A new phishing-as-a-service (PhaaS) platform named Forg365 has emerged, employing advanced techniques to compromise Microsoft 365 accounts. This service integrates device code phishing, adversary-in-the-middle (AiTM) attacks, AI-driven lure creation, and post-compromise mailbox operations, offering cybercriminals a comprehensive toolkit for orchestrating sophisticated phishing campaigns.
Forg365 is distributed via Telegram, with subscription plans priced at $400 per month or $3,800 annually. Subscribers gain access to an operator panel that facilitates the creation and management of phishing campaigns. This panel includes features such as account management, link generation, OAuth application configuration, SMTP profile setup, AI-assisted email generation, token storage, and browser extension support.
The platform’s phishing campaigns often utilize legitimate email delivery services like Amazon Simple Email Service (SES) and Twilio SendGrid. By leveraging these services, Forg365 can craft phishing emails that closely resemble authentic business communications, thereby increasing the likelihood of deceiving recipients. Common lures include themes related to business documents or remittance approvals, enticing users to click on malicious links.
Advanced Attack Techniques
Forg365 employs multiple sophisticated attack methods to compromise Microsoft 365 accounts:
- Device Code Phishing: Victims are presented with a Microsoft-styled verification code page and prompted to enter a code through a legitimate Microsoft sign-in process. This method exploits Microsoft’s OAuth 2.0 device code flow, allowing attackers to gain access without directly obtaining the victim’s credentials.
- Adversary-in-the-Middle (AiTM) Attacks: The platform uses proxy servers to intercept authentication requests and data exchanged between the victim and Microsoft’s infrastructure. This enables the capture of session cookies, granting attackers unauthorized access to the victim’s account.
To evade detection, Forg365 incorporates anti-bot measures, including AES-encrypted redirectors, bot detection mechanisms, debugger traps, sandbox checks, and polymorphic code. Additionally, if a VPN connection is detected, the platform redirects users to benign content, concealing the phishing attempt.
Persistent Access via Browser Extension
A notable feature of Forg365 is its browser extension named ForgCookie, compatible with Chromium-based browsers such as Google Chrome, Microsoft Edge, and Brave. This extension facilitates continuous access to compromised accounts by automating the injection of authentication cookies, thereby maintaining unauthorized access without the need for re-authentication.
The emergence of Forg365 underscores the increasing sophistication of phishing operations, which now offer comprehensive services that lower the barrier to entry for cybercriminals. Organizations must remain vigilant, implementing robust security measures and educating users about the evolving nature of phishing threats to effectively mitigate these risks.