A newly documented phishing-as-a-service platform distributed through Telegram is lowering the technical barrier to Microsoft 365 account takeovers by giving less-skilled attackers automated tools to evade some authentication controls and retain access after compromise.
The platform, called Forg365, uses AI-assisted lure creation alongside device-code abuse and adversary-in-the-middle techniques, according to research published by security company ZeroBEC.
Forg365 was offered with a five-day free trial, followed by subscriptions priced at $400 per month or $3,800 per year, the researchers said.
Customers can build phishing lures and control email delivery through a single operator panel. They can also manage captured account data and monitor compromised Microsoft 365 mailboxes. The service includes templates that impersonate widely used business platforms such as DocuSign, Adobe Acrobat Sign, SharePoint, and OneDrive.
“Phishing-as-a-service has been around for quite a few years,” said Jonathan Ong, senior analyst for managed security services at Omdia. “But the degree to which AI is integrated into Forg365 and enables users is what makes it concerning.”
Forg365’s significance lies in the industrialization and productization of the operator workflow, according to Devashri Datta, a cybersecurity researcher. “It integrates AI-assisted lure creation, evasion, and post-compromise mailbox operations into a subscription service distributed through Telegram,” Datta said.
How Forg365 works
ZeroBEC said the campaign it investigated began with an email built around a business-document and remittance-approval pretext. The message relied on legitimate cloud and email services before sending the recipient through several redirects.
Forg365 classified visitors before deciding whether to display a device-code phishing page, an adversary-in-the-middle flow, or a harmless decoy.
In the device-code attack, the victim is directed to a legitimate Microsoft authentication process and persuaded to enter a code that authorizes a session controlled by the attacker. The involvement of genuine Microsoft infrastructure can make the request appear credible.
The platform can also relay authentication through an adversary-in-the-middle attack and capture session information. ZeroBEC said suspicious visitors were diverted to a benign page, helping the operators conceal the phishing flow from researchers and automated security tools.
Complicating incident response
A browser extension called ForgCookie allows attackers to generate and refresh Microsoft single sign-on cookies from their own browsers, ZeroBEC said.
Forg365 also advertises tools for keeping sessions active and monitoring a compromised inbox. Read-only access to the mailbox can then be shared through a password-protected link.
As a result, resetting a password may not remove the attacker. Stolen refresh-token material or an attacker-controlled session could remain usable after the password is changed. Any devices registered during the compromise must also be investigated.
“CISOs should treat two controls as co-equal priorities rather than sequential ones,” Datta said, referring to tightly restricting device-code authentication and deploying phishing-resistant MFA such as FIDO2 or WebAuthn passkeys.
Organizations that do not require device-code authentication should consider blocking it in Microsoft Entra ID, said Keith Prabhu, founder and CEO of Confidis. This can disrupt the device-code component of a Forg365 campaign, although it would not stop attacks that rely on adversary-in-the-middle techniques or stolen session cookies.
Companies that still depend on device-code authentication should identify legitimate uses before imposing a broader restriction. Exceptions may be needed for some command-line tools, conference-room systems or other devices with limited input capabilities.
Deploying phishing-resistant authentication may also require hardware security keys or managed smartphones and could increase support requests during the transition, Datta said.
After detecting a compromise, response teams should revoke active refresh tokens and terminate existing sessions. Prabhu also recommended reviewing and revoking unauthorized OAuth permissions. Because ForgCookie runs in the attacker’s browser, defenders should look for repeated silent sign-ins and non-interactive Microsoft Graph activity from unfamiliar addresses, according to ZeroBEC.
Mailbox forwarding rules and delegated access should be reviewed for unauthorized changes, Prabhu said. Such changes could allow attackers to monitor communications or retain access after a password reset.
“IR teams should audit newly registered devices and remove any that cannot be attributed to the user,” Datta said. Teams should also check whether an attacker enrolled an unauthorized authenticator application or passkey during the compromise, she added.
ZeroBEC found that some devices registered during its investigation had names beginning with “Forg365,” giving defenders a possible indicator of compromise.
No Responses