Security researchers have uncovered Forg365, a phishing-as-a-service (PhaaS) platform that uses artificial intelligence to create phishing campaigns targeting Microsoft 365 users.

The platform combines adversary-in-the-middle (AiTM) attacks with device-code phishing to steal Microsoft 365 accounts. It also includes tools that help attackers maintain long-term access to compromised accounts without requiring victims to log in again.

Forg365 Combines AI With Advanced Phishing Techniques

Researchers at email security company ZeroBEC discovered Forg365 while investigating phishing emails disguised as legitimate business documents.

The messages used trusted infrastructure, including Amazon SES for email delivery and SendGrid-hosted images and tracking resources, helping the phishing emails blend into normal business traffic.

According to ZeroBEC, the platform offers a wide range of features, including:

  • Device-code phishing
  • Adversary-in-the-middle (AiTM) phishing
  • AI-generated phishing emails
  • Token and cookie management
  • Post-compromise account management

Researchers note that several features resemble those found in other well-known phishing-as-a-service platforms, including Kali365 and Sneaky2FA, although no direct link has been confirmed.

Dashboard Automates Phishing Campaigns

After gaining access to the Forg365 administration panel, researchers found a fully featured dashboard that allows operators to manage phishing operations from a single interface.

The dashboard enables attackers to:

  • Launch new phishing campaigns
  • Create and manage phishing links
  • Configure OAuth applications and SMTP profiles
  • Store authentication tokens
  • Generate phishing emails using built-in AI tools

While AI-generated phishing emails have become increasingly common, ZeroBEC says Forg365 stands out by integrating AI directly into the campaign management panel. Operators can generate, edit, and refine phishing messages without leaving the dashboard used to control compromised accounts.

According to the researchers, integrating AI lowers both the cost of creating convincing phishing lures and the effort required to develop custom phishing-as-a-service platforms.

Platform Helps Maintain Long-Term Access

Forg365 also includes an account intelligence dashboard that monitors compromised inboxes for predefined keywords and alerts attackers whenever matching emails arrive.

Another notable feature is ForgCookie, a browser extension compatible with Google Chrome, Microsoft Edge, and Brave.

The extension automatically refreshes Microsoft single sign-on (SSO) cookies by requesting account information from the Forg365 backend, clearing existing session cookies, and silently completing an OAuth authentication flow to capture fresh credentials.

This allows attackers to maintain persistent access to Microsoft services linked to compromised accounts without repeatedly asking victims to authenticate.

Forg365 Supports Two Phishing Methods

According to ZeroBEC, Forg365 supports two primary attack techniques.

The first is device-code phishing, which abuses Microsoft’s legitimate OAuth 2.0 device authorization flow. Victims are presented with what appears to be an official Microsoft verification page and instructed to enter a device code.

Instead of stealing passwords directly, attackers trick users into authorizing an attacker-controlled device, giving them access to the victim’s Microsoft account.

The second method is AiTM phishing, where the platform acts as a proxy between Microsoft and the victim. This enables attackers to intercept authentication traffic and capture valid session cookies after login.

Anti-Analysis Features Hide the Platform

Forg365 includes several protections designed to prevent security researchers from accessing its infrastructure.

According to ZeroBEC, the platform features AES-encrypted redirectors, bot detection, debugger traps, sandbox detection, and polymorphic code to frustrate analysis.

It also detects VPN connections and redirects visitors to harmless content instead of displaying phishing pages or the administration panel.

Researchers found that Forg365 relies on Amazon SES to send phishing emails, Cloudflare Pages to host phishing landing pages, and Gophish to manage campaign delivery.

How Organizations Can Protect Microsoft 365 Accounts

ZeroBEC recommends restricting or disabling Microsoft device-code authentication unless it is required within the organization.

Security teams should also monitor Microsoft Entra logs for device-code authentication events, investigate unexpected mailbox rules, new device sign-ins, OAuth permission grants, and Microsoft Authentication Broker activity.

If an account compromise is suspected, administrators should immediately revoke all active sessions and authentication tokens before forcing users to re-authenticate.


0 responses to “Forg365 Phishing Platform Uses AI to Target Microsoft 365 Accounts”