Find notable cyber news and cases, enriched with sources, timelines, and signals.

Microsoft 365 device-code phishing campaign using Jalisco and OmegaLord

Campaign
First reported
Last updated
Happening score
H score 37
1 unique sources, 1 articles

Summary

Hide ▲

The Jalisco and OmegaLord campaign is targeting Microsoft 365 accounts with MFA-bypass phishing, putting credentials, sessions, and downstream data at risk. Jalisco uses device-code phishing while OmegaLord uses a fake PDF Reader login page to steal login details and phone numbers. Once an account is taken over, attackers can quickly reach SharePoint and other SaaS data, then press for extortion.

Related Happenings

Jalisco and OmegaLord Microsoft 365 phishing kits

Malware Activity
H score27 First: 14.07.2026 15:49 Last: 14.07.2026 15:49 Sources 1

How related: Two new phishing kits, Jalisco and OmegaLord, have been discovered in attacks targeting Microsoft 365 accounts, using techniques that defeat multi-factor authentication (MFA).

About this happening: The **Jalisco** and **OmegaLord** phishing kits were discovered targeting **Microsoft 365** accounts with methods that **bypass MFA**, increasing the risk of credential theft and...

Forg365 PhaaS industrializes Microsoft 365 credential theft and session hijacking

Threat Actor Meta
H score36 First: 13.07.2026 16:03 Last: 13.07.2026 16:03 Sources 1

About this happening: **Forg365** has emerged as a **subscription-based phishing platform** that lowers the barrier to **Microsoft 365** account theft while scaling **session hijacking** and mailbox ab...

Forg365-ForgCookie alliance reshapes ransomware ecosystem operations

Threat Actor Meta
H score37 First: 09.07.2026 17:39 Last: 09.07.2026 17:39 Sources 1

About this happening: **Forg365** is a **phishing-as-a-service (PhaaS)** operation built to steal **Microsoft 365** accounts with **AiTM** and **device-code phishing**, increasing credential-theft risk...

Kali365 Microsoft 365 device-code phishing campaign

Campaign
H score46 First: 25.05.2026 15:45 Last: 25.05.2026 15:45 Sources 1

About this happening: A **Kali365** phishing campaign is targeting **Microsoft 365** environments worldwide with **device-code login lures**, putting accounts at risk of **token theft** and **MFA bypas...

CypherLoc phishing-led browser scareware campaign

Campaign
H score49 First: 20.05.2026 13:00 Last: 20.05.2026 13:00 Sources 1

About this happening: The **CypherLoc** operation has driven **around 2.8 million attacks** since the start of **2026**, using **phishing emails** to send users to malicious pages that lock browsers an...

Timeline

  1. 14.07.2026 15:49 2 articles · 1h ago

    ReliaQuest identifies Jalisco and OmegaLord phishing kits targeting Microsoft 365 accounts

    Initial Disclosure

    ReliaQuest identified two phishing kits, Jalisco and OmegaLord, in attacks targeting Microsoft 365 accounts. Jalisco uses device-code phishing with fresh Microsoft OAuth device codes and a web portal for managing captured sessions and compromised accounts, while OmegaLord uses a fake PDF Reader login page to steal email addresses, passwords, and phone numbers that can help attackers bypass MFA protections. The research also notes that attackers may register multiple rogue devices on a single compromised account and recommends reducing Entra ID device-registration limits, blocking device code authentication through Microsoft Entra Conditional Access, restricting the OAuth Device Authorization grant in Okta, and auditing unnecessary app registrations.

    Show sources