microsoft.com/devicelogin, which authorizes the attacker's client) A companion browser extension, ForgCookie, is compatible with Chrome, Edge, and Brave . Once the victim's session tokens or cookies are harvested, ForgCookie automatically refreshes stolen session cookies, allowing the attacker to maintain access to Microsoft 365 services (Outlook, Teams, OneDrive, SharePoint) without re-authentication — even after the victim changes their password
. This turns a one-time token grab into persistent, long-term compromise.
Disclosed by ReliaQuest and BleepingComputer on July 14, 2026, Jalisco is a device-code phishing kit actively used against Microsoft 365 accounts . It works by:
This means MFA is not "broken" — it is weaponized.
Also reported July 14, 2026, OmegaLord takes a different approach: it masquerades as a fake PDF reader browser page . When victims land on the page:
Multiple sources confirm a broader industry trend:
The critical insight across all these threats is that MFA is not technically defeated — it is co-opted:
| Technique | What Happens | Why MFA Doesn't Stop It |
|---|---|---|
| Device-code phishing | Victim enters attacker's code at Microsoft's real login page, completes their own MFA | The token goes to the attacker's app. MFA approved the right user — for the wrong client. |
| AiTM proxying | Victim logs in through attacker's proxy, MFA completes normally | Attacker captures the session cookie in real time and hijacks the session. |
| Credential + OTP harvesting | Fake login form captures password and OTP simultaneously | OTP is used immediately by the attacker before it expires. |
Based on multiple advisories, the following mitigations are strongly recommended:
devicecode authentication).offline_access, Mail.Read, or Files.ReadWrite.All permissions.These recommendations are drawn from the FBI PSA , Microsoft Security Blog
, BleepingComputer
, and ReliaQuest threat analysis
.
The 2026 wave of Microsoft 365 phishing — led by Forg365 (with its ForgCookie persistence extension), Jalisco, OmegaLord, and the broader ecosystem of device-code and AiTM kits — represents a paradigm shift. Attackers no longer need to steal passwords or break MFA. Instead, they abuse the OAuth trust model to make the victim's own authentication authorize an attacker-controlled session. The security community's consensus recommendation is a zero-trust posture: disable unused auth flows, enforce Conditional Access, monitor token grants, and move toward phishing-resistant MFA .