Jalisco and OmegaLord Microsoft 365 phishing kits
Malware Activity
Summary
Hide ▲
Show ▼
The Jalisco and OmegaLord phishing kits were discovered targeting Microsoft 365 accounts with methods that bypass MFA, increasing the risk of credential theft and account takeover. Jalisco uses device-code phishing, while OmegaLord impersonates a PDF Reader login page to collect login credentials and phone numbers. The activity also supports rapid session abuse after compromise, making the kits more effective against modern account defenses.
Related Happenings
Microsoft 365 device-code phishing campaign using Jalisco and OmegaLord
Campaign
H score37
First: 14.07.2026 15:49
Last: 14.07.2026 15:49
Sources 1
How related:
Two new phishing kits, Jalisco and OmegaLord, have been discovered in attacks targeting Microsoft 365 accounts, using techniques that defeat multi-factor authentication (MFA).
About this happening:
The **Jalisco** and **OmegaLord** campaign is targeting **Microsoft 365** accounts with **MFA-bypass phishing**, putting credentials, sessions, and downstream data at risk. Jalisc...
Microsoft 365 device-code phishing campaign using Jalisco and OmegaLord
CampaignHow related: Two new phishing kits, Jalisco and OmegaLord, have been discovered in attacks targeting Microsoft 365 accounts, using techniques that defeat multi-factor authentication (MFA).
About this happening: The **Jalisco** and **OmegaLord** campaign is targeting **Microsoft 365** accounts with **MFA-bypass phishing**, putting credentials, sessions, and downstream data at risk. Jalisc...
Forg365 PhaaS industrializes Microsoft 365 credential theft and session hijacking
Threat Actor Meta
H score36
First: 13.07.2026 16:03
Last: 13.07.2026 16:03
Sources 1
About this happening:
**Forg365** has emerged as a **subscription-based phishing platform** that lowers the barrier to **Microsoft 365** account theft while scaling **session hijacking** and mailbox ab...
Forg365 PhaaS industrializes Microsoft 365 credential theft and session hijacking
Threat Actor MetaAbout this happening: **Forg365** has emerged as a **subscription-based phishing platform** that lowers the barrier to **Microsoft 365** account theft while scaling **session hijacking** and mailbox ab...
Microsoft Entra OAuth Client ID spoofing campaign
Campaign
H score58
First: 13.07.2026 16:00
Last: 13.07.2026 16:00
Sources 1
About this happening:
A **Microsoft Entra ID** targeting campaign is using **OAuth Client ID spoofing** to evade **Entra sign-in logs** and gain stealthy access to cloud services, increasing the chance...
Microsoft Entra OAuth Client ID spoofing campaign
CampaignAbout this happening: A **Microsoft Entra ID** targeting campaign is using **OAuth Client ID spoofing** to evade **Entra sign-in logs** and gain stealthy access to cloud services, increasing the chance...
Forg365-ForgCookie alliance reshapes ransomware ecosystem operations
Threat Actor Meta
H score37
First: 09.07.2026 17:39
Last: 09.07.2026 17:39
Sources 1
About this happening:
**Forg365** is a **phishing-as-a-service (PhaaS)** operation built to steal **Microsoft 365** accounts with **AiTM** and **device-code phishing**, increasing credential-theft risk...
Forg365-ForgCookie alliance reshapes ransomware ecosystem operations
Threat Actor MetaAbout this happening: **Forg365** is a **phishing-as-a-service (PhaaS)** operation built to steal **Microsoft 365** accounts with **AiTM** and **device-code phishing**, increasing credential-theft risk...
Kali365 Microsoft 365 device-code phishing campaign
Campaign
H score46
First: 25.05.2026 15:45
Last: 25.05.2026 15:45
Sources 1
About this happening:
A **Kali365** phishing campaign is targeting **Microsoft 365** environments worldwide with **device-code login lures**, putting accounts at risk of **token theft** and **MFA bypas...
Kali365 Microsoft 365 device-code phishing campaign
CampaignAbout this happening: A **Kali365** phishing campaign is targeting **Microsoft 365** environments worldwide with **device-code login lures**, putting accounts at risk of **token theft** and **MFA bypas...
Timeline
-
14.07.2026 15:49 2 articles · 1h ago
Jalisco and OmegaLord target Microsoft 365 accounts with MFA-bypassing phishing
Initial DisclosureReliaQuest identified two phishing kits, Jalisco and OmegaLord, targeting Microsoft 365 accounts and bypassing MFA. Jalisco uses device-code phishing with freshly generated Microsoft OAuth device codes and a web portal for captured sessions, while OmegaLord uses a fake PDF Reader login page to steal credentials and associated phone numbers that can help attackers intercept or hijack MFA requests or codes.
Show sources
- New phishing kits target Microsoft 365 accounts, evade MFA — www.bleepingcomputer.com — 14.07.2026 15:49
- New phishing kits target Microsoft 365 accounts, evade MFA — www.bleepingcomputer.com — 14.07.2026 15:49