Back to all lessons
Awareness Lessons
3 days ago

AI-Powered Phishing-as-a-Service Platform Targets Microsoft 365 Accounts

The Forg365 platform represents a significant evolution in phishing threats by combining AI-generated lures with adversary-in-the-middle (AiTM) and device code phishing techniques, enabling attackers to bypass traditional multi-factor authentication. By automating phishing content creation with AI, the barrier to entry for cybercriminals has dropped dramatically, making sophisticated attacks more scalable and harder to detect. The inclusion of a malicious browser extension further enables persistent access even after password resets, extending the attacker's foothold. This matters because Microsoft 365 accounts are a high-value target holding sensitive business data, email communications, and access to interconnected cloud services — compromise of one account can cascade across an entire organization.

Tactical Insight

Immediate actions

  • Enforce phishing-resistant MFA methods (e.g., FIDO2/hardware security keys) instead of SMS or app-based OTP, which AiTM attacks can bypass.
  • Audit and restrict which browser extensions are permitted on corporate devices using endpoint management policies.
  • Enable Microsoft Conditional Access policies to block sign-ins from unexpected locations, devices, or token replay attempts.

Security awareness improvements

  • Train employees to recognize AI-generated phishing lures, emphasizing that polished, convincing language is no longer a sign of legitimacy.
  • Conduct regular simulated phishing exercises that include device code phishing scenarios to build staff recognition skills.

Detection & monitoring measures

  • Monitor Microsoft 365 audit logs for anomalous device code authentication requests, token usage from unexpected IP addresses, or new browser extension installations.
  • Deploy a CASB (Cloud Access Security Broker) or Microsoft Defender for Cloud Apps to detect and alert on suspicious OAuth token activity and session anomalies.