AI-Powered Phishing-as-a-Service Platform Targets Microsoft 365 Accounts
The Forg365 platform represents a significant evolution in phishing threats by combining AI-generated lures with adversary-in-the-middle (AiTM) and device code phishing techniques, enabling attackers to bypass traditional multi-factor authentication. By automating phishing content creation with AI, the barrier to entry for cybercriminals has dropped dramatically, making sophisticated attacks more scalable and harder to detect. The inclusion of a malicious browser extension further enables persistent access even after password resets, extending the attacker's foothold. This matters because Microsoft 365 accounts are a high-value target holding sensitive business data, email communications, and access to interconnected cloud services — compromise of one account can cascade across an entire organization.
Tactical Insight
Immediate actions
- Enforce phishing-resistant MFA methods (e.g., FIDO2/hardware security keys) instead of SMS or app-based OTP, which AiTM attacks can bypass.
- Audit and restrict which browser extensions are permitted on corporate devices using endpoint management policies.
- Enable Microsoft Conditional Access policies to block sign-ins from unexpected locations, devices, or token replay attempts.
Security awareness improvements
- Train employees to recognize AI-generated phishing lures, emphasizing that polished, convincing language is no longer a sign of legitimacy.
- Conduct regular simulated phishing exercises that include device code phishing scenarios to build staff recognition skills.
Detection & monitoring measures
- Monitor Microsoft 365 audit logs for anomalous device code authentication requests, token usage from unexpected IP addresses, or new browser extension installations.
- Deploy a CASB (Cloud Access Security Broker) or Microsoft Defender for Cloud Apps to detect and alert on suspicious OAuth token activity and session anomalies.