Forg365 Phishing Platform Exploits AI to Target Microsoft 365 Accounts

A new phishing-as-a-service platform named Forg365 has emerged, specifically targeting Microsoft 365 accounts. This platform integrates artificial intelligence (AI) to enhance the effectiveness of phishing campaigns, offering cybercriminals a comprehensive suite of tools for credential theft and unauthorized access.

Forg365 is distributed via Telegram, providing a 30-day trial and subscription options at approximately $300 per month or an annual plan. This subscription model reflects the increasing professionalization of phishing operations, allowing attackers to utilize pre-built templates, sending tools, token storage, and AI-generated phishing emails without developing their own infrastructure.

The platform supports two primary attack methods: device-code phishing and adversary-in-the-middle (AiTM) phishing. In device-code phishing, victims encounter a Microsoft-style verification page prompting them to enter a code through a legitimate Microsoft sign-in process. While the Microsoft page is authentic, the code grants attackers access to a session they control, potentially bypassing traditional password-focused security measures.

In AiTM phishing, Forg365 inserts a phishing page between the victim and Microsoft’s genuine authentication services. This technique captures session information, authentication tokens, and browser cookies upon successful login, enabling attackers to hijack sessions and gain unauthorized access to accounts.

To evade detection, Forg365 employs anti-bot and cloaking features, such as redirecting traffic from VPN networks to benign decoy websites instead of displaying phishing content. AI integration is a significant aspect of the platform, featuring an in-panel tool for generating phishing emails and lures. This allows attackers to create convincing business documents, invoices, voicemails, or password reset messages without relying on external AI tools.

The platform also offers SMTP rotation, campaign scheduling, redirect links, encrypted SVG files, and templates impersonating services like SharePoint, OneDrive, DocuSign, and Adobe Acrobat Sign. Beyond the initial phishing stage, Forg365 includes a Token Vault for storing captured authentication tokens and tools like Account Intel, mailbox search, keyword monitoring, and viewer links to examine compromised inboxes.

A browser extension called ForgCookie reportedly refreshes Microsoft single sign-on cookies, enabling attackers to maintain browser-based access after the victim has authenticated. Researchers have linked Forg365 activity to Microsoft Entra device-code events, Microsoft Graph access, and suspicious device registrations. Notably, some newly registered devices used names beginning with “Forg365,” serving as potential detection indicators.

Investigations have identified campaign-linked infrastructure hosted in Kyiv, Ukraine, and traffic from a Comcast/Xfinity address during device-code activity. The emergence of Forg365 underscores the evolving sophistication of phishing attacks, highlighting the need for organizations to implement robust security measures, including multi-factor authentication, user education, and advanced threat detection systems to safeguard against such threats.