Phishing has surged in as AI-powered phishing-as-a-service kits enable attackers to bypass MFA and harvest OAuth tokens at scale. ReliaQuest identified two phishing tools used in the wild: Jalisco, a device code phishing toolkit that provisions fresh OAuth codes in real time, and OmegaLord, a credential harvester that captures phone numbers alongside passwords to intercept MFA. Jalisco is a device code phishing toolkit that provisions fresh OAuth codes in real time via a backend API.
Its use of lure-generation bypasses the 15-minute time-to-live on device codes, neutralizing one of the core security assumptions defenders rely on. The legitimate Microsoft login portal is tricked into authenticating normally and satisfying MFA. In the background, the attacker's tool silently collects access and refresh tokens from Microsoft's token endpoint, granting persistent account access without ever possessing the target's credentials. An expanding ecosystem of purpose-built tools and AI-powered phishing-as-a-service kits is lowering the barrier to phishing campaigns that bypass MFA.[/subscribe_to_unlock_form]
Phishing has surged in as AI-powered phishing-as-a-service kits enable attackers to bypass MFA and harvest OAuth tokens at scale. ReliaQuest identified two phishing tools used in the wild: Jalisco, a device code phishing toolkit that provisions fresh OAuth codes in real time, and OmegaLord, a credential harvester that captures phone numbers alongside passwords to intercept MFA. Jalisco is a device code phishing toolkit that provisions fresh OAuth codes in real time via a backend API.
Its use of lure-generation bypasses the 15-minute time-to-live on device codes, neutralizing one of the core security assumptions defenders rely on. The legitimate Microsoft login portal is tricked into authenticating normally and satisfying MFA. In the background, the attacker's tool silently collects access and refresh tokens from Microsoft's token endpoint, granting persistent account access without ever possessing the target's credentials. An expanding ecosystem of purpose-built tools and AI-powered phishing-as-a-service kits is lowering the barrier to phishing campaigns that bypass MFA.[emaillocker id="1283"]
Device code phishing tricks targets into entering attacker-generated OAuth device codes into the legitimate login portal, where they authenticate normally and satisfy MFA. Once inside a compromised Microsoft 365 account, attackers establish persistence by pairing multiple attacker-controlled devices to the victim's Entra ID tenant, then move quickly to exfiltrate sensitive data from software-as-a-service platforms for extortion.
| Tactic | Technique Id | Technique | Sub-technique |
|---|---|---|---|
| Initial access | T1566.002 | Phishing | Spearphishing Link |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Defence Evasion | T1036.005 | Masquerading | Match Legitimate Resource Name or Location |
| Credential access | T1555.003 | Credentials from Password Stores | Credentials from Web Browsers |
| Lateral Movement | T1021.001 | Remote Services | Remote Desktop Protocol |
| Command and control | T1071.001 | Application Layer Protocol | Web Protocols |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | - |
The following reports contain further technical details:
[/emaillocker]