Listen to this Post

Introduction: A New Era of Automated Cybercrime
Cybercriminals are entering a new phase where phishing attacks are no longer created manually by individual hackers. Instead, attackers are increasingly adopting professional cybercrime platforms that operate like legitimate software businesses. These Phishing-as-a-Service (PhaaS) operations provide ready-made tools, dashboards, automation features, and even artificial intelligence capabilities that allow less-skilled criminals to launch sophisticated attacks.
A newly discovered PhaaS platform called Forg365 represents this growing threat. The service is specifically designed to steal Microsoft 365 accounts by combining advanced techniques such as Adversary-in-the-Middle (AiTM) attacks, OAuth device-code phishing, AI-generated phishing emails, and persistent session hijacking tools.
Security researchers warn that Forg365 demonstrates how cybercriminal groups are transforming phishing from simple email scams into highly organized operations capable of bypassing traditional security controls and maintaining long-term access to enterprise environments.
Forg365 Emerges as a Dangerous Microsoft 365 Account Theft Platform
Security researchers from ZeroBEC have uncovered a new phishing-as-a-service operation named Forg365, a platform designed to compromise Microsoft 365 accounts through highly advanced social engineering techniques.
Unlike traditional phishing campaigns that simply attempt to steal usernames and passwords, Forg365 focuses on stealing authentication tokens, session cookies, and OAuth permissions. This allows attackers to bypass some forms of multi-factor authentication and maintain access even after victims change their passwords.
The platform combines several attack methods, including:
Adversary-in-the-middle phishing.
Microsoft device-code authentication abuse.
AI-generated phishing content.
OAuth application manipulation.
Token and cookie theft.
Automated account monitoring.
This combination makes Forg365 a powerful toolkit for cybercriminals who want persistent access to corporate Microsoft environments.
How Researchers Discovered the Forg365 Operation
The investigation began after ZeroBEC researchers analyzed suspicious phishing emails designed to appear as legitimate business communications.
The emails were carefully crafted to resemble trusted document-sharing notifications or corporate service messages. Instead of using obvious malicious infrastructure, the attackers relied on well-known legitimate services to make their campaigns appear more authentic.
Researchers discovered that:
Amazon SES was used for email delivery.
SendGrid-hosted resources were used for images and tracking.
Cloudflare Pages supported phishing landing pages.
Gophish infrastructure helped manage campaigns.
This approach demonstrates a common trend in modern cybercrime: attackers increasingly abuse trusted platforms to hide malicious activity inside normal internet traffic.
The Forg365 Dashboard: A Complete Cybercrime Control Center
One of the most concerning discoveries was the Forg365 administrative panel.
Researchers gained access to the dashboard and found that it provided attackers with a complete command center for running phishing campaigns.
The platform allows criminals to:
Create phishing campaigns.
Generate phishing links.
Configure SMTP profiles.
Manage OAuth applications.
Control stolen authentication tokens.
Create customized phishing emails.
Monitor compromised accounts.
The dashboard resembles a commercial marketing platform, but instead of managing legitimate campaigns, it helps criminals automate identity theft.
This development shows how cybercrime has become increasingly industrialized, with attackers purchasing ready-to-use solutions instead of building their own tools.
Artificial Intelligence Becomes a Weapon for Phishing Campaigns
One of the most notable features of Forg365 is its built-in artificial intelligence capability.
The platform allows attackers to generate and improve phishing emails directly inside the same control panel used for managing attacks.
Previously, criminals needed to manually write convincing messages or hire others with language skills. AI now reduces this barrier by allowing attackers to quickly create personalized messages targeting specific organizations or individuals.
The AI system can help criminals:
Create realistic business communication.
Mimic trusted companies.
Adapt messages for different industries.
Improve social engineering effectiveness.
Researchers highlighted that AI is not only reducing the cost of launching attacks but is also lowering the cost of developing entire phishing platforms.
ForgCookie: The Tool That Keeps Attackers Inside Victims’ Accounts
Forg365 includes a browser extension called ForgCookie, designed to maintain unauthorized access to compromised Microsoft accounts.
The extension works with popular browsers including:
Google Chrome.
Microsoft Edge.
Brave.
Its purpose is to automatically refresh Microsoft single sign-on cookies, allowing attackers to remain connected to compromised accounts without repeatedly asking victims to authenticate.
The process involves:
Requesting account information from the Forg365 backend.
Clearing existing session cookies.
Triggering OAuth authentication flows.
Capturing refreshed authentication cookies.
This gives attackers a powerful persistence mechanism.
Even if victims suspect suspicious activity and change passwords, stolen sessions may continue working unless administrators revoke active tokens and sessions.
Device-Code Phishing: Abusing Microsoft’s Legitimate Authentication System
Forg365 takes advantage of Microsoft’s device-code authentication system.
This authentication method was designed for devices that cannot easily display a browser, such as:
Smart televisions.
IoT devices.
Limited-interface systems.
Attackers abuse this legitimate feature by creating fake Microsoft verification pages.
Victims are instructed to enter a generated code, believing they are completing a normal security verification process.
However, the code actually authorizes an attacker-controlled device to access the victim’s Microsoft account.
The victim does not provide a password, but unknowingly grants access through OAuth authentication.
AiTM Attacks Allow Attackers to Bypass Security Protections
Forg365 also supports traditional adversary-in-the-middle attacks.
In this method, attackers place a malicious proxy between the victim and Microsoft’s real authentication infrastructure.
When the victim logs in:
Credentials are intercepted.
Authentication traffic is monitored.
Session cookies are captured.
Attackers gain access to active sessions.
This technique has become increasingly popular because it can bypass some multi-factor authentication protections.
Rather than breaking security systems directly, attackers exploit the trust relationship between users and legitimate authentication services.
Anti-Analysis Features Protect Forg365 From Researchers
Forg365 includes several security features designed to prevent researchers from analyzing the platform.
The system reportedly includes:
AES-encrypted redirectors.
Bot detection.
Debugger traps.
Sandbox detection.
Polymorphic code.
VPN detection.
When suspicious visitors are detected, the platform can redirect them to harmless content instead of displaying phishing pages.
This demonstrates that modern cybercrime platforms are adopting defensive techniques similar to those used by legitimate security software.
Recommended Security Measures Against Forg365 Attacks
Organizations using Microsoft 365 should take immediate steps to reduce exposure.
Recommended actions include:
Restrict Microsoft device-code authentication when unnecessary.
Monitor Microsoft Entra authentication logs.
Investigate unusual device-code login activity.
Review OAuth application permissions.
Check mailbox forwarding rules.
Monitor new device registrations.
Investigate unusual Microsoft Authentication Broker activity.
Revoke suspicious tokens and active sessions.
Security teams should also train employees to recognize unusual authentication requests and unexpected verification messages.
What Undercode Say:
The emergence of Forg365 represents a major shift in the cybersecurity landscape because it shows how phishing has evolved from simple deception into a complete criminal ecosystem.
Cybercriminals are no longer relying only on fake websites and stolen passwords.
They are building platforms with automation, artificial intelligence, analytics, and persistence mechanisms.
Forg365 demonstrates that the future of phishing is not only about tricking users but also about controlling entire authentication processes.
The integration of AI into phishing dashboards is particularly concerning.
AI allows attackers to produce convincing messages faster, customize campaigns, and target organizations with greater accuracy.
This means defenders are facing threats that can adapt faster than traditional security models.
The use of legitimate services such as Amazon SES and Cloudflare also creates additional challenges.
Security systems cannot simply block every trusted platform because businesses depend on these services for daily operations.
Attackers understand this weakness and hide malicious activity inside normal infrastructure.
The ForgCookie browser extension highlights another important issue: authentication tokens are becoming as valuable as passwords.
Modern attacks increasingly focus on stealing digital identity sessions rather than login credentials.
Organizations must recognize that protecting identities requires more than password policies.
Identity security now depends on monitoring sessions, OAuth permissions, device registrations, and application behavior.
The abuse of Microsoft device-code authentication is another warning sign.
Many organizations enable authentication features without fully understanding how attackers might misuse them.
Every convenience feature introduced into cloud platforms creates potential opportunities for abuse.
The cybersecurity industry must move toward continuous identity monitoring instead of relying only on prevention.
Attackers are becoming faster, more automated, and more professional.
PhaaS platforms like Forg365 lower the technical barrier for criminals who previously lacked advanced hacking skills.
The result is a larger number of attackers capable of launching enterprise-level campaigns.
Security teams should assume that phishing attempts will become more realistic, more personalized, and more difficult to detect.
The battle is shifting from preventing every attack to quickly identifying and limiting damage.
Organizations that fail to monitor identity activity may discover breaches only after attackers have already established persistence.
Forg365 is another example that cybersecurity is becoming an identity protection challenge.
The future of defense will depend on visibility, automation, threat intelligence, and rapid response.
Companies must test their security systems continuously because attackers are constantly testing theirs.
Deep Analysis: Commands
Command 1: Analyze the Threat Landscape
Threat Type: Phishing-as-a-Service (PhaaS)
Primary Target: Microsoft 365 enterprise accounts
Attack Goal: Account takeover, persistent access, data theft, business email compromise
Risk Level: Critical
Command 2: Analyze Attack Techniques
Technique 1: AiTM Phishing
Attackers intercept authentication communication and steal session cookies.
Technique 2: Device-Code Abuse
Attackers trick users into authorizing malicious devices through legitimate OAuth workflows.
Technique 3: AI Phishing Generation
Attackers automate convincing email creation.
Technique 4: Cookie Persistence
Attackers maintain access after initial compromise.
Command 3: Analyze Business Impact
Potential consequences include:
Corporate data theft.
Internal email monitoring.
Financial fraud.
Intellectual property exposure.
Supply chain attacks.
Additional employee compromise.
Command 4: Analyze Defensive Strategy
Organizations should prioritize:
Identity monitoring.
Conditional access policies.
OAuth application reviews.
Token lifecycle management.
Employee awareness training.
Continuous security testing.
✅ Confirmed: Forg365 is a real phishing-as-a-service operation investigated by security researchers.
ZeroBEC researchers documented the platform’s capabilities, including AiTM attacks, device-code phishing, and AI-assisted lure creation.
✅ Confirmed: Microsoft 365 authentication mechanisms are increasingly targeted by attackers.
Cloud identity systems have become a primary target because stolen sessions can provide long-term access.
❌ No evidence currently proves that Forg365 has compromised every organization using Microsoft 365.
The platform represents a serious threat, but individual victims depend on attacker campaigns and organizational defenses.
Prediction
(+1) AI-powered phishing platforms will continue growing because artificial intelligence makes it easier for criminals to create convincing attacks at a larger scale.
(+1) More cybersecurity solutions will focus on identity protection, behavioral monitoring, and automated detection of suspicious authentication activity.
(+1) Microsoft and other cloud providers will likely introduce stronger controls around OAuth abuse and device-code authentication.
(-1) Traditional email security systems will struggle as attackers increasingly use trusted services and AI-generated messages.
(-1) Organizations that depend only on passwords and basic MFA protections may experience more account takeover incidents.
(-1) The availability of PhaaS platforms will likely increase the number of low-skilled criminals capable of launching advanced cyberattacks.
▶️ Related Video (80% Match):
🕵️📝Let’s dive deep and fact‑check.
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
References:
Reported By: www.bleepingcomputer.com
Extra Source Hub (Possible Sources for article):
https://www.pinterest.com
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeNews & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon | 📺Youtube




