Threat Spotlight: The Jalisco Toolkit and AI-Powered Phishing Surge
In 2026, phishing attacks have increased due to AI-powered phishing-as-a-service toolkits that bypass multi-factor authentication (MFA) and harvest OAuth tokens. Notable tools include Jalisco, which provisions fresh OAuth codes in real time to evade time-based controls, and OmegaLord, which captures phone numbers and passwords to intercept MFA. These tools are part of a larger ecosystem leveraging legitimate cloud platforms to avoid detection. Attackers use these methods to establish persistent access to victim Entra ID tenants, surviving password resets and extending opportunities for data theft and extortion.
AI Analysis
Technical Summary
This threat involves AI-enhanced phishing toolkits such as Jalisco and OmegaLord that enable attackers to bypass MFA and harvest OAuth tokens at scale. Jalisco provisions fresh OAuth device codes in real time, defeating time-based security controls, while OmegaLord harvests credentials including phone numbers to intercept MFA challenges. These toolkits are components of a broader phishing-as-a-service ecosystem that leverages legitimate cloud platforms to evade detection. Post-compromise, attackers maintain persistence by enrolling multiple devices in victim Entra ID tenants, allowing access that survives password resets and facilitates prolonged data exfiltration and extortion campaigns.
Potential Impact
The threat enables attackers to bypass multi-factor authentication and harvest OAuth tokens, compromising account security in Microsoft 365 and related cloud environments. Persistence mechanisms allow attackers to maintain access even after password resets, increasing the risk of extended data exfiltration and potential extortion. The use of legitimate cloud platforms for phishing operations complicates detection and response efforts.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Organizations should monitor for indicators of compromise such as suspicious OAuth token activity and device enrollments in Entra ID tenants. Implementing conditional access policies and continuous monitoring of authentication events may help detect and mitigate these attacks. Since this is a phishing-as-a-service threat leveraging cloud platforms, user education on phishing risks and verification of authentication requests remain important. No official fix or patch is currently indicated.
Indicators of Compromise
- domain: authplanned.online
- domain: levaquin2us.top
- domain: sessionopen0.site
- hash: 9f8a2983fbf5479e8d8c267e0df4e73d
- url: https://file.kiwi/7ab7c290#z_n5Qh8kwioCUs8jQ6WWhw
- domain: grantfundingapplications.com
- domain: secure-folder-9f8a2983fbf5479e8d8c267e0df4e73d.3vvcompany.com
Threat Spotlight: The Jalisco Toolkit and AI-Powered Phishing Surge
Description
In 2026, phishing attacks have increased due to AI-powered phishing-as-a-service toolkits that bypass multi-factor authentication (MFA) and harvest OAuth tokens. Notable tools include Jalisco, which provisions fresh OAuth codes in real time to evade time-based controls, and OmegaLord, which captures phone numbers and passwords to intercept MFA. These tools are part of a larger ecosystem leveraging legitimate cloud platforms to avoid detection. Attackers use these methods to establish persistent access to victim Entra ID tenants, surviving password resets and extending opportunities for data theft and extortion.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This threat involves AI-enhanced phishing toolkits such as Jalisco and OmegaLord that enable attackers to bypass MFA and harvest OAuth tokens at scale. Jalisco provisions fresh OAuth device codes in real time, defeating time-based security controls, while OmegaLord harvests credentials including phone numbers to intercept MFA challenges. These toolkits are components of a broader phishing-as-a-service ecosystem that leverages legitimate cloud platforms to evade detection. Post-compromise, attackers maintain persistence by enrolling multiple devices in victim Entra ID tenants, allowing access that survives password resets and facilitates prolonged data exfiltration and extortion campaigns.
Potential Impact
The threat enables attackers to bypass multi-factor authentication and harvest OAuth tokens, compromising account security in Microsoft 365 and related cloud environments. Persistence mechanisms allow attackers to maintain access even after password resets, increasing the risk of extended data exfiltration and potential extortion. The use of legitimate cloud platforms for phishing operations complicates detection and response efforts.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Organizations should monitor for indicators of compromise such as suspicious OAuth token activity and device enrollments in Entra ID tenants. Implementing conditional access policies and continuous monitoring of authentication events may help detect and mitigate these attacks. Since this is a phishing-as-a-service threat leveraging cloud platforms, user education on phishing risks and verification of authentication requests remain important. No official fix or patch is currently indicated.
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://reliaquest.com/blog/threat-spotlight-jalisco-toolkit-and-ai-powered-phishing-surge"]
- Adversary
- null
- Pulse Id
- 6a56e4f5789e1bf3de8e82be
- Threat Score
- null
Indicators of Compromise
Domain
| Value | Description | Copy |
|---|---|---|
domainauthplanned.online | — | |
domainlevaquin2us.top | — | |
domainsessionopen0.site | — | |
domaingrantfundingapplications.com | — | |
domainsecure-folder-9f8a2983fbf5479e8d8c267e0df4e73d.3vvcompany.com | — |
Hash
| Value | Description | Copy |
|---|---|---|
hash9f8a2983fbf5479e8d8c267e0df4e73d | — |
Url
| Value | Description | Copy |
|---|---|---|
urlhttps://file.kiwi/7ab7c290#z_n5Qh8kwioCUs8jQ6WWhw | — |
Threat ID: 6a5796db68715ace43de0cde
Added to database: 07/15/2026, 14:19:07 UTC
Last enriched: 07/15/2026, 14:35:53 UTC
Last updated: 07/15/2026, 16:00:47 UTC
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.