Phishing Toolkits Harvest Entra Tokens in Real Time
Identity & Access Management
,
Security Operations
Jalisco Device Code Phishing Tool Use Also Tied to EvilTokens and Kali365 Customers

A new generation of phishing toolkits promise fraudsters an easier path to skirting multifactor authentication and roping in more victims through the promise of automation.
See Also: How to Defend Against AI-Powered Identity Fraud
Researchers warn that new platforms such as Jalisco and OmegaLord are part of a surge in phishing campaigns over the past year. Kali365, a platform that first appeared in April, has similarly triggered warnings for features that include artificial intelligence-generated phishing lures, automated campaign templates and token capture capabilities.
Another offering is EvilTokens, which debuted around February and is being widely used for adversary-in-the-middle as well as business email compromise attacks.,
The platforms are not necessarily competitors – users may be using the platforms in complementary ways. “We have evidence suggesting that Jalisco is highly likely communicating with phishing sites created by both EvilTokens and Kali365,” cybersecurity firm ReliaQuest told ISMG.
Jalisco is designed to simplify the process of stealing device authentication codes through a legitimate Microsoft Entra feature designed to enable users to register devices that have restricted interfaces, such as printers and smart TVs. Users receive a short code they can use to authenticate the device, in their browser, after which it enjoys persistent network access, ReliaQuest found in a Tuesday report.
OmegaLord is a credential stealer unusually designed to harvest usernames and passwords and also phone numbers, likely to help intercept multifactor authentication one-time codes, the report says.
Researchers at ReliaQuest told ISMG that when probing recent Microsoft 365 phishing campaigns, they gained access to the control panels for both offerings and found the services had amassed a number of victims, “largely users based in the United States across a wide range of sectors and job roles.”
An uptick in phishing attacks triggered a May alert from the FBI warning over the Kali365 platform, which targets the Microsoft device code authentication flow as well as OAuth 2.0 authentication flows to gain persistent access to a victim’s environment. Short for “open authentication,” OAuth is designed to allow an app or service to sign into another without having to divulge private information, such as passwords.
Kali365 is also available under the names Octopi365 and Freedom365, “likely stemming from rebranding, kit theft or other operator activities,” says a June report from cybersecurity firm Huntress.
“Device code phishing is having a bit of a moment right now,” the firm said.
Typically once a target hits the phishing page, an attack script executes and uses the legitimate authentication flow process to request a device code, which it copies to the user’s clipboard. The script sends the target to a legitimate Microsoft authentication page, routing their traffic through an attacker-controlled server and keeps watch. When the target authenticates, the script alerts the attacker, who now possesses a working OAuth token.
Requesting a device code only once a target lands on the phishing page is a key feature of the attack, since the code expires after 15 minutes unless the user first authenticates.
Microsoft has found that attackers within minutes may generate a primary refresh token, a single sign-on feature giving them “long-term persistence.” In other cases, likely to stay under the radar, they appear to have “waited several hours before creating malicious inbox rules or exfiltrating sensitive email data.”
Microsoft said the latest device code phishing lures are sophisticated, often involving a malicious attachment or link to a website that attempts to pressure them into taking action. On the back end, targets often get redirected through multiple layers – including not just legitimate sites but also “Vercel (*.vercel.app), Cloudflare Workers (*.workers.dev) and AWS Lambda domains” before landing on the actual phishing page, it said.
Defensive Advice
Device code phishing poses multiple challenges for defenders, not least if an attack succeeds. “Because credentials are never exposed, traditional controls such as password resets and credential monitoring provide no relief, leaving defenders without the indicators they rely on to detect or contain account compromise,” ReliaQuest said.
Because of such risks, Microsoft labels device codes a “high-risk authentication method” and recommends organizations use conditional access policies in Entra to “allow device code flow only where necessary.” In all other cases, it recommends blocking device code authentication flows.
The Cloud Security Alliance said Entra-using organizations must factor device code defenses into their phishing defenses and zero trust posture.
“Organizations should prioritize phishing-resistant factor adoption for high-risk populations – executives, system administrators and anyone who owns or oversees AI agent deployments – and configure Conditional Access policies in Entra, Okta and Google Workspace to require phishing-resistant authentication for privileged and high-value contexts,” the CSA recommended in a May security advisory.