Published on July 11, 2026
Forg365 Phishing Platform Using AI to Attack Microsoft 365 Accounts
Severity
High
Detail
Cybersecurity researchers have identified Forg365, a sophisticated phishing-as-a-service (PhaaS) platform that targets Microsoft 365 accounts by combining Artificial Intelligence (AI)-generated phishing emails, Device Code phishing, Adversary-in-the-Middle (AiTM) attacks, and post-compromise session management into a single operator platform.
Distributed through Telegram on a subscription basis, Forg365 provides cybercriminals with ready-made phishing templates, email delivery tools, authentication token storage, and AI-powered phishing content generation, significantly lowering the barrier to launching credential theft campaigns. Forg365 focuses on capturing authentication tokens, session cookies, and active login sessions. This enables attackers to bypass traditional password-based protections and maintain unauthorized access even after victims change their passwords.
The platform also incorporates anti-analysis and cloaking techniques that redirect security scanners and VPN users to benign websites, making phishing campaigns more difficult to detect.
How?
The attack begins with attackers creating phishing campaigns using Forg365’s AI-assisted email generator, producing convincing messages such as password reset notifications, invoices, document sharing requests, voicemail alerts, or corporate collaboration invitations.
Forg365 supports two primary attack methods:
- Device Code Phishing – Victims are directed to a legitimate Microsoft device authentication page and instructed to enter an attacker-provided device code. Although the authentication page is genuine, the authorization code links the victim’s authentication session to the attacker’s device, granting unauthorized account access without directly stealing the user’s password.
- Adversary-in-the-Middle (AiTM) Phishing – Victims are redirected to a phishing site positioned between the victim and Microsoft’s legitimate authentication service. After successful authentication, the platform captures session cookies, authentication tokens, and browser session data, allowing attackers to hijack authenticated sessions and bypass Multi-Factor Authentication (MFA).
Following a successful compromise, Forg365 stores stolen authentication tokens within its integrated Token Vault, enabling persistent access to compromised accounts. Additional features allow attackers to search mailbox contents, monitor email activity, access Microsoft Graph resources, and automatically refresh authentication cookies using a browser extension known as ForgCookie, extending access without requiring repeated victim interaction.
Recommendations
Organizations are advised to take the following precautions:
- Restrict or disable Microsoft Device Code authentication where it is not required for business operations.
- Enforce phishing-resistant Multi-Factor Authentication (MFA), such as FIDO2 security keys or passkeys.
- Monitor Microsoft Entra ID logs for unusual Device Code authentication events, suspicious device registrations, Microsoft Graph API activity, and abnormal non-interactive sign-ins.
- Revoke active sessions and refresh tokens immediately after suspected account compromise, as password resets alone may not invalidate stolen session tokens.
- Deploy advanced email security solutions capable of detecting AI-generated phishing emails and credential harvesting attempts.
- Conduct regular phishing awareness training, emphasizing Device Code phishing, AiTM attacks, and AI-generated phishing emails.
Source
https://cybersecuritynews.com/forg365-phishing-attack-microsoft-365-accounts/
