Skip to Content

The Jalisco Toolkit and AI-Powered Phishing Surge

ReliaQuest Threat Research Team

This is external threat intelligence from the ReliaQuest Threat Research team. The findings describe threats, vulnerabilities, and attacker activity affecting third parties and the broader threat landscape—not ReliaQuest's own environment. Nothing in this report should be interpreted as a vulnerability in ReliaQuest's systems or data.

Editor’s Note: This report was authored by John Dilgen and Jalen Vaughn

Key Points

  • Phishing has surged in 2026 as AI-powered phishing-as-a-service (PhaaS) kits enable attackers to bypass MFA and harvest OAuth tokens at scale—making attacks faster, harder to detect, and accessible to attackers of any skill level.

  • ReliaQuest identified two phishing tools used in the wild: "Jalisco," a device code phishing toolkit that provisions fresh OAuth codes in real time to defeat time-based security controls, and "OmegaLord," a credential harvester that captures phone numbers alongside passwords to intercept MFA. Both signal that attackers are actively engineering new tools to defeat MFA and existing defensive controls.

  • Disable device code authentication in Microsoft Entra ID via a Conditional Access policy that blocks all users and cloud apps, limiting exceptions to formally documented accounts with a confirmed operational need.


ReliaQuest recently identified two phishing toolkits, “Jalisco” and “OmegaLord”named in their own command-and-control (C2) panels—while investigating phishing campaigns targeting Microsoft 365 environments. Their discovery reflects a broader shift: An expanding ecosystem of purpose-built tools and AI-powered phishing-as-a-service (PhaaS) kits is lowering the barrier to sophisticated phishing campaigns that bypass MFA, putting techniques that once required significant skill within reach of threat actors of any level.

Jalisco is a device code phishing toolkit that provisions fresh OAuth codes in real time, defeating the time-based controls defenders rely on and pairing naturally with AI-powered kits like “EvilTokens.” OmegaLord, by contrast, is a JavaScript-based credential harvester that impersonates a PDF reader and collects phone numbers alongside credentials—a deliberate step toward intercepting or hijacking MFA.

Neither tool exists in isolation. Device code phishing tricks users into authenticating on behalf of an attacker, bypassing MFA without exposing credentials, and has surged in 2026—driven by AI-powered PhaaS kits that let any attacker impersonate any brand with minimal skill. Once inside a compromised Microsoft 365 account, attackers establish persistence by pairing multiple attacker-controlled devices to the victim's Entra ID tenant, then move quickly to exfiltrate sensitive data from software-as-a-service (SaaS) platforms for extortion.

Read on to learn:

  • How ReliaQuest's identification of the Jalisco toolkit reveals a new evolution in device code phishing that defeats time-based security controls.

  • How attackers exploit device enrollment to establish persistence that survives password resets, dramatically increasing the remediation burden for defenders.

  • How AI-powered PhaaS kits and legitimate cloud-hosting platforms are converging to give threat actors the tools to launch sophisticated phishing campaigns that evade traditional security controls.

New Tools and Tactics Are Reshaping Device Code Phishing

An expanding library of purpose-built tools is lowering the barrier for any attacker to run advanced phishing campaigns at scale. ReliaQuest's identification of Jalisco and OmegaLord illustrates this directly. Alongside AI-powered PhaaS kits like EvilTokens, these tools represent a maturing ecosystem where sophisticated phishing capabilities—including device code phishing—are increasingly accessible to threat actors of any skill level.

Jalisco Toolkit Provisions Real-Time OAuth Codes to Defeat TTL Controls

Jalisco is a device code phishing toolkit that provisions fresh OAuth codes in real time via a backend API and manages captured sessions through a web portal. Its use of lure-generation—a recent evolution that bypasses the 15-minute time-to-live (TTL) on device codes—neutralizes one of the core security assumptions defenders rely on to limit device code phishing. Its presence in the wild signals that lure-generation is highly likely to become a standard feature across a wider range of phishing kits.

Device code phishing tricks targets into entering attacker-generated OAuth device codes into Microsoft's legitimate login portal, where they authenticate normally and satisfy MFA. In the background, the attacker's tool silently collects the resulting access and refresh tokens from Microsoft's token endpoint, granting persistent account access without ever possessing the target's credentials. Because credentials are never exposed, traditional controls such as password resets and credential monitoring provide no relief, leaving defenders without the indicators they rely on to detect or contain account compromise.

Figure 1: The legitimate Microsoft login window opened by a device code phishing site

Device code phishing kits generally use one of two code-generation methods:

  1. Standard session-poll—the older method, where a device code is baked into the phishing page when it loads.

  2. Lure-generation—a recent evolution, where the code doesn't exist when the page loads; instead, the kit calls a backend API to provision a fresh code for that specific session.

Lure-generation bypasses the TTL security measure that keeps codes active for only 15 minutes before they need to be refreshed, making it significantly more effective at gaining access to a user's account than standard session-poll.

Jalisco uses lure-generation to deliver a code in real time as the user hits the phishing page, acting as a middleman between Microsoft 365 and the webpage. It also lets threat actors log in via a web portal, likely to manage captured sessions and access compromised accounts. The phishing pages display a lure, such as a fake PDF, alongside the attacker's device code and a legitimate Microsoft 365 login page—often in a separate pop-up—to prompt the target to complete the authentication flow.

Together, these capabilities give Jalisco a clear operational advantage: the real-time API removes the fixed-code limitation defenses rely on, while the web portal lets the attacker manage multiple active sessions at once, increasing the scale and efficiency of each campaign.

Lure-generation isn't unique to Jalisco, but its presence indicates the toolkit was likely developed or updated recently, placing it at the leading edge of current device code phishing tools. More broadly, Jalisco's design reflects a clear direction of travel: As these techniques prove effective, they attract further investment from threat actors. Lure-generation is highly likely to become a standard feature across a wider range of phishing kits, driving further development of tools like Jalisco.

Device Enrollment as a Post-Compromise Persistence Mechanism

Device code phishing creates a persistence challenge that traditional eviction doesn't solve: Because attackers harvest OAuth tokens rather than credentials, password resets don't remove their access. By enrolling their own devices to the victim's Microsoft Entra ID tenant, attackers obtain a Primary Refresh Token (PRT) that automatically renews while the device remains active, meaning access persists even after passwords are rotated and live sessions terminated.

ReliaQuest has recently observed threat actors enrolling more than five devices to a single compromised account—up from the typical one or two—often using legitimate-looking names such as "microsoft-*" and "WINDOWS-*" to blend in. This multiplies the eviction workload and extends the window for exfiltration.

Threat actors use compromised accounts to access sensitive data, such as customer or employee personally identifiable information (PII), financial records, and internal communications stored in SharePoint and other SaaS platforms. Exfiltration typically occurs quickly, in as little as six minutes, before defenders have identified the breach. The data is then used as leverage in extortion demands, threatening public release unless a ransom is paid. Because defenders must identify and remove every enrolled attacker device before the account is fully remediated, multi-device enrollment extends this window of exposure and increases the risk of successful exfiltration.

The AI-Powered PhaaS Ecosystem Enabling These Attacks

Jalisco is just one part of a broader evolution in the phishing underground. A growing ecosystem of AI-powered PhaaS kits, including EvilTokens and "Kali365," is enabling threat actors of any skill level to launch device code phishing campaigns at scale. These kits now use AI to mirror the branding of any target organization from a single URL, and host their infrastructure on legitimate developer cloud platforms such as workers[.]dev and edgeone[.]app—a combination that bypasses email gateway controls and evades signature-based detection.

We've observed a wide range of phishing kits across recent incidents, including EvilTokens, "Tycoon2fa," "Venom," and Kali365. These kits rely heavily on workers[.]dev to host phishing pages. workers[.]dev is a legitimate service that lets users deploy subdomains instantly to test and share serverless code—useful for developers and threat actors alike. The phishing pages often use multiple subdomains that combine random characters with familiar words to establish legitimacy, such as the target's name and tools like SharePoint ("sharepoint-upload-ybwd[.]<redactedusername>[.]workers[.]dev"). Because workers[.]dev has legitimate uses, phishing pages hosted there are likely to evade signature-based security tools, raising the odds that attackers will successfully phish users.

PhaaS kits are tools sold on the dark web that let threat actors quickly build phishing infrastructure, impersonate brands, and scale campaigns en masse. AI integration in these kits isn't new, but kits like EvilTokens and "Darcula" reflect a growing sophistication in its application. From a single target URL, the AI mirrors the brand's images, logos, and layout onto the phishing site, producing a page convincing enough to trick users into handing over account access.

The growing availability of these kits on the dark web has raised the baseline threat organizations face, coinciding with a 1,380% increase in phishing activity between late 2025 and early 2026.

OmegaLord: Traditional Phishing Evolves to Beat MFA

While device code phishing is the primary focus of this report, ReliaQuest's identification of OmegaLord illustrates a parallel evolution: Even outside device code phishing, threat actors are actively developing tools designed to bypass or defeat MFA. OmegaLord is a newly discovered JavaScript-based credential harvester that goes beyond standard tools by deliberately collecting phone numbers alongside credentials, likely to intercept or hijack MFA—a signal that even traditional credential-theft phishing is being engineered around modern authentication defenses.

OmegaLord displays a fake PDF reader login page that prompts the user for their email address, password, and phone number. Collecting phone numbers is unusual for credential harvesters and is likely intended to help the attacker intercept or hijack MFA requests during authentication.

Figure 2: The OmegaLord infostealer pop-up

The explicit targeting of phone numbers is another example—alongside device code phishing—of how threat actors are directly engineering around MFA as a control. For security teams, this signals that phone-based MFA methods such as SMS codes no longer provide the defensive strength they once did.

Step Up Your Defenses Against Device Code Phishing

ReliaQuest’s Approach

AI-powered PhaaS kits are driving a surge in alert volume for security teams, letting threat actors generate and launch phishing campaigns at a scale no manual triage workflow can match. The flood of device code phishing lures, brand-impersonation pages, and malicious OAuth flows hitting organizations today is highly likely to be the result of tools designed to automate what once required skill and time. Manual triage can't keep pace with automated phishing generation; automated detection and response are required to match attacker throughput. ReliaQuest GreyMatter provides several capabilities directly relevant to the tactics, techniques, and procedures (TTPs) observed in this activity:

GreyMatter Phishing Analyzer: Automatically triages suspicious emails and URLs to identify device code phishing lures, including those hosted on legitimate developer platforms like workers[.]dev. By analyzing link behavior, domain patterns, and page and email content, it detects phishing attempts that evade signature-based gateway controls—and the brand-impersonation techniques used by AI-powered PhaaS kits like EvilTokens and Kali365—before they reach user inboxes.

GreyMatter Agentic AI: Device code phishing relies on speed and stealth, such as provisioning codes in real time, waiting for targets to authenticate, harvesting the tokens, and enrolling attacker-controlled devices before defenders can triage the first alert. GreyMatter's agentic AI connects these events across identity, email, and network telemetry rather than treating them as isolated signals, correlating anomalous token issuance, new device enrollments, and unusual SharePoint access into a single, prioritized investigation to contain threats at machine speed.

ReliaQuest Detection Rules: ReliaQuest detection content is continuously updated using the latest relevant threat intelligence and maps to specific stages of this activity.

GreyMatter Automated Response Playbooks turn detection into immediate action. Once suspicious OAuth activity is identified, prebuilt playbooks can revoke active sessions, delete registered devices, or disable the affected account—all within minutes and across your existing security stack.

Pairing our detection rules with the following Automated Response Playbooks helps your organization cut mean time to contain (MTTC) threats from hours to five minutes or less:

  • Terminate Active Session: Revokes all active Microsoft 365 sessions and session cookies tied to the compromised account, cutting off the attacker's current access. In device code phishing campaigns, where the attacker never possesses the target's password, session termination is the critical first step in eviction.

  • Delete Device: Removes attacker-enrolled devices from the victim's Microsoft Entra ID tenant, closing the persistent access channel that survives password resets and session terminations.

  • Disable User: Suspends the compromised account entirely. This is important when multiple attacker-controlled devices have been enrolled to the Entra ID tenant, to prevent token renewal and block re-entry through any registered device.

For faster remediation, consider configuring these Playbooks to “RQ Approved” to automate containment across your existing tools.

Your Action Plan

Based on the activity observed, implement these steps to reduce exposure to this type of intrusion.

  • Disable the device code authentication flow at the identity provider: In Microsoft Entra ID, configure a Conditional Access policy that blocks the device code flow under Conditions > Authentication Flows, scoped to All Users and All Cloud Apps. Exclude only a small, formally documented set of users or service accounts with a demonstrated operational requirement, and scope exceptions to specific application registrations rather than broad user groups. In Okta, restrict the OAuth Device Authorization grant at the authorization-server-policy level and require formal approval before enabling it for any application. The device code flow has few legitimate use cases for most users in most environments, so blocking it by default removes the authentication path these campaigns depend on.

  • Audit existing application registrations and remove unnecessary grants: Review all application registrations in Entra ID and Okta and disable the device authorization grant wherever it isn't actively required. Many organizations accumulate application registrations over time without revisiting their granted flows, leaving the device code path open across applications that have no need for it. Treat any registration with the device authorization grant enabled as a potential entry point until its business requirement is confirmed and documented.

  • Reduce the default device registration limit and restrict who can register devices: By default, Entra ID permits users to register up to 50 personal devices; reduce this to one or two to limit the foothold attackers can establish after compromising an account. In Entra ID Device Settings, change "Users may register devices" from "All" to a dedicated, scoped group such as IT-Approved-Device-Registrars.

Key Takeaways and What’s Next

This report clarifies a landscape shift that has been building throughout 2026. That is, attackers are targeting the authentication process itself. Jalisco and EvilTokens represent the leading edge of a wider move toward OAuth exploitation, where the victim completes authentication on behalf of the attacker and the resulting tokens grant persistent access that survives password resets and session revocations. Combined with AI-powered PhaaS kits fueling a surge in phishing activity, the speed, scale, and evasion of these campaigns have outpaced defenses built around credential-theft detection and email gateway filtering.

The infrastructure reinforces this. Legitimate developer platforms like workers[.]dev and edgeone[.]app are being routinely abused for phishing hosting, exploiting the same trusted tools organizations use to get past defenses. And once access is established, attackers deepen their foothold by enrolling multiple attacker-controlled devices to victims' Entra ID tenants, creating a remediation burden manual effort alone can't meet.

Looking ahead, ReliaQuest assesses with high confidence that device code phishing will continue to displace credential harvesting as the primary phishing technique through the remainder of 2026. The operational advantages for threat actors are real: Tokens don't need credentials to rotate, MFA is completed by the target, and access renews automatically while attacker-enrolled devices remain active. Jalisco's lure-generation is already a signal of tooling maturity, and further refinement and wider distribution through PhaaS markets are likely in the next 6–12 months as the technique continues to prove effective.

IOCs

Indicators reflect observed malicious activity. Some may be legitimate services, or third-party sites compromised or abused by threat actors without the owner's knowledge.

Artifact

Details

authplanned[.]online

Jalisco Device Code Kit Domain

grantfundingapplications[.]com

Jalisco Device Code Kit Domain

sessionopen0[.]site

Jalisco Device Code Kit Domain

levaquin2us[.]top

Jalisco Device Code Kit Domain

hxxps://WINGBOARD[.]b-cdn[.]net/PROOF%20OF%20PAYMENT%2022TH[.]html

OmegaLord URL

hxxps://file[.]kiwi/7ab7c290#z_n5Qh8kwioCUs8jQ6WWhw

OmegaLord URL

nuclear-rose-7ci1cmml-dpoaxo1bhyxi[.]edgeone[.]app

Phishing Domain

pebr-gl6z-0vzu-434xz[.]b-cdn[.]net

Phishing Domain

secure-folder-9f8a2983fbf5479e8d8c267e0df4e73d[.]3vvcompany[.]com

Phishing Domain

116ec3a1ad128d7d[.]darkwebf[.]workers[.]dev

Phishing Domain

Learn How GreyMatter Can Improve Your DIR Process

GreyMatter enables you to get visibility across your entire attack surface, reduce complexity of your security operations, and efficiently manage risk across the business.