Cybersecurity researchers have uncovered a new phishing as a service platform called Forg365 that is targeting Microsoft 365 users through a combination of device code phishing, adversary in the middle techniques, artificial intelligence generated lures, and post compromise mailbox operations. According to findings from email security company ZeroBAC, the platform is being distributed through Telegram and is offered under a subscription model priced at $400 per month or $3,800 annually. The service provides cybercriminals with a complete toolkit that enables them to launch sophisticated phishing campaigns with minimal technical expertise, highlighting the growing industrialization of phishing operations.
Researchers said Forg365 relies on phishing lures delivered through legitimate email infrastructure, including Amazon Simple Email Service and Twilio SendGrid, allowing malicious messages to blend in with normal email traffic. Attack chains often use business document themes and remittance approval requests to persuade recipients to click on malicious links that eventually redirect them to domains controlled by the operators. Once registered through Telegram, customers gain access to a web based management panel where they can generate phishing lures, configure campaigns, manage captured tokens, and monitor compromised accounts. ZeroBAC noted that the platform combines multiple capabilities into a single service, including lure creation, campaign delivery, infrastructure rotation, token handling, and post compromise operations. Researchers said the platform shares similarities with other phishing ecosystems such as Kali365, Octopi365, Freedom365, and Sneaky 2FA, all of which have contributed to lowering the barrier to entry for cybercriminal activity.
One of the more concerning features of Forg365 is its support for device code phishing attacks. In these campaigns, victims are presented with a Microsoft styled verification page and directed to a legitimate Microsoft Authentication Broker sign in process. While the authentication page itself is genuine, the verification code authorizes an attacker controlled session, allowing cybercriminals to gain access without stealing traditional login credentials. The platform also employs adversary in the middle techniques that use route tokens, session cookies, and traffic classification to determine whether a visitor should be shown phishing content or harmless decoy pages. If a virtual private network connection is detected, the system redirects users to benign content to avoid exposing the phishing infrastructure to security researchers and automated analysis tools.
Researchers also identified a browser extension named ForgCookie designed for Chromium based browsers, including Google Chrome, Microsoft Edge, and Brave. The extension is intended to maintain long term access to compromised accounts by automating cookie refresh operations and silently generating authenticated sessions across Microsoft services. Beyond credential theft, Forg365 supports extensive post compromise activities, including monitoring compromised mailboxes for specific keywords and using artificial intelligence to draft responses within active email conversations. The disclosure comes as security researchers continue to track a wide range of phishing campaigns using similar techniques, including attacks involving Kali365, EvilTokens, GPPStorm, Nyasher, and The Quarry. Experts recommend that organizations disable device code authentication where it is not required, review mailbox activities following authentication events, audit mail flow rules, and remove legacy email aliases that are no longer associated with active employees. According to ZeroBAC, many of these campaigns succeed because attackers exploit outdated configurations and trusted email relationships that allow malicious messages to reach users without raising suspicion.
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.