Jalisco and OmegaLord: A Direct Attack on Your MFA Defenses
Phishing hasn't just improved; it’s gotten smarter, more deliberate, and shockingly efficient. We’re watching a shift where attackers aren't just trying to trick users, they’re actively engineering around the very defenses we count on. The latest targets are Microsoft 365 accounts, and two new kits—Jalisco and OmegaLord—are changing the game by bypassing Multi-Factor Authentication (MFA) in ways that make traditional security benchmarks look like relics.
As organizations grapple with a surge in sophisticated threats, understanding how these kits function isn't just an exercise for incident response teams—it’s crucial for anyone tasked with securing the modern digital workplace. The landscape of artificial intelligence cybersecurity threats is evolving, and these kits are merely the latest tools in a crowded arsenal designed to neutralize our most basic, effective protection.
The Jalisco Toolkit: Abuse by Design
Jalisco isn't aiming for your password directly because it doesn't need to. It’s exploiting the OAuth 2.0 Device Authorization Grant flow, a legitimate mechanism designed to help users sign in on devices without a web browser (think smart TV apps or gaming peripherals).
The attack is deceptively simple. When an attacker initiates a sign-in request, Microsoft generates a device authorization code. Through a well-crafted social engineering scenario, the attacker convinces the victim to enter that code on what appears to be a legitimate Microsoft portal. When the victim enters the code, they're essentially signing off on the attacker’s device—not their own.
What sets Jalisco apart from earlier clones is its agility. It generates fresh OAuth device codes dynamically, essentially invalidating Microsoft’s 15-minute expiration defense head-on. Once the victim is duped, the attacker gets a session token. They’re inside, MFA completely bypassed. Jalisco then hands the keys to the attacker via a management portal, allowing them to juggle multiple sessions and compromised accounts with ease.
OmegaLord: Data Harvesting Over Everything
While Jalisco is about hijacking sessions to bypass MFA entirely, OmegaLord plays a more traditional, if equally devastating, game. It masquerades as a standard PDF reader login page. It’s the kind of site that feels mundane and harmless, the perfect place to drop your credentials.
But OmegaLord isn't just collecting emails and passwords. Its primary focus is on scraping phone numbers, too. This is deliberate. By grabbing the phone number, the attacker isn't just building a contact list; they’re securing another vector to intercept MFA push requests or manipulate mobile-based authentication. They’re building a comprehensive profile of the victim to ensure that even if one door is locked, they have the keys to another. They're not just hacking an account; they're hacking the verification process itself.
The Shift in Targeted Exploitation
Both kits highlight a uncomfortable reality: defensive controls, like basic MFA, are being directly engineered against. We see this in the context of broader artificial intelligence cybersecurity threats, where attackers use automated tools to scale their efforts. Whether it's an automated device-code generator like Jalisco or a focused credential harvester like OmegaLord, the goal is consistent: speed and persistence.
ReliaQuest researchers observed that compromised accounts are often ransacked rapidly. In some cases, exfiltration is underway within six minutes of the initial compromise. This isn't a slow crawl through a network; it's a smash-and-grab. They pivot to SharePoint, drain sensitive internal communications, customer PII, and financial records, and then pivot again to extortion. By the time defenders even realize an account is compromised, the attacker has already packed up.
Practical Defense for the Modern Threat
You can't stop every phishing attempt, but you can definitely make their job harder. The default configurations in our SaaS platforms often prioritize convenience over security. It’s time to flip that ratio.
First, take a hard look at your Entra ID device-registration limits. The default is often absurdly high (up to 50). Tightening this to one or two per user immediately limits how many rogue devices an attacker can register. It’s a low-effort, high-impact configuration change.
Second, consider disabling device code authentication entirely if your environment doesn't strictly require it. Use Microsoft Entra Conditional Access to block the flow for suspicious sign-ins or entirely across the board if it’s not part of your standard operation. Similarly, restrict the OAuth Device Authorization grant in related services like Okta.
Do not ignore your application registrations. Audit them regularly, rip out the ones that aren't being used, and keep a strict watch on permissions. If a service is requesting broad scopes, it’s a red flag—deal with it immediately.
Staying Ahead of the Curve
Thinking we’re safe just because we have MFA enabled is a dangerous illusion. These kits prove that attackers are evolving just as quickly as our countermeasures. Jalisco and OmegaLord aren't just new phishing threats; they are clear indicators of a shift towards modular, fast-moving, and specifically engineered attacks against the foundational elements of our identity security.
Adaptability is the only strategy that matters. Test your controls, scan for unauthorized devices, and educate your team about these specific vectors. The goal isn't to reach a state of static security; it's to remain just slightly ahead of the attackers—before they find the next way in.