Skip to content
Tech News
← Back to articles

New phishing kits target Microsoft 365 accounts, evade MFA

read original more articles

Two new phishing kits, Jalisco and OmegaLord, have been discovered in attacks targeting Microsoft 365 accounts, using techniques that defeat multi-factor authentication (MFA).

While Jalisco uses the device-code phishing method, OmegaLord masquerades as a PDF reader to collect account login credentials and associated phone numbers, which could help the attacker intercept or hijack MFA requests or codes.

Both phishing toolkits were analyzed by researchers at cybersecurity firm ReliaQuest, who note that while device-code phishing has become increasingly common, traditional phishing techniques continue to evolve to bypass modern defenses.

The device code phishing technique abuses the OAuth 2.0 Device Authorization Grant flow by tricking victims into authorizing an attacker-controlled device to access their Microsoft account.

The attack typically begins when the threat actor initiates a sign-in request to a Microsoft service, such as Microsoft 365, prompting the platform to generate a device authorization code.

Using social engineering, the attacker convinces the victim to sign in to the legitimate Microsoft login page and enter the authorization code, thereby approving the attacker-controlled device. Once the device is authorized, the attacker can access the victim's account without ever needing their username or password.

The Jalisco toolkit generates fresh Microsoft OAuth device codes automatically when a victim opens the phishing page.

Malicious authentication prompt

Source: ReliaQuest

By provisioning the codes in real-time, the phishing toolkit bypasses Microsoft’s 15-minute validity for device codes specifically to fight device-code phishing attacks.

... continue reading