Mastodon Mastodon Mastodon Mastodon

Inside the Forg365 phishing-as-a-service platform for Microsoft 365

Photo of author

CyberSecureFox Editorial Team

Published:

Researchers from ZeroBAC have disclosed details of a new phishing-as-a-service (PhaaS) platform called Forg365, which targets Microsoft 365 accounts. Distributed via Telegram on a subscription basis at $400 per month, the platform brings together several advanced techniques in a single operator interface: device code phishing, adversary-in-the-middle (AitM) session interception, anti-bot evasion, AI-generated phishing lures, and automated actions in compromised mailboxes. Organizations using Microsoft 365 should immediately assess their exposure to device code phishing and review their conditional access policies.

Platform architecture and attack chain

According to the researchers, Forg365 is a mature operator platform with a management panel accessible over the open internet (domain logfriend[.]com). The panel provides operators with a full toolset: account management, OAuth application configuration, SVG element generation, SMTP profile rotation, AI-based creation of phishing emails, token storage, monitoring of compromised accounts by keywords, and browser extension support.

The attack chain starts with phishing emails themed around business documents or payment approvals. Legitimate infrastructure is used for delivery — Amazon SES as the sending domain and Twilio SendGrid for hosting images and tracking resources in the email body. This setup allows phishing messages to blend into normal email traffic and slip past secure email gateways (SEGs).

Device code phishing: legitimate Microsoft screens in service of attackers

One of Forg365’s key techniques is the device code authentication flow. The platform reportedly displays to the victim a verification code entry page styled as Microsoft and then sends the user into the legitimate authentication flow via Microsoft Authentication Broker. The victim sees genuine Microsoft authentication screens, but the entered code authorizes a session controlled by the attacker. This makes the attack extremely difficult for users to detect — all visual elements are authentic.

AitM phishing with adaptive behavior

For AitM-style session interception, the platform uses routing tokens, session cookies, and traffic classification to determine whether to show the visitor phishing content or a harmless decoy page. When a VPN connection is detected, the system redirects to neutral content, hiding phishing pages from researchers and automated scanners.

ForgCookie: persistent access via a browser extension

Special attention is warranted by the ForgCookie extension for Chromium-based browsers (Google Chrome, Microsoft Edge, Brave). According to ZeroBAC, the extension provides “automatic SSO cookie refresh for Microsoft services” and operates as follows:

  • Requests account data from the Forg365 back end
  • Contacts the cookie generation endpoint for the selected account
  • Clears existing Microsoft session cookies
  • Injects a generated cookie with a refresh token into the Microsoft authorization domain
  • Initiates a hidden OAuth flow
  • Intercepts resulting Microsoft cookies across all Microsoft domains

In effect, ForgCookie turns a one-time token compromise into a persistent access channel to the compromised account, automatically refreshing the session without repeat phishing.

Post-exploitation with AI elements

Forg365’s functionality goes beyond harvesting credentials and tokens. The platform reportedly supports monitoring of compromised mailboxes by specified keywords and generating replies to specific email threads using AI. This means attackers can automate business email compromise (BEC) — one of the most financially destructive forms of cyber fraud.

PhaaS ecosystem: Forg365 in the context of phishing industrialization

ZeroBAC describes Forg365 as part of a broader ecosystem that includes the Kali365 platform (also known as Octopi365 and Freedom365) and Sneaky 2FA. This ecosystem reflects the industrialization of phishing: lure creation, delivery, evasion, token handling, and post-exploitation are bundled into a subscription model available to operators without deep technical expertise.

Alongside the Forg365 disclosure, researchers have observed a number of related campaigns:

  • Kali365 — according to Huntress, the platform supports more than 33 different lures and includes the OctoLink Live desktop app for opening a victim’s mailbox via OWA, OneDrive, SharePoint or admin.microsoft.com, as well as the OctoLink Sender tool for mass phishing from compromised accounts (lateral phishing). According to Arctic Wolf, Kali365 phishing pages also impersonate the Russian messenger MAX.
  • EvilTokens — a device code phishing campaign that exploits legacy email aliases. The redirect chain runs through a Mailjet tracking link, a compromised WordPress site, a CAPTCHA interstitial, and a host on Cloudflare Workers — three intermediate infrastructure nodes between the email and the phishing kit itself.
  • The Quarry — a PhaaS platform priced from $500 to $3,000 which, according to SOCRadar, uses lures impersonating IRS, SSA, Adobe, Microsoft, DocuSign, and Dropbox to deliver legitimate remote access software ConnectWise ScreenConnect.
  • Nyasher and GPPStormframeworks for compromising Google accounts through fake workflows and phishing pages that use blob URLs instead of standard HTML documents.

Impact assessment

The primary risk group is organizations using Microsoft 365, especially those where device code authentication is allowed and legacy email aliases from previous domains are still in place (for example, after mergers and acquisitions). Forg365’s subscription model lowers the barrier to entry for attackers: less experienced operators rely on ready-made templates, while more advanced ones customize landing pages, rotate infrastructure, and manage tokens.

It is important to note that most claims about Forg365’s capabilities are based on a report from a single research source (ZeroBAC) and are not corroborated by official guidance from Microsoft or government agencies. The actual scale of the platform’s impact has not yet been established.

Practical recommendations

  • Block device code authentication (device code flow) in Azure AD/Entra ID conditional access policies if this feature is not required for business processes
  • Review mailbox artifacts following device code authentication events for signs of unusual activity — creation of forwarding rules, bulk reading of emails, message sending
  • Audit mail-flow rules for unauthorized redirects
  • Retire legacy email aliases that no longer correspond to active employees — especially those left over from pre-merger or pre-acquisition domains
  • Monitor OAuth applications registered in the tenant for suspicious permissions and unknown publishers
  • Check browser extensions on employee workstations — the presence of ForgCookie or similar extensions interacting with Microsoft domains requires immediate response

Forg365 illustrates the shift in the PhaaS ecosystem from simple password collection to a full compromise lifecycle: from delivering phishing via legitimate infrastructure to automated access persistence and AI-assisted email hijacking. The top priorities for defenders are disabling device code flow in Azure AD/Entra ID and auditing legacy email aliases, which create SEG-invisible paths for phishing delivery into corporate mailboxes.


CyberSecureFox Editorial Team

The CyberSecureFox Editorial Team covers cybersecurity news, vulnerabilities, malware campaigns, ransomware activity, AI security, cloud security, and vendor security advisories. Articles are prepared using official advisories, CVE/NVD data, CISA alerts, vendor publications, and public research reports. Content is reviewed before publication and updated when new information becomes available.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.