Threat Analysis: MFA-Bypassing Phishing Kits and AI-Accelerated Attack Infrastructure, What UK SMBs Need to Know
Hello, Mauven here.
This is your Daily Threat Analysis for 14th July 2026.
Today has two stories that belong together, because together they describe something that should concern anyone running a UK business on Microsoft 365. The first is a pair of active phishing kits that are defeating MFA. The second is a research finding that AI is now doing ninety percent of the work required to build criminal attack infrastructure. Those two developments are not unrelated. They are the direction of travel.
Jalisco and OmegaLord: When MFA Is No Longer the Answer
Two phishing kits, named Jalisco and OmegaLord, have been identified in active campaigns targeting Microsoft 365 accounts. The kits use techniques specifically designed to defeat multi-factor authentication. This is not a theoretical bypass. These are operational tools, available to criminal actors right now, being used in live attacks.
The techniques involved fall into two categories. The first is adversary-in-the-middle, where the phishing kit sits between the target and the legitimate Microsoft login page, proxying the authentication in real time. The target sees a convincing Microsoft login page, enters their credentials, receives and approves their MFA prompt, and the attacker captures a valid authenticated session token. The MFA step fires correctly. The attacker gets in anyway.
The second technique is device code phishing, which abuses a legitimate Microsoft authentication flow designed for devices without keyboards, smart TVs, printers, that sort of thing. The attacker tricks the target into authorising a device code they control. Once authorised, the attacker has persistent access that survives password resets.
I want to be direct about what the headlines are understating here. When people say these kits “bypass MFA,” it sounds like a technical quirk. It is not. It means that the single most commonly recommended defence for Microsoft 365 accounts, the thing your IT provider probably pointed to when you asked about account security, is now insufficient on its own against targeted attacks. The kits commoditise the bypass. Attackers do not need to be sophisticated to use them.
This matters disproportionately to UK SMBs for a specific reason. The professional services sector, accountants, solicitors, consultants, recruiters, runs heavily on Microsoft 365. These businesses hold client data, financial information, and business email that makes them worthwhile targets. They are also the sector most likely to have had MFA deployed as the primary control and left at that.
What you should be doing now, before September
Microsoft’s announced response to the broader MFA weakness problem is to make passkeys the default authentication method for Entra ID from September 2026. Passkeys are phishing-resistant by design, they are cryptographically bound to the domain, so an adversary-in-the-middle proxy cannot capture them the way it captures a standard MFA code. That is the right direction. September is, however, two months away, and these kits are active today.
In the interim, the controls that provide meaningful additional protection are:
- Conditional Access policies restricting authentication to compliant, managed devices. If a session originates from an unmanaged device, it does not complete, regardless of whether MFA is passed.
- Token binding and session lifetime limits in Entra ID, which reduce the window an attacker has to exploit a captured token.
- Phishing-resistant MFA methods where you can deploy them ahead of September, specifically FIDO2 security keys or Windows Hello for Business, which are not vulnerable to the adversary-in-the-middle technique.
- User awareness on device code authentication requests. Legitimate Microsoft services will not send users a device code to approve unless they initiated a device login themselves. Any unexpected device code authorisation request is an attack.
If your IT provider or MSP has not mentioned Conditional Access policies in recent months, ask them specifically what your current configuration looks like. “We have MFA” is no longer a complete answer.
AI Is Doing Ninety Percent of the Work Now
The second story today is from research published this week. A jailbroken instance of Google’s Gemini model was used by a Russian fraudster to spin up a fully functional command-and-control server in six minutes. The human did approximately ten percent of the work. The AI did the rest.
I will state upfront that this is research, a controlled observation of what happened in a specific documented case. I am not extrapolating that every threat actor now has this capability. What I am saying is that this is a documented proof of what is possible, and the timeline is six minutes.
The significance for UK SMBs is not that you will be targeted by someone using jailbroken Gemini specifically. It is that the barrier to building professional-grade attack infrastructure is collapsing. Phishing kits like Jalisco and OmegaLord are already commoditised and sold through criminal marketplaces. AI-assisted infrastructure setup reduces the technical overhead of running campaigns further still. The combination points toward a future, already partially arrived, where the volume and sophistication of attacks targeting smaller organisations continues to increase without the corresponding increase in attacker headcount.
Put plainly: more attacks, against more targets, with less effort required from the people running them.
Briefly Noted
Two further items worth flagging today, though neither rises to the level of the Microsoft 365 threat for most UK SMBs.
SAP has patched sixteen vulnerabilities across multiple products in its July 2026 security update, including three rated critical in NetWeaver, Commerce Cloud, and AppRouter. SAP is not a common presence in most UK SMB environments, but it is prevalent in mid-market and larger businesses, and in the supply chains of organisations those businesses work with. If you or your clients run SAP, check the July patch release.
Joomla extension vulnerabilities with CVSS 10.0 scores, the maximum, are being actively exploited in the wild. The affected extensions are iCagenda and Balbooa Forms. Joomla powers a meaningful share of the UK’s SMB web estate, particularly in sectors that have not refreshed their web presence recently. If your organisation’s website runs on Joomla, your hosting provider or web agency needs to confirm that all extensions are current and that the core installation is patched.
What to Do Today
- Check your Microsoft 365 Conditional Access configuration. If you do not know what it says, that is your answer.
- Ask your IT provider specifically about FIDO2 or Windows Hello deployment ahead of Microsoft’s September passkeys rollout.
- Confirm with your hosting provider that any Joomla installation is fully patched, including all third-party extensions.
- If your organisation uses SAP, prioritise the July patch release.
The MFA bypass story is the one that matters most today. Do not leave it for Monday.
Before the next story: if Threat Analysis is useful to you, follow the show wherever you listen so tomorrow’s briefing lands automatically. And if you know someone who is running a business on Microsoft 365 and thinks MFA alone has them covered, send this their way. It is a short conversation to have before it becomes a longer one.