Forg365 Phishing Platform Targets Microsoft 365 Accounts With AI and Device-Code Abuse
Forg365 is a new phishing-as-a-service platform designed to steal Microsoft 365 accounts through several attack methods, including adversary-in-the-middle phishing, device-code abuse, AI-generated phishing emails, and post-compromise tools.
The platform has emerged shortly after the exposure of the ARToken phishing platform. Researchers at ZeroBEC found similarities between Forg365 and other phishing platforms such as Kali365 and Sneaky2FA, but they could not confirm a direct connection.
Forg365 campaigns use trusted cloud services
Forg365 campaigns send phishing emails disguised as trusted business documents.
Observed campaigns used Amazon SES for email delivery and SendGrid-hosted images or tracking resources. The platform also uses Cloudflare Pages for landing pages and Gophish infrastructure for campaign delivery.
By combining legitimate cloud services with malicious infrastructure, Forg365 can make phishing emails blend into normal business traffic more effectively.
Operators get a full phishing dashboard
Forg365 includes a central dashboard for creating and managing phishing campaigns.
Operators can configure phishing links, OAuth applications, SMTP profiles, tokens, and stolen account data from the panel. The dashboard also includes tools for managing cookies and carrying out post-compromise actions after an account has been accessed.
The platform also includes AI-generated email content directly inside the control panel, allowing operators to create, edit, and refine phishing messages without using separate tools.
Forg365 abuses Microsoft device-code authentication
One of Forg365’s key features is device-code phishing.
The platform can show victims a fake Microsoft-style verification page and ask them to enter a device code. The victim then authorizes a device controlled by the attacker through Microsoft’s legitimate OAuth device-code flow.
This technique does not always require the attacker to steal the victim’s password directly. Instead, the victim can unknowingly approve access for the attacker’s device.
AiTM phishing captures session cookies
Forg365 also supports traditional adversary-in-the-middle phishing attacks.
In this setup, a proxy sits between the victim and Microsoft’s authentication infrastructure. The platform captures authentication data and session cookies as they pass through the proxy.
Stolen session cookies can allow attackers to bypass some multi-factor authentication protections and access Microsoft 365 accounts without repeating the full login process.
ForgCookie extension helps maintain access
Operators also receive a browser extension called ForgCookie.
The extension works with Google Chrome, Microsoft Edge, and Brave. It retrieves account information from the Forg365 backend and refreshes Microsoft single sign-on cookies.
ForgCookie clears existing session cookies and triggers a silent OAuth process to obtain fresh ones. This can help attackers maintain access without forcing the victim to authenticate again.
Forg365 can monitor compromised mailboxes
Forg365 also includes mailbox monitoring features.
The platform can scan compromised mailboxes for predefined keywords and alert operators when matching messages appear. This could help attackers find sensitive conversations, financial information, credentials, or business opportunities inside a victim’s mailbox.
AntiBot features target researchers and security tools
Forg365 includes an AntiBot system designed to block researchers and automated security tools.
Its advertised protections include encrypted redirects, debugger traps, sandbox checks, bot detection, and polymorphic code. When VPN usage gets detected, visitors may land on harmless content instead of the real phishing page.
How organizations can reduce Forg365 risk
Organizations should disable or restrict Microsoft device-code authentication unless they genuinely need it.
Security teams should monitor Microsoft Entra logs for unusual device-code authentication events, unexpected OAuth grants, mailbox rules, new device sign-ins, and Microsoft Authentication Broker activity.
If an account may have been compromised, administrators should revoke all active sessions and tokens immediately. They should also reset credentials, review authentication methods, and check any affected OAuth permissions.
Forg365 is not the only recent campaign targeting Microsoft 365 users. Another campaign recently targeted Microsoft Entra passkeys, while Microsoft has also advised organizations not to delay Windows updates and has expanded its AI-driven security strategy.
Via BleepingComputer
Read our disclosure page to find out how can you help Windows Report sustain the editorial team. Read more
User forum
0 messages