Global Law Enforcement Cracks Down on Cybercrime, New Phishing-as-a-Service Emerges
Operation First Light 2026 arrests 5,811 suspects and seizes $293 million, while a new PhaaS operation, Forg365, targets Microsoft 365 accounts with AI-powered lures.

In a sweeping global effort, law enforcement agencies across 97 countries have dismantled significant criminal operations, resulting in 5,811 arrests and the seizure of approximately $293 million in illicit assets. Codenamed "Operation First Light 2026," the initiative, coordinated by Interpol and involving regional bodies like ASEANAPOL, GCCPOL, and Europol, ran from January to April and specifically targeted business email compromise (BEC) schemes, investment scams, and money laundering syndicates. This massive coordinated action saw over 31,000 fraudulent bank accounts and virtual wallets blocked, with investigators identifying more than 142,000 victims worldwide and flagging an additional 15,600 suspects for future prosecution.
Separately, a concerning new phishing-as-a-service (PhaaS) operation named Forg365 has been identified, posing a significant threat to Microsoft 365 enterprise accounts. This operation cleverly blends adversary-in-the-middle (AiTM) techniques with the OAuth 2.0 device code authentication flow, a method originally designed for input-constrained devices. Forg365 leverages AI to generate customized phishing lures, significantly lowering the barrier to entry for attackers. To maintain stealth, the operation routes its communications through legitimate Amazon SES infrastructure and hosts its landing pages on Cloudflare.
The technical mechanism employed by Forg365 is particularly insidious. Instead of directly stealing passwords, it tricks victims into authorizing an attacker-controlled gadget via a deceptive verification page. This initial compromise is then cemented by a specialized browser extension called ForgCookie, which operates silently across Microsoft Edge, Google Chrome, and Brave. This extension captures account data, clears session cookies, and triggers a hidden OAuth flow to obtain fresh authentication tokens, granting attackers persistent access to the victim's Microsoft services without requiring re-authentication.
Forg365 also incorporates robust anti-analysis features to evade detection by security researchers and defenders. The platform employs debugger traps, polymorphic code, and dynamic sandbox checks, even redirecting suspicious connections to innocuous websites when a VPN is detected. This sophisticated evasion makes it challenging to track and disrupt the PhaaS operation.
In a separate development, SentinelOne reported that suspected state-sponsored threat actors from both China and India have been independently targeting Pakistani law enforcement organizations for over two years. These cyberespionage campaigns, which ran between February 2024 and April 2026, focused on compromising critical network appliances and web servers within organizations like the Balochistan Police. Both nations sought visibility into Pakistan's internal security posture and counter-militancy operations.
The China-nexus intrusions utilized malware such as PlugX, ShadowPad, and Cobalt Strike, likely driven by concerns over the safety of Chinese nationals involved in regional infrastructure projects under the China-Pakistan Economic Corridor (CPEC). The Chinese government has reportedly expressed dissatisfaction with Pakistani protection measures due to ongoing terrorist attacks in the region.
Conversely, the India-nexus activity employed Remcos backdoors to gather intelligence on the restive Balochistan province, a persistent point of contention in the adversarial relationship between India and Pakistan. The dual targeting highlights the strategic importance of the region and the ongoing intelligence-gathering efforts by these state actors.
Organizations using Microsoft 365 can defend against Forg365 by monitoring Microsoft Entra logs for unusual device-code authentication events and considering disabling device-code flows if not essential. For the espionage campaigns, affected organizations should review network logs for indicators of compromise related to the mentioned malware families and ensure robust endpoint detection and response capabilities are in place.