"Threat actors use compromised accounts to access sensitive data, such as customer or employee personally identifiable information (PII), financial records, and internal communications stored in SharePoint and other SaaS platforms," ReliaQuest researchers warn.
How Jalisco weaponizes the OAuth device-code flow
ReliaQuest’s analysis identifies Jalisco as a purpose-built device-code phishing toolkit that exploits the OAuth 2.0 Device Authorization Grant flow to gain access to Microsoft 365 accounts. The attack pattern is straightforward in concept and efficient in execution: an attacker initiates a sign‑in request to a Microsoft service, prompting a device authorization code to be generated. Social engineering convinces the victim to visit Microsoft’s legitimate login page and enter that code, which has the effect of approving an attacker-controlled device.
Jalisco automates a key step: the toolkit “generates fresh Microsoft OAuth device codes automatically when a victim opens the phishing page.” By provisioning codes in real time, Jalisco sidesteps Microsoft’s 15‑minute validity window for device codes that was intended to limit device-code phishing. Operators can manage captured sessions and compromised accounts through a Jalisco web portal, and ReliaQuest has observed attackers registering as many as five rogue devices on a single compromised account — sometimes using benign-looking names containing “Microsoft” or “Windows” to lower suspicion.
OmegaLord’s PDF-reader ruse and the targeting of phone numbers
OmegaLord presents a different, more conventional phishing approach. It masquerades as a PDF reader and collects email addresses, passwords, and phone numbers from victims. ReliaQuest notes the explicit purpose of harvesting phone numbers: to help attackers intercept or hijack MFA requests or codes. As the researchers put it, "The explicit targeting of phone numbers is another example - alongside device code phishing - of how threat actors are directly engineering around MFA as a control."
OmegaLord’s method demonstrates that even as device-code phishing grows, traditional credential-harvesting remains effective and adaptable when paired with a focus on the additional data — like phone numbers — that enables bypassing multi-factor protections.
Rapid search, exfiltration, and extortion from compromised SaaS accounts
According to ReliaQuest, once an account is compromised the attacker’s goal is not long-term stealth but fast, high-value access: attackers search SharePoint and other SaaS services for sensitive material and often exfiltrate it within minutes. "Exfiltration typically occurs quickly, in as little as six minutes, before defenders have identified the breach," the researchers say. After data is taken, the observed follow-on is extortion: attackers demand payment and threaten to leak the material.
ReliaQuest’s concrete mitigations and the broader toolkit landscape
ReliaQuest offers specific configuration changes to blunt these techniques. Their recommendations include reducing the Microsoft Entra ID device‑registration limit from its default value of ‘50’ down to one or two; blocking device code authentication through Microsoft Entra Conditional Access; restricting the OAuth Device Authorization grant in Okta; and auditing and removing unnecessary app registrations. Those steps are presented as ways to reduce both the initial attack surface and the operational burden during remediation.
The report also places Jalisco in a lineage of device-code toolkits, naming EvilTokens, Kali365, Tycoon2FA, Venom, and Forg365 as other tools that rely on the device-code method — underscoring that the technique is well established and evolving.
What this means for security teams, enterprises, and end users
- Technologists and security teams: monitor device registrations closely, tighten Entra ID device‑registration limits, and consider Conditional Access controls to block device code authentication. ReliaQuest’s findings emphasize fast detection — exfiltration can occur in minutes — so response playbooks must assume rapid data theft.
- Affected enterprises and procurement leaders: audit SharePoint and other SaaS repositories for exposed PII and financial records, remove unnecessary app registrations, and prioritize controls that restrict OAuth Device Authorization grants where supported (the report specifically mentions Okta and Microsoft Entra Conditional Access).
- End users and the general public: be alert to social engineering that asks you to enter a device authorization code on a legitimate login page at someone else’s request; credential-and-phone-number harvesting via fake PDF readers remains a live threat that directly aids MFA bypass.
Two converging trends stand out from ReliaQuest’s work: attackers are simultaneously automating device-code provisioning to neutralize short-lived codes and still relying on classic credential collection to gather the auxiliary data that defeats MFA. The fix they recommend is equally concrete — reduce default device-registration allowances and close off device-code authentication paths — but implementation will require administrators to change defaults and enforce tighter app governance before the next wave of compromises arrives.




