Forg365: The New AI-Powered Phishing Platform Turning Microsoft 365 Authentication Into a Weapon + Video

Listen to this Post

Featured Image

Introduction: The Rise of Identity-Based Cyberattacks

Cybercriminals are rapidly moving beyond traditional password theft. Modern phishing campaigns are no longer just about tricking users into entering credentials on fake websites. Attackers are increasingly targeting authentication systems themselves, exploiting trusted platforms, legitimate cloud services, and identity workflows to gain persistent access to enterprise environments.

A newly discovered phishing-as-a-service (PhaaS) platform called Forg365 represents this dangerous evolution. Instead of operating as a simple phishing kit, Forg365 functions like a complete cybercrime business platform, offering attackers automated phishing campaigns, AI-generated messages, token theft capabilities, and long-term Microsoft 365 session hijacking tools through a subscription-based model.

Security researchers from ZeroBEC uncovered the operation while investigating business-themed phishing emails that ultimately led back to a professional-looking attacker control panel. Their findings reveal how cybercriminal groups are transforming phishing into a scalable service industry where even inexperienced criminals can launch sophisticated identity attacks against organizations worldwide.

Forg365 Turns Microsoft 365 Device Authentication Into a Phishing Weapon

A New Generation of Phishing-as-a-Service

Forg365 is not simply another phishing campaign. Researchers describe it as a fully commercialized cybercrime platform that follows the same business principles used by legitimate SaaS companies.

The service provides attackers with:

Automated phishing infrastructure

AI-assisted email creation

OAuth token theft

Session persistence tools

Credential management dashboards

Traffic filtering systems

Customer support through Telegram channels

The platform operates using a subscription model, offering a five-day free trial to potential customers. After testing, criminals can purchase monthly access for approximately $400 or annual access for around $3,800.

This pricing structure shows that Forg365 is not designed as a temporary criminal experiment. It is maintained, updated, and operated as a long-term cybercrime service.

How Forg365 Exploits Microsoft Device Code Authentication

Abusing a Legitimate Microsoft Feature

The core technique behind Forg365 is the abuse of Microsoft’s device code authentication flow.

Device code authentication was created to help users sign in on devices where entering passwords is difficult, such as smart TVs, command-line environments, or limited-input devices.

The normal process works like this:

A user receives a Microsoft authentication code.

The user enters the code on Microsoft’s official website.

Microsoft verifies the request.

The user grants access to the application.

However, attackers have discovered that victims can unknowingly authorize attacker-controlled applications by being manipulated into entering these codes.

Forg365 takes advantage of this trust relationship.

Victims are presented with realistic Microsoft authentication pages, making the attack appear legitimate. Instead of stealing passwords, attackers trick users into approving access tokens that provide direct access to Microsoft 365 accounts.

Token Theft Instead of Password Theft

Why Traditional Security Controls Are Becoming Less Effective

One of the most concerning aspects of Forg365 is that it does not need to capture passwords.

Once attackers obtain OAuth tokens, they can potentially access:

Outlook emails

Microsoft Teams conversations

OneDrive files

SharePoint documents

Internal company resources

Even changing a password may not immediately remove the attacker because stolen authentication tokens can remain valid.

Forg365 includes tools designed specifically for maintaining access, including a browser extension called ForgCookie.

This extension helps attackers refresh Microsoft Single Sign-On cookies and preserve access without requiring victims to authenticate again.

The result is a much more dangerous attack model: the attacker does not just break into an account; they establish a persistent identity foothold.

Forg365 Provides Multiple Attack Methods

Device-Code Attack Branch

The first attack method focuses on Microsoft device-code authentication abuse.

The attacker sends a phishing message containing a convincing business-related request. The victim is guided toward a Microsoft authentication process and unknowingly approves the attacker’s session.

The victim may never provide a password.

This makes traditional phishing detection methods less effective because there is no obvious fake login page collecting credentials.

AiTM Attack Branch

Forg365 also supports Adversary-in-the-Middle (AiTM) attacks.

This technique places attackers between the victim and the legitimate authentication process.

The platform can:

Capture session cookies

Intercept authentication data

Analyze network traffic

Redirect suspicious visitors to fake or harmless pages

The system even includes filtering mechanisms that identify VPN users and send them to harmless pages, helping attackers avoid automated security analysis.

A Professional Cybercrime Infrastructure Hidden Behind Telegram

Cybercriminals Are Building Businesses

Forg365 demonstrates how cybercrime has adopted the same operational models used by legitimate technology companies.

The entire platform is managed through Telegram channels where criminals handle:

Customer onboarding

Technical support

Payments

Updates

Distribution

This approach allows operators to remain anonymous while serving a global customer base.

The discovery also mirrors previous PhaaS platforms such as Kali365, which similarly targeted Microsoft 365 accounts through token theft techniques.

Abuse of Legitimate Cloud Services

Attackers Blend Into Normal Business Traffic

Forg365 campaigns do not rely only on malicious infrastructure.

Researchers found evidence that attackers abused legitimate services including:

Amazon Simple Email Service (SES)

SendGrid

Cloudflare-hosted infrastructure

Gophish phishing automation tools

By using trusted platforms, attackers can increase email delivery success and make detection more difficult.

Many organizations already communicate with these services, meaning malicious traffic can hide inside normal cloud activity.

Tracking the Attack Infrastructure

Evidence From Microsoft Entra Activity

During investigations, researchers observed Microsoft Entra activity connected to residential IP addresses associated with Comcast/Xfinity networks during device authorization attempts.

The activity later connected to Forg365 infrastructure hosted in Kyiv, Ukraine.

Compromised environments showed suspicious Entra-joined devices using names beginning with:

Forg365-

These predictable naming patterns provide defenders with useful detection opportunities.

Organizations monitoring new device registrations may identify these indicators before attackers expand their access.

Deep Analysis: Commands for Detecting Forg365 Activity

Microsoft Defender and Entra Investigation Commands

Security teams should investigate suspicious identity activity using Microsoft security tools.

Search Entra Sign-In Logs

Get-MgAuditLogSignIn | Where-Object {
$_.AuthenticationProtocol -eq "deviceCodeFlow"
}

Purpose:

Detect authentication attempts using Microsoft device-code flow.

Hunt Suspicious Device Registrations

kusto

DeviceInfo

| where DeviceName startswith Forg365-

Purpose:

Identify attacker-created devices linked to Forg365 campaigns.

Search OAuth Application Abuse

kusto

CloudAppEvents

| where ActionType contains Consent

Purpose:

Find unusual application permissions granted by users.

Monitor Risky Authentication Events

kusto

SigninLogs

| where RiskLevelDuringSignIn == high

Purpose:

Identify suspicious login behavior.

Investigate Token Abuse

kusto

SigninLogs

| where AuthenticationRequirement == multiFactorAuthentication

| where ConditionalAccessStatus == failure

Purpose:

Identify authentication attempts bypassing normal security policies.

What Undercode Say:

Forg365 represents a major turning point in the phishing ecosystem.

Cybercriminals are no longer focused only on stealing passwords.

The real target today is identity.

Cloud platforms have changed the security battlefield because access is no longer determined only by usernames and passwords.

Authentication tokens, browser sessions, application permissions, and device registrations have become valuable assets.

Forg365 proves that attackers understand modern enterprise security better than many organizations expect.

The use of AI inside the platform is especially concerning.

AI does not necessarily create completely new attack methods, but it dramatically improves the speed and quality of existing attacks.

A criminal with limited technical knowledge can now generate realistic business emails, customize phishing campaigns, and operate advanced token theft infrastructure.

The SaaS model of Forg365 also lowers the barrier for cybercrime.

Attackers no longer need to build their own infrastructure.

They can simply subscribe to a criminal service.

This creates an ecosystem where cybercrime becomes faster, cheaper, and more scalable.

Microsoft 365 environments are particularly attractive because they contain valuable corporate information.

A compromised email account can become a gateway into:

Financial fraud

Business email compromise

Data theft

Internal espionage

Ransomware preparation

The abuse of device-code authentication shows that legitimate security features can become dangerous when combined with social engineering.

Organizations cannot assume that users are safe simply because they are using official Microsoft pages.

Trust-based attacks are becoming the dominant threat.

Security teams must move from password protection toward identity monitoring.

Conditional Access policies, authentication analytics, device registration monitoring, and behavioral detection are becoming essential.

The future of cybersecurity will depend less on preventing every phishing email and more on detecting abnormal identity behavior.

Forg365 is another warning that attackers are investing heavily in automation.

Organizations must respond with equally advanced defensive automation.

✅ Fact: Forg365 abuses Microsoft device-code authentication.

Researchers confirmed that the platform uses legitimate Microsoft authentication workflows to trick victims into authorizing attacker-controlled sessions.

✅ Fact: Forg365 operates as a subscription-based PhaaS platform.
The service includes paid access models, automated tools, and customer support features similar to commercial software platforms.

❌ Unconfirmed: Every Forg365 attack is linked to one specific criminal group.
Current evidence shows infrastructure and activity patterns, but researchers have not publicly attributed the entire operation to a single threat actor.

Prediction

(+1) Microsoft and security vendors will continue improving identity protection systems, including stronger monitoring of device-code authentication and OAuth abuse. Organizations that adopt identity-focused security strategies will significantly reduce the impact of these attacks.

(-1) Phishing-as-a-service platforms like Forg365 are likely to become more advanced, with deeper AI integration, better automation, and improved evasion methods. Companies that continue relying only on passwords and traditional email filtering will remain highly vulnerable.

(+1) Future security solutions will increasingly focus on detecting abnormal user behavior, unauthorized application consent, and suspicious device registrations rather than only blocking malicious links.

(-1) Attackers will continue shifting toward token theft and session hijacking because these methods bypass many traditional security controls and allow long-term access without immediate detection.

▶️ Related Video (82% Match):

🕵️‍📝Let’s dive deep and fact‑check.

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

References:

Reported By: cyberpress.org
Extra Source Hub (Possible Sources for article):
https://www.reddit.com/r/AskReddit
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon | 📺Youtube