Attackers Find a New Way Into Microsoft 365

Permission granted.
Elizabeth Rigsby
Contributing Writer
two phishing toolkits, Jalisco, Reliaquest, OmegaLord, phishing, Microsoft 365, PhaaS, password

Stealing passwords is no longer the only way into a Microsoft 365 account. Researchers at ReliaQuest have identified two phishing toolkits, Jalisco and OmegaLord, that use techniques designed to get around multi-factor authentication (MFA) by targeting the authentication process itself.

Jalisco exploits Microsoft’s OAuth device authorization flow to gain account access without collecting usernames or passwords. OmegaLord takes a more traditional phishing approach, posing as a PDF reader to collect login credentials and phone numbers that could be be used during the authentication process.

The findings come as AI-powered phishing-as-a-service (PhaaS) tools become more widely available. According to ReliaQuest, these services can automate phishing page creation, imitate trusted brands, and simplify the process of launching phishing campaigns.

Why It Matters: MFA has become a standard part of enterprise security, but these phishing campaigns are designed to work around it instead of breaking it. As organizations continue to rely on Microsoft 365, the report puts more attention on identity controls, OAuth permissions, and what happens after a user successfully signs in.

  • Jalisco Exploits Microsoft’s Device Authorization Flow: Unlike traditional phishing kits that rely on stolen credentials, Jalisco abuses Microsoft’s OAuth 2.0 Device Authorization Grant flow, a feature designed for devices with limited input capabilities. Victims are prompted to enter an attacker-generated device code on Microsoft’s legitimate sign-in page, allowing Microsoft to issue OAuth access and refresh tokens directly to the attacker. ReliaQuest also found the toolkit generates fresh device codes in real time, avoiding Microsoft’s 15-minute expiration window and helping attackers keep phishing attempts active longer.
  • Rogue Device Registration Makes Recovery More Difficult: After gaining access to an account, attackers have been observed registering multiple unauthorized devices within Microsoft Entra ID. Those devices can continue requesting refreshed authentication tokens even after passwords have been reset, meaning recovery often involves more than changing credentials. ReliaQuest also observed attackers moving into SharePoint and other SaaS applications within minutes, looking for customer records, financial documents, and internal communications before exfiltrating data and using it to support extortion attempts.
  • OmegaLord Takes Aim at MFA: OmegaLord presents a fake PDF reader login page that collects email addresses, passwords, and phone numbers. ReliaQuest believes the phone number collection is intended to help attackers intercept or manipulate MFA verification after credentials have been captured. The toolkit offers another example of attackers adapting phishing campaigns to account for modern authentication controls.
  • AI Is Changing How Phishing Campaigns Are Built: Jalisco is part of a growing ecosystem of AI-powered phishing-as-a-service (PhaaS) tools that automate much of the work involved in building phishing campaigns. Some kits can recreate an organization’s branding from a single website and host phishing pages on legitimate cloud development platforms such as workers.dev and edgeone.app, making malicious sites harder to distinguish from legitimate services. According to ReliaQuest, phishing activity increased 1,380% between late 2025 and early 2026 as these tools became more widely available.
  • Identity Security Receives Greater Attention: ReliaQuest recommends disabling device code authentication unless there is a business need, reviewing OAuth application permissions, lowering Microsoft Entra ID’s default device registration limit, and restricting who can register new devices. The report also recommends auditing application registrations and Conditional Access policies to reduce opportunities for attackers to establish persistent access through Microsoft 365 identities.

Go Deeper -> New phishing kits target Microsoft 365 accounts, evade MFA – BleepingComputer

The Jalisco Toolkit and AI-Powered Phishing Surge – ReliaQuest

Trusted insights for technology leaders

Our readers are CIOs, CTOs, and senior IT executives who rely on The National CIO Review for smart, curated takes on the trends shaping the enterprise, from GenAI to cybersecurity and beyond.

Subscribe to our 4x a week newsletter to keep up with the insights that matter.

☀️ Subscribe to the Early Morning Byte! Begin your day informed, engaged, and ready to lead with the latest in technology news and thought leadership.

☀️ Your latest edition of the Early Morning Byte is here! Kickstart your day informed, engaged, and ready to lead with the latest in technology news and thought leadership.

ADVERTISEMENT

×
You have free article(s) left this month courtesy of the CIO Professional Network.

Enter your username and password to access premium features.

Don’t have an account? Join the community.

Would You Like To Save Articles?

Enter your username and password to access premium features.

Don’t have an account? Join the community.

Thanks for subscribing!

We’re excited to have you on board. Stay tuned for the latest technology news delivered straight to your inbox.

Save My Spot For TNCR LIVE!

Thursday April 18th

9 AM Pacific / 11 PM Central / 12 PM Eastern

Register for Unlimited Access

Already a member?

Digital Monthly

$12.00/ month

Billed Monthly

Digital Annual

$10.00/ month

Billed Annually

Would You Like To Save Books?

Enter your username and password to access premium features.

Don’t have an account? Join the community.

Log In To Access Premium Features

Sign Up For A Free Account

Name
Newsletters