The Hacker News

Top story

Forg365 PhaaS Targets Microsoft 365 with Device Code and AitM Session Theft

A new phishing-as-a-service (PhaaS) operation called Forg365 is using a combination of device code phishing, adversary-in-the-middle (AitM) tactics, antibot evasion, artificial intelligence (AI)-assisted lure creation, and post-compromise mailbox operations targeting Microsoft 365 accounts. Distributed via Telegram and costing $400 a month (or $3,800 per year), attack chains leverage phishing

Jul 13, 2026, 1:03 PMBy info@thehackernews.com (The Hacker News)4 min readcybersecurity
Forg365 PhaaS Targets Microsoft 365 with Device Code and AitM Session Theft

A new phishing-as-a-service (PhaaS) operation called Forg365 is using a combination of device code phishing , adversary-in-the-middle (AitM) tactics, antibot evasion, artificial intelligence (AI)-assisted lure creation, and post-compromise mailbox operations targeting Microsoft 365 accounts.

Distributed via Telegram and costing $400 a month (or $3,800 per year), attack chains leverage phishing lures that make use of legitimate email delivery infrastructure, such as Amazon Simple Email Service (Amazon SES) and Twilio SendGrid, to imitate a redirection chain that blends into regular email traffic before it ends in Forg365-controlled domains.

"The panel exposes a mature operator workflow: accounts, links, invitations, OAuth app configuration, redirect links, SVG generation, campaign sending, SMTP profiles, SMTP rotation, AI email generation, token vaulting, account intelligence, keyword alerts, viewer links, and browser-extension support," ZeroBEC said .

The email security company said the PhaaS kit is best understood as similar to the Kali365 (aka Octopi365 and Freedom365) and Sneaky 2FA ecosystem, reflecting the industrialization of the business model, which is now combining bringing together lure creation, delivery, evasion, token/session handling, and post-compromise operations under a subscription-based setup that allows even threat actors with little-to-no technical expertise to orchestrate phishing campaigns with minimal effort and at scale.

Attack chains using Forg365 have been observed using business document-themed or remittance approval lures to trick recipients into clicking on malicious links. The sender domain uses Amazon SES for delivery, while the message body contains SendGrid-hosted images or tracking resources.

Customers who successfully complete Telegram registration utilize an operator panel accessible over the clearnet ("logfriend[.] com/login"), from where they can generate lures, set up campaigns, and manage captured tokens.

"Forg365 includes a device-auth phishing branch that presents a Microsoft-styled verification code page and pushes the victim into a legitimate Microsoft Authentication Broker sign-in flow," ZeroBEC explained.

"The victim sees real Microsoft authentication surfaces, but the code authorizes an attacker-controlled session." For AitM phishing, the platform employs route tokens, session cookies, and traffic classification to determine whether to serve phishing content or a benign decoy.

If a VPN connection is detected, the kit redirects to innocuous decoy content instead of exposing the phishing pages.

A notable aspect of the Forg365 platform is that it offers an extension named ForgCookie for Chromium-based browsers like Google Chrome, Microsoft Edge, and Brave that is designed for continued access to the compromised accounts.

Described as an "automatic SSO cookie refresh for Microsoft services," the add-on acts as an intermediary between the token acquisition and browser access by cycling through the steps listed below - Forg365's extends beyond simple credential and token harvesting to facilitate a wide array of post-compromise actions, including monitoring for specific keywords in compromised email accounts and drafting a message response to a particular email thread using assistance from AI.

"The result is a platform that lowers the skill threshold while increasing operational consistency.

Less experienced affiliates can use prebuilt templates, while more capable operators can customize landing pages, rotate infrastructure, manage tokens, generate cookie material, and monitor compromised accounts," ZeroBEC said.

The disclosure coincides with the discovery of various campaigns that have been found to employ phishing kits for credential theft - "The campaign succeeded in reaching the inbox because the recipient organization still maintained an active forwarding relationship from a pre-acquisition namespace into a current mailbox," ZeroBEC noted.

"The attacker used a still-resolvable historical identity to deliver mail that, from the SEG's point of view, looked like normal forwarded correspondence. From the user's point of view, the message landed in their working inbox with no visible cue that it had taken an indirect path."

(The story was updated after publication on July 14, 2026, to correct a spelling error. An earlier version of this article misspelled the name of ZeroBEC.) Learn how to secure AI agents with practical controls for access, visibility, secrets, and risk containment.

Learn how to govern risk, secure AI-built software, and keep control as development moves at machine speed.

Continue with the publisher

Read the original source after the immersive in-app article experience.

Read on source site
Loading...