New Forg365 phishing platform uses AI to target Microsoft 365 accounts
New Forg365 phishing platform uses AI to steal Microsoft 365 accounts via AiTM and device code methods.
Summary
A new phishing-as-a-service (PhaaS) operation named Forg365 is targeting Microsoft 365 accounts by employing adversary-in-the-middle (AiTM) and device code phishing techniques. The platform leverages AI for generating phishing lures and includes a browser extension for persistent access to compromised accounts. Researchers note the integration of AI reduces development costs for both phishing content and PhaaS platforms.
Full text
New Forg365 phishing platform uses AI to target Microsoft 365 accounts By Bill Toulas July 9, 2026 10:39 AM 0 A new phishing-as-a-service (PhaaS) operation called Forg365 focuses on stealing Microsoft 365 accounts by combining adversary-in-the-middle (AiTM) and device code methods with AI-assisted lure generation. The platform also provides a browser extension for continued access to the Microsoft services linked to the compromised accounts without the need to re-authenticate. Researchers at ZeroBEC email security company say that many of the features in Forg365 are present in other infamous PhaaS platforms such as Kali365 and Sneaky2FA, although they could not establish a connection. Their investigation began by analyzing phishing emails that posed as business documents, carefully crafted to mimic a trusted service. "The observed sender domain used Amazon SES delivery, while the message body included SendGrid-hosted image or tracking resources," ZeroBEC says in a report today. This combination of legitimate services and phishing infrastructure indicates a mature PhaaS operation capable of blending its messages into regular email traffic. The platform features device-code phishing, adversary-in-the-Middle (AiTM) phishing, AI-assisted email content generation, token and cookie management, and post-compromise operations. Digging deeper, the researchers obtained access to the Forg365 dashboard, which allows creating new phishing campaigns, manage phishing links, configure OAuth apps and SMTP profiles, manage tokens, and generate phishing emails with the help of AI. The Forg365 panelSource: ZeroBec Although the use of AI in crafting custom phishing lures is not new, the researchers highlight that the feature is directly integrated in Forg365's panel, allowing the operator to create the malicious emails, prepare the text, and refine the messages from the same dashboard used to control the post-compromise activity. According to the researchers, this integration is strategic, as "AI reduces the cost of developing custom phishing content, but it also reduces the cost of building custom PhaaS platforms." AI-assisted email content generationSource: ZeroBec The panel also includes an account intelligence dashboard and a keyword monitoring feature that scans compromised mailboxes for predefined terms, alerting operators whenever a match is detected. Operators are provided a browser extension called ForgCookie that is compatible with Google Chrome, Microsoft Edge, and Brave, and is specifically designed for automatically refreshing Microsoft SSO cookies. The extension works by requesting account data from the Forg365 backend, clearing session cookies, and triggering a silent OAuth flow to capture the fresh cookies. This provides the attacker with persistent access to the Microsoft services associated with the victim's account. The ForgCookie extensionSource: ZeroBec According to ZeroBEC, Forg365 supports two primary attack paths: the trending device-code phishing and the more traditional AiTM phishing. In the first case, victims are shown a Microsoft-style verification code page and instructed to complete authentication using Microsoft's device-code flow designed for any endpoint with input constraints (e.g. smartTV, IoT appliances, tools without a browser). Rather than targeting the victim’s password directly, the victim is tricked into authorizing an attacker-controlled gadget through the legitimate OAuth 2.0 device code flow authentication method. The device-code phishing methodSource: ZeroBec For AiTM phishing, the platform uses a proxy for the authentication requests and data exchanged between the Microsoft infrastructure and the target account, capturing session cookies in the process. To prevent researchers from accessing the administration panel, Forg365 has an AntiBot feature that boasts "AES-encrypted redirectors, bot detection, debugger traps, sandbox checks, and polymorphic code." Additionally, when a VPN connection is detected, the platform redirects to innocuous content instead of exposing the phishing pages. ZeroBec reports that the platform leverages Amazon SES for phishing email delivery and Cloudflare Pages for the landing pages. Also, the Gophish infrastructure is used for campaign delivery. Users are recommended to restrict or disable Microsoft device-code authentication unless required and to monitor Microsoft Entra logs for device-code authentication events. Mailbox rules, new device sign-ins, Microsoft Authentication Broker activity, and OAuth grants must also be investigated for unexpected entries. If a compromise is suspected, all tokens and sessions must be revoked and refreshed as soon as possible. Test every layer before attackers do Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection. Get the whitepaper Related Articles: ARToken PhaaS exposes EvilTokens' Microsoft 365 phishing toolkitWebinar tomorrow: Why modern email attacks require a new approach to defenseWebinar: How attackers bypass MFA and how defenders can respondNew attack turned Microsoft 365 Copilot into 1-click data theft toolOpenClaw AI agent found falling for phishing attacks, spills user data