New phishing kits target Microsoft 365 accounts, evade MFA
by Bill Toulas · BleepingComputerTwo new phishing kits, Jalisco and OmegaLord, have been discovered in attacks targeting Microsoft 365 accounts, using techniques that defeat multi-factor authentication (MFA).
While Jalisco uses the device-code phishing method, OmegaLord masquerades as a PDF reader to collect account login credentials and associated phone numbers, which could help the attacker intercept or hijack MFA requests or codes.
Both phishing toolkits were analyzed by researchers at cybersecurity firm ReliaQuest, who note that while device-code phishing has become increasingly common, traditional phishing techniques continue to evolve to bypass modern defenses.
The device code phishing technique abuses the OAuth 2.0 Device Authorization Grant flow by tricking victims into authorizing an attacker-controlled device to access their Microsoft account.
The attack typically begins when the threat actor initiates a sign-in request to a Microsoft service, such as Microsoft 365, prompting the platform to generate a device authorization code.
Using social engineering, the attacker convinces the victim to sign in to the legitimate Microsoft login page and enter the authorization code, thereby approving the attacker-controlled device. Once the device is authorized, the attacker can access the victim's account without ever needing their username or password.
The Jalisco toolkit generates fresh Microsoft OAuth device codes automatically when a victim opens the phishing page.
Source: ReliaQuest
By provisioning the codes in real-time, the phishing toolkit bypasses Microsoft’s 15-minute validity for device codes specifically to fight device-code phishing attacks.
Jalisco also includes a web portal where its operators can manage captured sessions and compromised accounts, the researchers say.
ReliaQuest notes that in some cases, it has seen attackers register five rogue devices on a single compromised account, sometimes using seemingly benign names containing “Microsoft” or “Windows” to lower suspicion.
After compromising an account, attackers search SharePoint and other SaaS services for valuable data and exfiltrate it within a few minutes, then follow up with extortion demands and threaten to leak it.
“Threat actors use compromised accounts to access sensitive data, such as customer or employee personally identifiable information (PII), financial records, and internal communications stored in SharePoint and other SaaS platforms,” ReliaQuest says.
“Exfiltration typically occurs quickly, in as little as six minutes, before defenders have identified the breach.”
OmegaLord is a more conventional phishing tool that uses a fake PDF Reader login page to steal email addresses, passwords, and phone numbers, likely intended to help attackers bypass MFA protections.
Source: ReliaQuest
"The explicit targeting of phone numbers is another example - alongside device code phishing - of how threat actors are directly engineering around MFA as a control," ReliaQuest researchers note.
The Jalisco phishing kit is yet another tool that relies on the device-code method to obtain access to victims' accounts, along with EvilTokens, Kali365, Tycoon2FA, Venom, and Forg365.
ReliaQuest recommends that the Entra ID device-registration limit be reduced from the default value of ‘50’ down to one or two, which would also help reduce response and remediation times in case of account hijack incidents.
Additionally, it is recommended to block device code authentication through Microsoft Entra Conditional Access, restrict the OAuth Device Authorization grant in Okta, and audit and remove unnecessary app registrations.
Test every layer before attackers do
Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.
The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.