Forg365 Phishing Platform Leverages AI and AiTM to Target Microsoft 365 Accounts
A new phishing-as-a-service platform, Forg365, combines advanced techniques like adversary-in-the-middle (AiTM) and device code phishing with AI-generated lures to steal Microsoft 365 credentials.

A new phishing-as-a-service (PhaaS) operation named Forg365 has emerged, specifically targeting Microsoft 365 accounts through a sophisticated combination of adversary-in-the-middle (AiTM) and device code phishing techniques. This platform distinguishes itself by integrating AI to generate highly convincing phishing lures, aiming to bypass security measures and successfully harvest user credentials.
Researchers from ZeroBEC, an email security firm, have observed that Forg365 incorporates many features found in other notorious PhaaS platforms like Kali365 and Sneaky2FA, although a direct link between them remains unconfirmed. The operation's initial analysis revealed phishing emails disguised as legitimate business documents, meticulously crafted to mimic trusted services. These emails often utilized Amazon SES for delivery and SendGrid for hosting images or tracking resources, a common tactic for mature PhaaS operations to blend in with normal email traffic.
The Forg365 platform offers a comprehensive suite of tools for its operators, including device-code phishing, AiTM phishing, AI-assisted email content generation, robust token and cookie management, and capabilities for post-compromise operations. Access to the Forg365 dashboard allows users to create new phishing campaigns, manage phishing links, configure OAuth applications and SMTP profiles, and generate malicious emails with AI assistance.
The integration of AI for generating custom phishing content is a significant aspect of Forg365. This feature is directly embedded within the operator's dashboard, enabling the creation and refinement of malicious emails from the same interface used to manage post-compromise activities. According to ZeroBEC, this strategic integration not only reduces the cost of developing tailored phishing content but also lowers the barrier to entry for building custom PhaaS platforms.
Beyond lure generation, the platform includes an account intelligence dashboard and a keyword monitoring feature that scans compromised mailboxes for specific terms, alerting operators to potential opportunities. A notable component is the ForgCookie browser extension, compatible with Chrome, Edge, and Brave. This extension is designed to automatically refresh Microsoft Single Sign-On (SSO) cookies, allowing attackers to maintain persistent access to a victim's Microsoft services without requiring re-authentication.
Forg365 supports two primary attack vectors. The first is device-code phishing, where victims are directed to a Microsoft-style verification page and prompted to authenticate using Microsoft's legitimate device-code flow. This method tricks users into authorizing an attacker-controlled device through the OAuth 2.0 flow, rather than directly targeting passwords. The second is AiTM phishing, which employs a proxy to intercept authentication requests and session cookies exchanged between Microsoft infrastructure and the target account.
To thwart security researchers and automated analysis, Forg365 incorporates an AntiBot feature. This includes AES-encrypted redirectors, bot detection, debugger traps, sandbox checks, and polymorphic code. The platform also redirects detected VPN connections to innocuous content, further obscuring its phishing pages. Infrastructure for the operation includes Amazon SES for email delivery, Cloudflare Pages for landing pages, and Gophish for campaign management.
Security recommendations for mitigating Forg365 attacks include restricting or disabling Microsoft device-code authentication where not strictly necessary, and closely monitoring Microsoft Entra logs for suspicious device-code authentication events. Additionally, organizations should investigate mailbox rules, new device sign-ins, Microsoft Authentication Broker activity, and OAuth grants for unexpected entries. In the event of a suspected compromise, revoking and refreshing all affected tokens and sessions promptly is crucial.