisation grants, and to reduce the number of devices users are allowed to register. Restricting device registration to a small approved group could limit the foothold available to an attacker after an account has been compromised.

The findings indicate that attackers are no longer focused only on stealing passwords. They are now targeting the authentication process itself and building tools designed to get around controls many companies have treated as a last line of defence.

ReliaQuest said the device code flow has few legitimate use cases for most users in most environments, so blocking it by default removes the authentication path these campaigns depend on.