Forg365 Phishing-as-a-Service Platform Turns Microsoft 365 Accounts Into Prime Targets Through AI-Powered Attacks and Token Theft + Video

Listen to this Post

Featured Image

Introduction: The New Era of Subscription-Based Cybercrime

Cybercriminal operations are becoming increasingly professional, with attackers no longer needing advanced technical skills to launch sophisticated campaigns. A newly discovered phishing-as-a-service (PhaaS) platform called Forg365 demonstrates how cybercrime has evolved into a subscription-based industry, offering ready-made tools that automate everything from phishing email creation to account takeover and long-term access.

Security researchers have uncovered Forg365 as a highly developed operation targeting Microsoft 365 users through advanced techniques including device code phishing, adversary-in-the-middle (AitM) attacks, AI-generated social engineering emails, and stolen authentication session abuse. The platform allows customers to rent access to an entire phishing ecosystem for $400 per month or $3,800 annually, lowering the barrier for attackers who previously lacked the skills required to conduct complex campaigns.

Forg365: A Cybercrime Service Built Like a Commercial Product

The Forg365 platform represents a significant shift in how phishing attacks are conducted. Instead of individual threat actors creating their own malicious infrastructure, attackers can now subscribe to complete attack frameworks that provide everything needed to compromise enterprise accounts.

Distributed through Telegram channels, Forg365 provides customers with an operational dashboard containing tools for campaign creation, phishing page management, OAuth configuration, email delivery settings, token storage, and victim intelligence tracking.

Security researchers described the platform as a mature criminal workflow that combines multiple stages of an attack into one centralized service. The system includes phishing link generation, automated email creation, SMTP rotation, campaign management, browser extension support, and stolen session handling.

Legitimate Services Used to Hide Malicious Campaigns

One of the reasons Forg365 campaigns are difficult to detect is their ability to blend malicious traffic with legitimate online services.

Attackers use trusted email delivery platforms such as Amazon Simple Email Service (SES) and Twilio SendGrid to distribute phishing messages. By using established infrastructure, attackers attempt to bypass traditional email security systems because the messages appear to originate from reputable platforms.

The phishing emails often imitate business-related communication, including document sharing notifications, invoice requests, payment approvals, and financial transfer requests. These themes are designed to create urgency and convince employees to click malicious links.

Device Code Phishing: Abusing

One of the most dangerous features of Forg365 is its device code phishing capability.

Instead of stealing a user’s password directly, attackers abuse Microsoft’s legitimate authentication flow. Victims are presented with a fake Microsoft verification page that looks authentic and instructs them to enter a security code.

However, the code is secretly being used by attackers to authorize their own malicious session. The victim may complete what appears to be a normal Microsoft login process while unknowingly granting access to an attacker-controlled account session.

This technique is particularly effective because it bypasses traditional password protections, including many forms of multi-factor authentication.

Adversary-in-the-Middle Attacks Enable Real-Time Account Hijacking

Forg365 also includes advanced adversary-in-the-middle capabilities, allowing attackers to intercept authentication sessions between users and Microsoft services.

The platform uses traffic analysis, session cookies, and routing tokens to determine whether a visitor should receive the phishing page or a harmless decoy.

If the system detects suspicious visitors, security researchers, or VPN connections, it can redirect them to fake harmless content. This anti-bot capability helps criminals hide their infrastructure and avoid detection.

ForgCookie Browser Extension Maintains Long-Term Access

Unlike traditional phishing campaigns that focus only on stealing usernames and passwords, Forg365 provides tools for maintaining persistent access after compromise.

The platform includes a Chromium browser extension called ForgCookie, designed to refresh stolen Microsoft authentication cookies automatically.

The extension reportedly works by:

Requesting compromised account information from the Forg365 backend.

Generating authentication cookies linked to stolen sessions.

Removing existing Microsoft browser cookies.

Injecting attacker-controlled authentication credentials.

Triggering silent OAuth authentication processes.

Collecting refreshed Microsoft session cookies.

This allows attackers to continue accessing Microsoft services even after victims change passwords or security teams attempt account recovery.

AI-Powered Features Make Business Email Compromise Easier

Forg365 expands beyond basic phishing by incorporating artificial intelligence into post-compromise activities.

Attackers can monitor compromised mailboxes for specific keywords, identify valuable conversations, and generate realistic email replies using AI assistance.

This capability increases the effectiveness of business email compromise (BEC) attacks because attackers can impersonate employees more convincingly and continue conversations without raising suspicion.

The combination of stolen access and AI-generated communication creates a dangerous environment where fraudulent invoices, payment requests, and internal messages can appear highly authentic.

The Growing Industrialization of Phishing-as-a-Service

Forg365 belongs to a larger ecosystem of phishing platforms that have transformed cybercrime into an accessible business model.

Researchers compared it with operations such as Kali365, Octopi365, Freedom365, and Sneaky 2FA. These platforms provide similar capabilities, including phishing templates, authentication bypass methods, token theft, and account management features.

The rise of these services means attackers no longer need deep technical expertise. Less experienced criminals can purchase access, launch campaigns, and operate at a scale previously limited to advanced threat groups.

Related Phishing Campaigns Show a Wider Attack Trend

The discovery of Forg365 comes as researchers continue identifying multiple phishing campaigns targeting cloud accounts.

Some attackers have used fake Microsoft security alerts sent from compromised SaaS accounts to redirect victims toward Sneaky 2FA-style phishing pages.

Others have abused platforms like Canva to host malicious content that triggers device code phishing attacks against Microsoft accounts.

Kali365-related campaigns have also introduced tools capable of opening compromised Outlook Web Access, OneDrive, SharePoint, and Microsoft administrator sessions directly through stolen tokens.

Another emerging threat involves phishing campaigns impersonating popular Russian messaging platforms, demonstrating how attackers adapt their lures based on regional interests.

Fake Government and Business Brands Used in Social Engineering

Threat actors continue to impersonate trusted organizations to increase success rates.

Researchers have observed campaigns pretending to represent:

The Internal Revenue Service (IRS)

Social Security Administration

Microsoft

Adobe

DocuSign

Dropbox

Google Partner programs

These campaigns often combine phishing with additional malware delivery, including remote access tools that allow attackers to control infected systems.

SMS Phishing Expands Into Real-Time Financial Theft

Beyond email attacks, cybercriminals are also improving mobile phishing techniques.

Fake USPS and UPS delivery messages have been used to redirect victims to fraudulent websites requesting personal and payment information.

Modern phishing kits can capture payment card details instantly, analyze card information, request additional authentication codes, and adjust their behavior depending on the victim’s responses.

This demonstrates that phishing has evolved from simple fake websites into interactive systems controlled by attackers in real time.

Security Recommendations for Microsoft 365 Users

Organizations can reduce the risk of Forg365-style attacks by strengthening identity security and monitoring authentication activity.

Recommended defensive measures include:

Blocking device code authentication when it is not required.

Reviewing mailbox activity after suspicious authentication events.

Monitoring unusual OAuth applications.

Auditing mail forwarding rules.

Removing outdated email aliases.

Reviewing legacy accounts from previous company acquisitions.

Detecting unusual login locations and session activity.

One important finding from researchers was that attackers sometimes exploit forgotten infrastructure, such as old email aliases or forwarding relationships, to bypass modern security controls.

Deep Analysis: How Forg365 Changes the Cybersecurity Landscape

What Undercode Say:

Forg365 represents a major evolution in cybercrime because it combines automation, artificial intelligence, and authentication abuse into a single commercial package.

The biggest concern is not only the technical sophistication of the platform, but the accessibility it provides.

In previous years, launching an advanced phishing operation required knowledge of web development, email infrastructure, malware techniques, and authentication systems. Forg365 removes many of those barriers by packaging these capabilities into a subscription service.

The rise of PhaaS platforms shows that cybercriminal groups are adopting legitimate software business models. They offer customer support, subscription pricing, dashboards, and automated features similar to commercial technology companies.

Device code phishing is especially concerning because many organizations have focused heavily on password protection and multi-factor authentication while underestimating alternative authentication abuse.

Attackers are increasingly moving away from stealing passwords and toward stealing trusted sessions. Once attackers obtain valid authentication tokens, they can often bypass security protections that depend on password changes.

AI integration makes these attacks even more dangerous. A compromised mailbox combined with AI-generated responses allows criminals to imitate employees, executives, and business partners with greater accuracy.

The future of phishing will likely involve more automation, where attackers operate large-scale campaigns with minimal human involvement.

Security teams must focus less on detecting individual phishing emails and more on identifying abnormal identity behavior.

Cloud environments require continuous monitoring because account compromise can happen even when traditional malware defenses remain effective.

Organizations should also review forgotten digital assets. Old domains, abandoned aliases, and historical forwarding rules can become hidden entry points for attackers.

The Forg365 discovery demonstrates that cybersecurity is moving into an identity protection era. Protecting accounts, sessions, tokens, and authentication workflows is now just as important as protecting devices.

Companies that rely heavily on Microsoft 365 should consider authentication restrictions, stronger conditional access policies, and regular identity audits.

The attack surface is no longer limited to computers and servers. User identities themselves have become valuable assets targeted by highly organized criminal ecosystems.

Forg365 is another warning that phishing is no longer a simple deception technique. It has become a scalable cybercrime industry supported by automation, AI, and specialized services.

✅ Confirmed: Security researchers identified Forg365 as a phishing-as-a-service platform targeting Microsoft 365 accounts through advanced phishing techniques, including device code phishing and adversary-in-the-middle attacks.

✅ Confirmed: The platform includes features for campaign management, token handling, and post-compromise activities, showing a high level of criminal automation.

❌ Not Confirmed: There is no public evidence that every attack using similar phishing methods originates from Forg365 specifically, as multiple competing phishing platforms operate in the same ecosystem.

Prediction

(+1) Organizations that adopt stronger identity security controls, disable unnecessary authentication methods, and monitor abnormal account behavior will significantly reduce the success rate of future Forg365-style attacks.

(-1) Attackers will likely continue expanding AI-powered phishing services, making future campaigns more personalized, automated, and difficult for employees to recognize.

(+1) Security vendors will increasingly focus on detecting stolen authentication sessions and abnormal cloud activity rather than relying only on traditional malware detection.

(-1) Small and medium businesses may remain vulnerable because many lack the resources needed for continuous identity monitoring and advanced Microsoft 365 security management.

▶️ Related Video (76% Match):

🕵️‍📝Let’s dive deep and fact‑check.

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

References:

Reported By: thehackernews.com
Extra Source Hub (Possible Sources for article):
https://www.instagram.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon | 📺Youtube