Threat Advisory

Microsoft Entra ID Bypassed by AI-Powered Phishing-as-a-Service Kits

Threat: Phishing Campaign
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High
[subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

Phishing has surged in as AI-powered phishing-as-a-service kits enable attackers to bypass MFA and harvest OAuth tokens at scale. ReliaQuest identified two phishing tools used in the wild: Jalisco, a device code phishing toolkit that provisions fresh OAuth codes in real time, and OmegaLord, a credential harvester that captures phone numbers alongside passwords to intercept MFA. Jalisco is a device code phishing toolkit that provisions fresh OAuth codes in real time via a backend API.

Its use of lure-generation bypasses the 15-minute time-to-live on device codes, neutralizing one of the core security assumptions defenders rely on. The legitimate Microsoft login portal is tricked into authenticating normally and satisfying MFA. In the background, the attacker's tool silently collects access and refresh tokens from Microsoft's token endpoint, granting persistent account access without ever possessing the target's credentials. An expanding ecosystem of purpose-built tools and AI-powered phishing-as-a-service kits is lowering the barrier to phishing campaigns that bypass MFA.[/subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

Phishing has surged in as AI-powered phishing-as-a-service kits enable attackers to bypass MFA and harvest OAuth tokens at scale. ReliaQuest identified two phishing tools used in the wild: Jalisco, a device code phishing toolkit that provisions fresh OAuth codes in real time, and OmegaLord, a credential harvester that captures phone numbers alongside passwords to intercept MFA. Jalisco is a device code phishing toolkit that provisions fresh OAuth codes in real time via a backend API.

Its use of lure-generation bypasses the 15-minute time-to-live on device codes, neutralizing one of the core security assumptions defenders rely on. The legitimate Microsoft login portal is tricked into authenticating normally and satisfying MFA. In the background, the attacker's tool silently collects access and refresh tokens from Microsoft's token endpoint, granting persistent account access without ever possessing the target's credentials. An expanding ecosystem of purpose-built tools and AI-powered phishing-as-a-service kits is lowering the barrier to phishing campaigns that bypass MFA.[emaillocker id="1283"]

Device code phishing tricks targets into entering attacker-generated OAuth device codes into the legitimate login portal, where they authenticate normally and satisfy MFA. Once inside a compromised Microsoft 365 account, attackers establish persistence by pairing multiple attacker-controlled devices to the victim's Entra ID tenant, then move quickly to exfiltrate sensitive data from software-as-a-service platforms for extortion.

THREAT PROFILE:

Tactic Technique Id Technique Sub-technique
Initial access T1566.002 Phishing Spearphishing Link
Persistence T1547.001 Boot or Logon Autostart Execution Registry Run Keys / Startup Folder
Defence Evasion T1036.005 Masquerading Match Legitimate Resource Name or Location
Credential access T1555.003 Credentials from Password Stores Credentials from Web Browsers
Lateral Movement T1021.001 Remote Services Remote Desktop Protocol
Command and control T1071.001 Application Layer Protocol Web Protocols
Exfiltration T1041 Exfiltration Over C2 Channel -

REFERENCES:

The following reports contain further technical details:

[/emaillocker]
crossmenu