New phishing kits target Microsoft 365 accounts, evade MFA
Attributes the threat exclusively to malicious third parties (‘underground forums’, ‘attackers’) while positioning Microsoft and MFA vendors as passive targets—not as entities responsible for architectural choices enabling such bypasses.
View original on bleepingcomputer.comOverview
Two new phishing kits—Jalisco and OmegaLord—are actively exploiting Microsoft 365 accounts by bypassing multi-factor authentication, representing an escalation in credential-stealing tradecraft.
TL;DR
- Jalisco and OmegaLord are newly identified phishing kits targeting Microsoft 365
- Both kits employ MFA bypass techniques, including real-time token relay and session hijacking
- The kits are distributed via underground forums and show modular, evasive design
Key Stats
2
phishing kits identified
Jalisco and OmegaLord
Questions Answered
Keywords
Narrative Frame
bad-actor framing
Spin Score
40%
Emphasizes attacker ingenuity and infrastructure; minimizes vendor accountability for design trade-offs (e.g., reliance on session tokens, legacy auth protocols, or incomplete MFA enforcement across service endpoints).
What the story wants you to believe
This is an attacker-led escalation—not a signal of preventable design flaws in widely deployed identity systems.
What it makes harder to question
Whether Microsoft’s M365 authentication architecture inherently enables such bypasses due to long-lived session tokens, permissive consent models, or inconsistent MFA enforcement across services.
How the spin works
The story redirects attention toward process, intent, scale, mission, or future benefits instead of unresolved concerns. Watch for loaded terms such as evade, defeat, bypass. The distribution reads as editorial reporting. A pressure point: No discussion of whether Microsoft’s Conditional Access policies or Entra ID configurations could mitigate these kits.
Who Benefits If This Frame Spreads
Microsoft security teams
Deflects pressure to disclose or patch underlying protocol-level weaknesses in M365 auth flows
Framing bypasses as 'attacker innovation' rather than 'design limitation' preserves vendor credibility and avoids triggering regulatory or contractual liability
The Frame
Cybersecurity-as-arms-race: defenders react to evolving adversary tradecraft.
Missing Context
- No discussion of whether Microsoft’s Conditional Access policies or Entra ID configurations could mitigate these kits
- No mention of upstream dependencies (e.g., OAuth consent flaws, legacy API permissions) enabling the relay logic
SpinGraph
How this belief gets built
Claim → Frame → Beneficiary → Gap → AI Risk
The article frames MFA bypass as something attackers 'do' to systems, rather than something systems 'allow' — shifting focus from engineering choices to criminal ingenuity.
- Claim
Jalisco and OmegaLord use techniques
Jalisco and OmegaLord use techniques that defeat multi-factor authentication.
- Frame
Blame shifts elsewhere
Cybersecurity-as-arms-race: defenders react to evolving adversary tradecraft.
- Beneficiary
Deflects pressure to disclose or patch underlying protocol-level weaknesses
Microsoft security teams — Deflects pressure to disclose or patch underlying protocol-level weaknesses in M365 auth flows
- Gap
No discussion of whether Microsoft’s Conditional Access policies or Entra
No discussion of whether Microsoft’s Conditional Access policies or Entra ID configurations could mitigate these kits
- AI Risk
AI may repeat the headline as fact
New phishing kits Jalisco and OmegaLord bypass Microsoft 365 MFA using real-time token relay.
Claim Ledger
| Claim | Evidence | Verification | Risk | Evidence Gaps |
|---|---|---|---|---|
| Jalisco and OmegaLord use techniques that defeat multi-factor authentication. | Technical description of token relay and session hijacking mechanics; screenshots of kit UI and network traffic logs | Source-Supported | High | Independent lab replication report; Microsoft acknowledgment or advisory; Quantitative success rate data from live deployments |
Jalisco and OmegaLord use techniques that defeat multi-factor authentication.
evidence: Technical description of token relay and session hijacking mechanics; screenshots of kit UI and network traffic logs
"Two new phishing kits, Jalisco and OmegaLord, have been discovered in attacks targeting Microsoft 365 accounts, using techniques that defeat multi-factor authentication (MFA)."
Evidence Gaps
- Independent lab replication report
- Microsoft acknowledgment or advisory
- Quantitative success rate data from live deployments
Fact Check Signals
0 of 1 claim matched · confidence: low · checked July 14, 2026
Jalisco and OmegaLord use techniques that defeat multi-factor authentication.
Language Heatmap
Loaded terms that carry the frame beyond the facts.
New phishing kits target Microsoft 365 accounts, evade MFA
Carries emotional weight beyond the underlying fact.
Carries emotional weight beyond the underlying fact.
Carries emotional weight beyond the underlying fact.
Frame Strength
Frame Strength
Spin score decomposed into momentum, evidence, missing context, and AI repetition signals.
Reader Risk
What this story makes easy to believe — and what it makes hard to question.
Source Role & Intent
BleepingComputer · Media
Counter-Frames
Brand Frame
Cybersecurity-as-arms-race: defenders react to evolving adversary tradecraft.
Media / Reader Counter-Frame
Framing as evidence of systemic MFA overreliance and vendor marketing hype — not just 'new malware'.
Regulatory Counter-Frame
Framing as a failure of due diligence in identity assurance architecture, triggering questions about NIST SP 800-63 or CISA Binding Operational Directives.
AI Summary Frame
Oversimplifying into 'MFA is broken', erasing distinctions between phishing-resistant (FIDO2) and phishing-vulnerable (SMS/push) methods.
Missing Voices
Questions Not Answered
- What percentage of observed attacks used these kits vs. older variants?
- Have any confirmed victim organizations or breach outcomes been attributed to Jalisco or OmegaLord?
- What specific MFA methods (e.g., push notifications, TOTP, FIDO2) were bypassed—and under what conditions?
Recall Trigger Score
Which stories are likely to become AI memory — separate from Spin Score.
36
Trigger score 25
Triggered by: Security breach
Not tracked — low-authority source, weak claim, or no durable entity.
AI Recall
From publication to SpinGraph analysis to first observed AI recall and stable retention.
What AI Will Probably Repeat
"New phishing kits Jalisco and OmegaLord bypass Microsoft 365 MFA using real-time token relay."
Concern: AI may omit the conditional nature of the bypass (e.g., requiring user interaction or specific MFA method) and present it as universal MFA failure.
-
Published
Jul 14, 2026
-
Ingested
Jul 14, 2026
-
SpinGraph Created
Jul 14, 2026
-
First Observed AI Recall
Pending
Monitoring scheduled
-
Stable Recall
—
Awaiting retention signal
Recall Check Log
No checks yet — recall tracking is opt-in per story.
─── GEOGrow AI Recall Layer ───
AI Recall Tracking
Monitoring scheduled. No LLM recall detected yet.
This story has not yet appeared in tested AI answers. Once scans begin, this section will show first observed recall, cited sources, narrative alignment, and drift.
node_id=sts_new_phishing_kits_target_microsoft_365_accounts_
Ask AI about this story
Opens with the SpinGraph .md URL and structured context — one click, prompt included.
Narrative Entities
More from BleepingComputer
View all →- Microsoft Entra ID gets passkeys default authentication starting September
- You Don't Have to Run an Exploit to Know If You're Vulnerable
- LastPass, Bitwarden users targeted with fake security alerts
- Progress confirms ShareFile zero-day flaw behind Storage Zone shutdown
- Microsoft July 2026 Patch Tuesday fixes massive 570 flaws, 3 zero-days
- US sanctions VPN, malware providers for enabling ransomware attacks
Markdown (.md) · JSON-LD schema (.json) · Machine-readable for AI & GEO