Jalisco and OmegaLord PhaaS Kits Beat M365 MFA Using OAuth Tricks

ReliaQuest disclosed Jalisco, which regenerates OAuth tokens in real time to beat Microsoft's 15-minute window, and OmegaLord, which harvests MFA phone numbers.
Table of Contents
    Add a header to begin generating the table of contents

    ReliaQuest security researchers disclosed two new phishing-as-a-service toolkits targeting Microsoft 365 accounts — Jalisco and OmegaLord — each designed to defeat multi-factor authentication through distinct technical approaches. Jalisco generates fresh OAuth device-code tokens in real time to eliminate a constraint defenders had relied on, while OmegaLord combines credential theft with phone number harvesting to provide operators everything needed to bypass SMS-based MFA in a single attack session. Active victims were confirmed in ReliaQuest’s investigation.

    Jalisco’s Real-Time OAuth Code Regeneration Eliminates the 15-Minute Attack Window

    Jalisco operates through Microsoft’s OAuth 2.0 Device Authorization Grant flow — the same device-code phishing technique used by other M365 targeting tools — but with a capability that distinguishes it from previously documented kits. Standard device-code phishing generates an OAuth authorization code at the start of the attack session and presents it to the victim. Microsoft’s OAuth implementation gives those codes a 15-minute validity window, after which they expire. Prior device-code kits relied on codes generated at the session’s beginning, giving operators a fixed 15-minute window to complete the social engineering required to get the victim to authenticate.

    Jalisco generates fresh device-code OAuth tokens continuously throughout the attack session as existing codes approach expiration, replacing them before the 15-minute window closes. The practical effect is that Jalisco’s attack window does not expire: operators can sustain social engineering conversations across longer time periods without the attack becoming technically invalid. A victim who is slow to follow instructions, or an operator who needs multiple phone calls or messages to build sufficient trust for the victim to authenticate, no longer faces a hard time limit that could abort the attack.

    How Jalisco Enables Longer Social Engineering Than Tycoon 2FA or EvilProxy Allow

    Microsoft’s 15-minute device-code validity window had served as a weak but genuine constraint on device-code phishing operations. By requiring that the victim authenticate within 15 minutes of code generation, it set a ceiling on how much social engineering time operators could invest per attack attempt. Jalisco’s real-time regeneration removes this ceiling, transforming device-code phishing from a time-pressured technique into one that can accommodate the unhurried social engineering approaches typical of business email compromise and executive impersonation campaigns. ReliaQuest noted that Jalisco is distinct from other documented M365 PhaaS platforms including Helix, Forg365, DEBULL, Pink, Tycoon 2FA, EvilProxy, and EvilTokens.

    OmegaLord’s Unified Collection of M365 Credentials and MFA Phone Numbers

    OmegaLord employs a different technical approach. The kit presents itself to victims as a PDF reader or document viewer — a social engineering lure that prompts victims to enter credentials to access a purported document. Unlike credential-only phishing kits, OmegaLord explicitly collects the victim’s phone number during the same session alongside their username and password.

    The phone number collection is not incidental. Organizations enrolled in Microsoft 365 use registered phone numbers as MFA factors for SMS-based verification codes. OmegaLord’s simultaneous harvest of the credential set and the phone number registered as the MFA factor gives operators everything they need to bypass the MFA protection the phone number was added to provide. With the credential set and the target phone number both in hand, operators can attempt SIM-swap requests to take over the phone number or intercept SMS codes in real time — either approach bypasses the MFA challenge without requiring any real-time session interception capability during the authentication attempt.

    Active Victims and the Expanding M365 PhaaS Market

    ReliaQuest confirmed active victims in its investigation of both platforms. Both Jalisco and OmegaLord represent escalations in the technical capabilities of M365-targeting PhaaS toolkits. Jalisco addresses the 15-minute OAuth code limitation that had constrained device-code phishing operations. OmegaLord integrates MFA bypass enablement directly into the credential theft workflow, producing a more complete attack package in a single session rather than requiring separate steps for credential capture and MFA factor targeting.

    These two platforms join a documented market of M365-targeting PhaaS kits that ReliaQuest tracks, including Helix, Forg365, DEBULL, and Pink disclosed earlier in July 2026, and established platforms including Tycoon 2FA and EvilProxy. The continued disclosure of new entrants in this market reflects sustained demand for M365 credential theft tooling as enterprise deployments of Microsoft 365 remain a high-value target for account takeover operations. Defenders relying on device-code phishing’s time constraint as a partial control — or on SMS-based MFA as a sufficient second factor — should account for both constraints now having documented technical bypasses in active PhaaS toolkits.

    Related Posts