New Forg365 phishing platform uses AI to target Microsoft 365 accounts
Forg365 is a phishing-as-a-service platform targeting Microsoft 365 accounts by combining adversary-in-the-middle (AiTM) and device code phishing methods with AI-assisted email lure generation. It provides attackers with a dashboard to manage campaigns, generate phishing emails, and maintain persistent access via a browser extension that refreshes Microsoft SSO cookies. The platform uses legitimate services like Amazon SES and Cloudflare Pages to blend phishing emails into normal traffic and employs anti-analysis features to evade detection. Forg365 supports device-code phishing, tricking victims into authorizing attacker-controlled devices via OAuth 2.0, and AiTM phishing, capturing session cookies through proxying authentication requests. Recommended mitigations include restricting or disabling device-code authentication if not needed, monitoring Microsoft Entra logs and OAuth grants for suspicious activity, and revoking tokens and sessions if compromise is suspected.
AI Analysis
Technical Summary
Forg365 is a mature phishing-as-a-service platform designed to steal Microsoft 365 accounts by leveraging AI to generate phishing lures and combining two main attack vectors: device-code phishing and adversary-in-the-middle (AiTM) phishing. The platform includes a comprehensive dashboard for campaign management, OAuth app configuration, token management, and AI-assisted email crafting. It uses legitimate cloud services such as Amazon SES for email delivery and Cloudflare Pages for hosting phishing landing pages, enhancing its stealth. Forg365 also provides a browser extension, ForgCookie, to maintain persistent access by automatically refreshing Microsoft SSO cookies. The device-code phishing method abuses Microsoft's OAuth 2.0 device code flow to trick victims into authorizing attacker-controlled devices, while AiTM phishing proxies authentication requests to capture session cookies. Anti-bot and anti-analysis features prevent researchers from accessing the platform and detecting phishing pages. The platform's integration of AI reduces the cost and complexity of creating customized phishing campaigns and managing post-compromise activities.
Potential Impact
Successful exploitation results in theft of Microsoft 365 account credentials and persistent unauthorized access to associated services without requiring re-authentication. This enables attackers to access sensitive business documents, emails, and other resources within compromised accounts. The use of AI-assisted lure generation increases the likelihood of successful phishing by producing convincing and tailored emails. The persistent access facilitated by the ForgCookie browser extension allows attackers to maintain control over accounts even after initial compromise. The platform's use of legitimate cloud services and anti-analysis techniques complicates detection and response efforts.
Mitigation Recommendations
There is no patch applicable as this is a phishing platform rather than a software vulnerability. Users and administrators should restrict or disable Microsoft device-code authentication unless it is strictly required. Monitoring Microsoft Entra logs for device-code authentication events, mailbox rules, new device sign-ins, Microsoft Authentication Broker activity, and OAuth grants is recommended to detect suspicious activity. If compromise is suspected, all tokens and sessions should be revoked and refreshed immediately. Organizations should educate users about phishing risks and the specific tactics used by Forg365. No vendor advisory or official fix is available; mitigation relies on detection, monitoring, and user awareness.
New Forg365 phishing platform uses AI to target Microsoft 365 accounts
Description
Forg365 is a phishing-as-a-service platform targeting Microsoft 365 accounts by combining adversary-in-the-middle (AiTM) and device code phishing methods with AI-assisted email lure generation. It provides attackers with a dashboard to manage campaigns, generate phishing emails, and maintain persistent access via a browser extension that refreshes Microsoft SSO cookies. The platform uses legitimate services like Amazon SES and Cloudflare Pages to blend phishing emails into normal traffic and employs anti-analysis features to evade detection. Forg365 supports device-code phishing, tricking victims into authorizing attacker-controlled devices via OAuth 2.0, and AiTM phishing, capturing session cookies through proxying authentication requests. Recommended mitigations include restricting or disabling device-code authentication if not needed, monitoring Microsoft Entra logs and OAuth grants for suspicious activity, and revoking tokens and sessions if compromise is suspected.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Forg365 is a mature phishing-as-a-service platform designed to steal Microsoft 365 accounts by leveraging AI to generate phishing lures and combining two main attack vectors: device-code phishing and adversary-in-the-middle (AiTM) phishing. The platform includes a comprehensive dashboard for campaign management, OAuth app configuration, token management, and AI-assisted email crafting. It uses legitimate cloud services such as Amazon SES for email delivery and Cloudflare Pages for hosting phishing landing pages, enhancing its stealth. Forg365 also provides a browser extension, ForgCookie, to maintain persistent access by automatically refreshing Microsoft SSO cookies. The device-code phishing method abuses Microsoft's OAuth 2.0 device code flow to trick victims into authorizing attacker-controlled devices, while AiTM phishing proxies authentication requests to capture session cookies. Anti-bot and anti-analysis features prevent researchers from accessing the platform and detecting phishing pages. The platform's integration of AI reduces the cost and complexity of creating customized phishing campaigns and managing post-compromise activities.
Potential Impact
Successful exploitation results in theft of Microsoft 365 account credentials and persistent unauthorized access to associated services without requiring re-authentication. This enables attackers to access sensitive business documents, emails, and other resources within compromised accounts. The use of AI-assisted lure generation increases the likelihood of successful phishing by producing convincing and tailored emails. The persistent access facilitated by the ForgCookie browser extension allows attackers to maintain control over accounts even after initial compromise. The platform's use of legitimate cloud services and anti-analysis techniques complicates detection and response efforts.
Mitigation Recommendations
There is no patch applicable as this is a phishing platform rather than a software vulnerability. Users and administrators should restrict or disable Microsoft device-code authentication unless it is strictly required. Monitoring Microsoft Entra logs for device-code authentication events, mailbox rules, new device sign-ins, Microsoft Authentication Broker activity, and OAuth grants is recommended to detect suspicious activity. If compromise is suspected, all tokens and sessions should be revoked and refreshed immediately. Organizations should educate users about phishing risks and the specific tactics used by Forg365. No vendor advisory or official fix is available; mitigation relies on detection, monitoring, and user awareness.
Threat ID: 6a4fb48668715ace438e62ca
Added to database: 07/09/2026, 14:47:34 UTC
Last enriched: 07/09/2026, 14:47:44 UTC
Last updated: 07/10/2026, 02:32:36 UTC
Views: 30
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.