Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

Threat Spotlight: The Jalisco Toolkit and AI-Powered Phishing Surge

0
Medium
Published: 07/15/2026 (07/15/2026, 01:40:05 UTC)
Source: AlienVault OTX General

Description

In 2026, phishing attacks have increased due to AI-powered phishing-as-a-service toolkits that bypass multi-factor authentication (MFA) and harvest OAuth tokens. Notable tools include Jalisco, which provisions fresh OAuth codes in real time to evade time-based controls, and OmegaLord, which captures phone numbers and passwords to intercept MFA. These tools are part of a larger ecosystem leveraging legitimate cloud platforms to avoid detection. Attackers use these methods to establish persistent access to victim Entra ID tenants, surviving password resets and extending opportunities for data theft and extortion.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/15/2026, 14:35:53 UTC

Technical Analysis

This threat involves AI-enhanced phishing toolkits such as Jalisco and OmegaLord that enable attackers to bypass MFA and harvest OAuth tokens at scale. Jalisco provisions fresh OAuth device codes in real time, defeating time-based security controls, while OmegaLord harvests credentials including phone numbers to intercept MFA challenges. These toolkits are components of a broader phishing-as-a-service ecosystem that leverages legitimate cloud platforms to evade detection. Post-compromise, attackers maintain persistence by enrolling multiple devices in victim Entra ID tenants, allowing access that survives password resets and facilitates prolonged data exfiltration and extortion campaigns.

Potential Impact

The threat enables attackers to bypass multi-factor authentication and harvest OAuth tokens, compromising account security in Microsoft 365 and related cloud environments. Persistence mechanisms allow attackers to maintain access even after password resets, increasing the risk of extended data exfiltration and potential extortion. The use of legitimate cloud platforms for phishing operations complicates detection and response efforts.

Mitigation Recommendations

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Organizations should monitor for indicators of compromise such as suspicious OAuth token activity and device enrollments in Entra ID tenants. Implementing conditional access policies and continuous monitoring of authentication events may help detect and mitigate these attacks. Since this is a phishing-as-a-service threat leveraging cloud platforms, user education on phishing risks and verification of authentication requests remain important. No official fix or patch is currently indicated.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Author
AlienVault
Tlp
white
References
["https://reliaquest.com/blog/threat-spotlight-jalisco-toolkit-and-ai-powered-phishing-surge"]
Adversary
null
Pulse Id
6a56e4f5789e1bf3de8e82be
Threat Score
null

Indicators of Compromise

Domain

ValueDescriptionCopy
domainauthplanned.online
domainlevaquin2us.top
domainsessionopen0.site
domaingrantfundingapplications.com
domainsecure-folder-9f8a2983fbf5479e8d8c267e0df4e73d.3vvcompany.com

Hash

ValueDescriptionCopy
hash9f8a2983fbf5479e8d8c267e0df4e73d

Url

ValueDescriptionCopy
urlhttps://file.kiwi/7ab7c290#z_n5Qh8kwioCUs8jQ6WWhw

Threat ID: 6a5796db68715ace43de0cde

Added to database: 07/15/2026, 14:19:07 UTC

Last enriched: 07/15/2026, 14:35:53 UTC

Last updated: 07/15/2026, 16:00:47 UTC

Views: 5

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

External Links

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses