Forg365 Phishing Platform Using AI to Attack Microsoft 365 Accounts

Forg365 Phishing Platform Using AI to Attack Microsoft 365 Accounts










Forg365 is a phishing-as-a-service platform that targets Microsoft accounts, combining AI-powered phishing, session theft, and post-compromise mailbox access in a single operator panel

The platform is reportedly distributed through Telegram, where criminals can access a 30-day trial, pay about per month, or choose an annual plan.

This subscription model shows how phishing operations are becoming more professional. Instead of building infrastructure from scratch, operators can use ready-made templates, sending tools, token storage, and AI-generated phishing emails.

Forg365 supports two major attack methods: device-code phishing and adversary-in-the-middle, or AiTM, phishing.

In a device-code attack, victims are shown a Microsoft-style verification page and asked to enter a code through a legitimate Microsoft sign-in process.

Forg365 Phishing Targets Microsoft 365

The Microsoft page may be legitimate, but the code grants an attacker access to an attacker-controlled session. This can bypass traditional password-focused security controls because the attacker may not need to steal the user’s password directly.

Device-auth phishing branch. (Source: Zerobec)
Device-auth phishing branch. (Source: Zerobec)

The AiTM component works differently. It places a phishing page between the victim and Microsoft’s real authentication services. The platform can capture session information, authentication tokens, and browser cookies after a successful login.

Forg365 also uses anti-bot and cloaking features to avoid security scanners. For example, researchers observed it redirecting traffic from VPN networks to harmless decoy websites instead of displaying phishing content.

AI is a major feature of the platform. Forg365 includes an in-panel tool for generating phishing emails and lures. Criminals can create more convincing business documents, invoices, voicemails, or password reset messages without relying on external AI tools.

Campaign-linked Forg365 panel variant  (Source: Zerobec)
Campaign-linked Forg365 panel variant (Source: Zerobec)

The panel also offers SMTP rotation, campaign scheduling, redirect links, encrypted SVG files, and templates impersonating services such as SharePoint, OneDrive, DocuSign, and Adobe Acrobat Sign.

The platform goes beyond the initial phishing stage. Its Token Vault feature can store captured authentication tokens. At the same time, Account Intel, mailbox search, keyword monitoring, and viewer links help attackers examine compromised inboxes.

A browser extension called ForgCookie reportedly automatically refreshes Microsoft single sign-on cookies, helping criminals retain browser-based access after the victim has authenticated.

According to ZeroBEC, researchers linked Forg365 activity to Microsoft Entra device-code events, Microsoft Graph access, and suspicious device registrations.

Some newly registered devices reportedly used names beginning with “Forg365,” making them a useful detection clue.

Investigators also identified campaign-linked infrastructure hosted in Kyiv, Ukraine, as well as traffic from a Comcast/Xfinity address during device-code activity.

AI-assisted phishing email generation in the Forg365 panel (Source: Zerobec)
AI-assisted phishing email generation in the Forg365 panel (Source: Zerobec)

Forg365 resembles other Microsoft -focused phishing services, including Kali365 and Sneaky FA. However, available evidence does not prove that the same operators run these platforms.

The stronger assessment is that Forg365 belongs to a growing class of commercial identity-phishing services that combine token theft, AiTM attacks, AI lures, and persistent account access. Organizations should restrict device-code authentication unless it is genuinely required.

Security teams should investigate Microsoft Entra logs for device-code sign-ins, Microsoft Authentication Broker activity, unusual Microsoft Graph access, new device registrations, and suspicious non-interactive sessions.

They should also revoke sessions and refresh tokens after a suspected compromise, since changing a password alone may not remove an attacker’s access.

Stop Accepting SLAs Written for 2019 SOCs – Here’s the 2026 AI SLA Vendor ChecklistDownload Free AI SOC SLA Guide

The post Forg365 Phishing Platform Using AI to Attack Microsoft 365 Accounts appeared first on Cyber Security News.






Abinaya





Go to cyber-security-news





by