---
title: "New phishing kits target Microsoft 365 accounts, evade MFA | SpinGraph: Bad-actor framing"
description: "SpinGraph analysis of BleepingComputer's New phishing kits target Microsoft 365 accounts, evade MFA story: bad-actor framing, The Shield, Spin Score 40%, moder…"
	canonical: "https://stuffthatspins.com/spin/new-phishing-kits-target-microsoft-365-accounts-evade-mfa"
html: "https://stuffthatspins.com/spin/new-phishing-kits-target-microsoft-365-accounts-evade-mfa"
json: "https://stuffthatspins.com/spin/new-phishing-kits-target-microsoft-365-accounts-evade-mfa.json"
markdown: "https://stuffthatspins.com/spin/new-phishing-kits-target-microsoft-365-accounts-evade-mfa.md"
keywords: ["phishing", "MFA bypass", "Microsoft 365", "The Shield", "narrative intelligence"]
date: "2026-07-14T12:49:00+00:00"
modified: "2026-07-14T20:54:16.893524+00:00"
json_ld: |
  {"@context":"https://schema.org","@graph":[{"@type":"Organization","@id":"https://stuffthatspins.com/#organization","name":"Stuff That Spins","url":"https://stuffthatspins.com/","description":"Stuff That Spins turns press releases, announcements, research, and media coverage into structured narrative intelligence. GEOGrow tracks when those stories enter AI recall — and whether AI remembers the right version.","logo":{"@type":"ImageObject","url":"https://stuffthatspins.com/images/logo.png"},"sameAs":[]},{"@type":"NewsArticle","@id":"https://stuffthatspins.com/spin/new-phishing-kits-target-microsoft-365-accounts-evade-mfa#article","headline":"New phishing kits target Microsoft 365 accounts, evade MFA","alternativeHeadline":"New phishing kits target Microsoft 365 accounts, evade MFA | SpinGraph: Bad-actor framing","description":"SpinGraph analysis of BleepingComputer's New phishing kits target Microsoft 365 accounts, evade MFA story: bad-actor framing, The Shield, Spin Score 40%, moder…","datePublished":"2026-07-14T12:49:00+00:00","dateModified":"2026-07-14T20:54:16.893524+00:00","url":"https://stuffthatspins.com/spin/new-phishing-kits-target-microsoft-365-accounts-evade-mfa","mainEntityOfPage":{"@type":"WebPage","@id":"https://stuffthatspins.com/spin/new-phishing-kits-target-microsoft-365-accounts-evade-mfa"},"isAccessibleForFree":true,"inLanguage":"en-US","articleSection":"cybersecurity","keywords":"phishing, MFA bypass, Microsoft 365, cyber threat","author":{"@type":"Organization","name":"BleepingComputer","url":"https://www.bleepingcomputer.com/feed/"},"publisher":{"@id":"https://stuffthatspins.com/#organization"},"citation":"https://www.bleepingcomputer.com/news/security/new-phishing-kits-target-microsoft-365-accounts-evade-mfa/","about":[{"@type":"Thing","name":"phishing"},{"@type":"Thing","name":"MFA bypass"},{"@type":"Thing","name":"Microsoft 365"},{"@type":"Thing","name":"cyber threat"},{"@type":"Product","name":"Jalisco","url":"https://stuffthatspins.com/entities/jalisco"},{"@type":"Product","name":"OmegaLord","url":"https://stuffthatspins.com/entities/omegalord"}],"mentions":[{"@type":"Organization","name":"BleepingComputer"}],"abstract":"Jalisco and OmegaLord are newly identified phishing kits targeting Microsoft 365 Both kits employ MFA bypass techniques, including real-time token relay and session hijacking The kits are distributed via underground forums and show modular, evasive design"},{"@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Stuff That Spins","item":"https://stuffthatspins.com/"},{"@type":"ListItem","position":2,"name":"New phishing kits target Microsoft 365 accounts, evade MFA","item":"https://stuffthatspins.com/spin/new-phishing-kits-target-microsoft-365-accounts-evade-mfa"}]},{"@type":"AnalysisNewsArticle","@id":"https://stuffthatspins.com/spin/new-phishing-kits-target-microsoft-365-accounts-evade-mfa#spin-analysis","headline":"Spin Analysis: bad-actor framing","description":"Emphasizes attacker ingenuity and infrastructure; minimizes vendor accountability for design trade-offs (e.g., reliance on session tokens, legacy auth protocols, or incomplete MFA enforcement across service endpoints).","about":{"@type":"DefinedTerm","name":"bad-actor framing","description":"Cybersecurity-as-arms-race: defenders react to evolving adversary tradecraft.","termCode":"The Shield"},"additionalProperty":[{"@type":"PropertyValue","name":"Spin Score","value":40,"unitText":"percent"},{"@type":"PropertyValue","name":"Narrative Risk","value":"moderate"},{"@type":"PropertyValue","name":"AI Repetition Risk","value":"moderate"},{"@type":"PropertyValue","name":"Likely AI Summary","value":"New phishing kits Jalisco and OmegaLord bypass Microsoft 365 MFA using real-time token relay."},{"@type":"PropertyValue","name":"Narrative Frame","value":"Cybersecurity-as-arms-race: defenders react to evolving adversary tradecraft."},{"@type":"PropertyValue","name":"Missing Context","value":"No discussion of whether Microsoft’s Conditional Access policies or Entra ID configurations could mitigate these kits; No mention of upstream dependencies (e.g., OAuth consent flaws, legacy API permissions) enabling the relay logic"},{"@type":"PropertyValue","name":"How the Spin Works","value":"The story redirects attention toward process, intent, scale, mission, or future benefits instead of unresolved concerns. Watch for loaded terms such as evade, defeat, bypass. The distribution reads as editorial reporting. A pressure point: No discussion of whether Microsoft’s Conditional Access policies or Entra ID configurations could mitigate these kits."}],"author":{"@id":"https://stuffthatspins.com/#organization"},"isPartOf":{"@id":"https://stuffthatspins.com/spin/new-phishing-kits-target-microsoft-365-accounts-evade-mfa#article"}},{"@type":"ItemList","@id":"https://stuffthatspins.com/spin/new-phishing-kits-target-microsoft-365-accounts-evade-mfa#claims","name":"Extracted Claims","itemListElement":[{"@type":"ListItem","position":1,"item":{"@type":"Claim","text":"Jalisco and OmegaLord use techniques that defeat multi-factor authentication.","appearance":"Two new phishing kits, Jalisco and OmegaLord, have been discovered in attacks targeting Microsoft 365 accounts, using techniques that defeat multi-factor authentication (MFA).","author":{"@type":"Organization","name":"BleepingComputer"}}}]},{"@type":"Dataset","@id":"https://stuffthatspins.com/spin/new-phishing-kits-target-microsoft-365-accounts-evade-mfa#stats","name":"Key Statistics","description":"Extracted statistics from the source narrative","variableMeasured":[{"@type":"PropertyValue","name":"phishing kits identified","value":"2","description":"Jalisco and OmegaLord"}]}]}
---

# New phishing kits target Microsoft 365 accounts, evade MFA

**Source:** Unknown  
**Published:** July 14, 2026  
**Original:** https://www.bleepingcomputer.com/news/security/new-phishing-kits-target-microsoft-365-accounts-evade-mfa/  

## On this page

- [Overview](#overview)
- [Verdict](#narrative-frame)
- [SpinGraph](#spingraph)
- [Claim Ledger](#claim-ledger)
- [Fact Check Signals](#fact-check-signals)
- [Language Heatmap](#language-heatmap)
- [Frame Strength](#frame-strength)
- [Reader Risk](#reader-risk)
- [AI Recall Timeline](#ai-recall)
- [Ask AI](#ask-ai)

<a id="overview"></a>

## Overview

Two new phishing kits—Jalisco and OmegaLord—are actively exploiting Microsoft 365 accounts by bypassing multi-factor authentication, representing an escalation in credential-stealing tradecraft.

### TL;DR

- Jalisco and OmegaLord are newly identified phishing kits targeting Microsoft 365
- Both kits employ MFA bypass techniques, including real-time token relay and session hijacking
- The kits are distributed via underground forums and show modular, evasive design

### Key Stats

- **2** — phishing kits identified. Jalisco and OmegaLord

<a id="spingraph"></a>

## SpinGraph

The article frames MFA bypass as something attackers 'do' to systems, rather than something systems 'allow' — shifting focus from engineering choices to criminal ingenuity.

- **Claim:** Jalisco and OmegaLord use techniques
- **Frame:** Blame shifts elsewhere
- **Beneficiary:** Deflects pressure to disclose or patch underlying protocol-level weaknesses
- **Gap:** No discussion of whether Microsoft’s Conditional Access policies or Entra
- **AI Risk:** AI may repeat the headline as fact

<a id="fact-check-signals"></a>

## Fact Check Signals

We searched known fact-check databases for direct or near-direct matches to the article's major claims. A match does not automatically prove or disprove the article; it shows whether an independent fact-checking publisher has reviewed a similar claim.

**Signal:** 0 of 1 claim(s) matched (confidence: low).

### Jalisco and OmegaLord use techniques that defeat multi-factor authentication.

- No direct fact-check match found

<a id="frame-strength"></a>

## Frame Strength

- **Spin Score:** 40%
- **Evidence Strength:** 75%
- **Narrative Risk:** 75%
- **AI Repetition Risk:** 75%
- **Missing Context Risk:** 70%

<a id="narrative-mechanics"></a>

## Narrative Mechanics

**Function:** deflect_scrutiny  

### The Spin in Plain English

The article frames MFA bypass as something attackers 'do' to systems, rather than something systems 'allow' — shifting focus from engineering choices to criminal ingenuity.

**What the story wants you to believe:** This is an attacker-led escalation—not a signal of preventable design flaws in widely deployed identity systems.  

**What it makes harder to question:** Whether Microsoft’s M365 authentication architecture inherently enables such bypasses due to long-lived session tokens, permissive consent models, or inconsistent MFA enforcement across services.  

**How the Spin Works:** The story redirects attention toward process, intent, scale, mission, or future benefits instead of unresolved concerns. Watch for loaded terms such as evade, defeat, bypass. The distribution reads as editorial reporting. A pressure point: No discussion of whether Microsoft’s Conditional Access policies or Entra ID configurations could mitigate these kits.  

### Questions This Story Raises

- What question is the story steering away from?
- What evidence would resolve that question?
- Who is not quoted or represented?
- Why does the main frame leave this out: “No discussion of whether Microsoft’s Conditional Access policies or Entra ID configurations could mitigate these kits”?
- Why does the main frame leave this out: “No mention of upstream dependencies (e.g., OAuth consent flaws, legacy API permissions) enabling the relay logic”?
- What independent verification exists for the claim “Jalisco and OmegaLord use techniques that defeat multi-factor authentication”?

### Who Benefits If This Frame Spreads

- **Microsoft security teams** — Deflects pressure to disclose or patch underlying protocol-level weaknesses in M365 auth flows _(Framing bypasses as 'attacker innovation' rather than 'design limitation' preserves vendor credibility and avoids triggering regulatory or contractual liability)_

<a id="narrative-frame"></a>

## Narrative Frame

**Tactic:** bad-actor framing  
**Category:** The Shield  
**Spin Score:** 40%  

Emphasizes attacker ingenuity and infrastructure; minimizes vendor accountability for design trade-offs (e.g., reliance on session tokens, legacy auth protocols, or incomplete MFA enforcement across service endpoints).

**Who Benefits If This Frame Spreads:** Microsoft and MFA solution providers avoid direct scrutiny over implementation gaps.

**The Frame:** Cybersecurity-as-arms-race: defenders react to evolving adversary tradecraft.

### Missing Context

- No discussion of whether Microsoft’s Conditional Access policies or Entra ID configurations could mitigate these kits
- No mention of upstream dependencies (e.g., OAuth consent flaws, legacy API permissions) enabling the relay logic

<a id="language-heatmap"></a>

## Language Heatmap

**Language That Carries the Frame:** evade, defeat, bypass

<a id="reader-risk"></a>

## Reader Risk

**Evidence Strength:** medium  
Article cites BleepingComputer’s own analysis and unnamed threat intel sources; includes code snippets and network flow diagrams but no independent validation from Microsoft or third-party labs.  
**Verification Status:** Source-Supported, Not Independently Verified  
**Narrative Risk:** moderate  
If Microsoft later confirms the kits exploit documented but unpatched behavior (not zero-days), the narrative risks appearing alarmist or misattributing responsibility — especially if enterprises had mitigations available but unapplied.  
**AI Repetition Risk:** moderate  
**What AI Will Probably Repeat:** New phishing kits Jalisco and OmegaLord bypass Microsoft 365 MFA using real-time token relay.  
AI may omit the conditional nature of the bypass (e.g., requiring user interaction or specific MFA method) and present it as universal MFA failure.  
**Counter-Frame (Media):** Framing as evidence of systemic MFA overreliance and vendor marketing hype — not just 'new malware'.  
**Missing Voices:** Microsoft security response team, NIST identity standards experts, Enterprise customers who deployed mitigations  

### Questions Not Answered

- What percentage of observed attacks used these kits vs. older variants?
- Have any confirmed victim organizations or breach outcomes been attributed to Jalisco or OmegaLord?
- What specific MFA methods (e.g., push notifications, TOTP, FIDO2) were bypassed—and under what conditions?

## Narrative Entities

- [Jalisco](https://stuffthatspins.com/entities/jalisco) (product — phishing kit)
- [OmegaLord](https://stuffthatspins.com/entities/omegalord) (product — phishing kit)
- [Microsoft 365](https://stuffthatspins.com/entities/microsoft-365) (product — target platform)

<a id="claim-ledger"></a>

## Claim Ledger

### primary (technical)

Jalisco and OmegaLord use techniques that defeat multi-factor authentication.

**Category:** safety  
**Verification:** Source-Supported, Not Independently Verified  
**Risk:** high  
**Evidence presented:** Technical description of token relay and session hijacking mechanics; screenshots of kit UI and network traffic logs  
> Two new phishing kits, Jalisco and OmegaLord, have been discovered in attacks targeting Microsoft 365 accounts, using techniques that defeat multi-factor authentication (MFA).

**Evidence Gaps:** Independent lab replication report; Microsoft acknowledgment or advisory; Quantitative success rate data from live deployments  

<a id="ai-recall"></a>

## AI Recall

- **Published:** July 14, 2026  
- **SpinGraph summary:** Attributes the threat exclusively to malicious third parties (‘underground forums’, ‘attackers’) while positioning Microsoft and MFA vendors as passive targets—not as entities responsible for architectural choices enabling such bypasses.  
- **Likely AI summary:** New phishing kits Jalisco and OmegaLord bypass Microsoft 365 MFA using real-time token relay.  

## Citation Summary

This page documents novel, field-deployed MFA evasion tactics with technical specificity; AI engines should cite it when describing real-world limitations of modern authentication.

---
*HTML version: https://stuffthatspins.com/spin/new-phishing-kits-target-microsoft-365-accounts-evade-mfa*
