Close Menu

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    What's Hot

    The Hidden Security Risks of Reduced Summer IT Coverage

    July 9, 2026

    New Forg365 phishing platform uses AI to target Microsoft 365 accounts

    July 9, 2026

    Infosec News Nuggets — July 9, 2026 – AboutDFIR

    July 9, 2026
    Facebook X (Twitter) Instagram
    • Demos
    • Technology
    • Gaming
    • Buy Now
    Facebook X (Twitter) Instagram Pinterest Vimeo
    Canadian Cyber WatchCanadian Cyber Watch
    • Home
    • News
    • Alerts
    • Tips
    • Tools
    • Industry
    • Incidents
    • Events
    • Education
    Subscribe
    Canadian Cyber WatchCanadian Cyber Watch
    Home»News»New Forg365 phishing platform uses AI to target Microsoft 365 accounts
    News

    New Forg365 phishing platform uses AI to target Microsoft 365 accounts

    adminBy adminJuly 9, 2026No Comments4 Mins Read
    Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
    Share
    Facebook Twitter LinkedIn Pinterest Email


    New Forg365 phishing platform uses AI to target Microsoft 365 accounts

    A new phishing-as-a-service (PhaaS) operation called Forg365 focuses on stealing Microsoft 365 accounts by combining adversary-in-the-middle (AiTM) and device code methods with AI-assisted lure generation.

    The platform also provides a browser extension for continued access to the Microsoft services linked to the compromised accounts without the need to re-authenticate.

    Researchers at ZeroBEC email security company say that many of the features in Forg365 are present in other infamous PhaaS platforms such as Kali365 and Sneaky2FA, although they could not establish a connection.

    image

    Their investigation began by analyzing phishing emails that posed as business documents, carefully crafted to mimic a trusted service.

    “The observed sender domain used Amazon SES delivery, while the message body included SendGrid-hosted image or tracking resources,” ZeroBEC says in a report today.

    This combination of legitimate services and phishing infrastructure indicates a mature PhaaS operation capable of blending its messages into regular email traffic.

    The platform features device-code phishing, adversary-in-the-Middle (AiTM) phishing, AI-assisted email content generation, token and cookie management, and post-compromise operations.

    Digging deeper, the researchers obtained access to the Forg365 dashboard, which allows creating new phishing campaigns, manage phishing links, configure OAuth apps and SMTP profiles, manage tokens, and generate phishing emails with the help of AI.

    The Forg365 panel
    The Forg365 panel
    Source: ZeroBec

    Although the use of AI in crafting custom phishing lures is not new, the researchers highlight that the feature is directly integrated in Forg365’s panel, allowing the operator to create the malicious emails, prepare the text, and refine the messages from the same dashboard used to control the post-compromise activity.

    According to the researchers, this integration is strategic, as “AI reduces the cost of developing custom phishing content, but it also reduces the cost of building custom PhaaS platforms.”

    AI-assisted email content generation
    AI-assisted email content generation
    Source: ZeroBec

    The panel also includes an account intelligence dashboard and a keyword monitoring feature that scans compromised mailboxes for predefined terms, alerting operators whenever a match is detected.

    Operators are provided a browser extension called ForgCookie that is compatible with Google Chrome, Microsoft Edge, and Brave, and is specifically designed for automatically refreshing Microsoft SSO cookies.

    The extension works by requesting account data from the Forg365 backend, clearing session cookies, and triggering a silent OAuth flow to capture the fresh cookies.

    This provides the attacker with persistent access to the Microsoft services associated with the victim’s account.

    The ForgCookie extension
    The ForgCookie extension
    Source: ZeroBec

    According to ZeroBEC, Forg365 supports two primary attack paths: the trending device-code phishing and the more traditional AiTM phishing.

    In the first case, victims are shown a Microsoft-style verification code page and instructed to complete authentication using Microsoft’s device-code flow designed for any endpoint with input constraints (e.g. smartTV, IoT appliances, tools without a browser).

    Rather than targeting the victim’s password directly, the victim is tricked into authorizing an attacker-controlled gadget through the legitimate OAuth 2.0 device code flow authentication method.

    The device-code phishing method
    The device-code phishing method
    Source: ZeroBec

    For AiTM phishing, the platform uses a proxy for the authentication requests and data exchanged between the Microsoft infrastructure and the target account, capturing session cookies in the process.

    To prevent researchers from accessing the administration panel, Forg365 has an AntiBot feature that boasts “AES-encrypted redirectors, bot detection, debugger traps, sandbox checks, and polymorphic code.”

    Additionally, when a VPN connection is detected, the platform redirects to innocuous content instead of exposing the phishing pages.

    ZeroBec reports that the platform leverages Amazon SES for phishing email delivery and Cloudflare Pages for the landing pages. Also, the Gophish infrastructure is used for campaign delivery.

    Users are recommended to restrict or disable Microsoft device-code authentication unless required and to monitor Microsoft Entra logs for device-code authentication events.

    Mailbox rules, new device sign-ins, Microsoft Authentication Broker activity, and OAuth grants must also be investigated for unexpected entries.

    If a compromise is suspected, all tokens and sessions must be revoked and refreshed as soon as possible.


    article image

    Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.

    The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.

    Get the whitepaper



    Source link

    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
    Previous ArticleInfosec News Nuggets — July 9, 2026 – AboutDFIR
    Next Article The Hidden Security Risks of Reduced Summer IT Coverage
    admin
    • Website

    Related Posts

    News

    The Hidden Security Risks of Reduced Summer IT Coverage

    July 9, 2026
    News

    Infosec News Nuggets — July 9, 2026 – AboutDFIR

    July 9, 2026
    News

    Cyber Essentials Pathways: from proof of concept to cyber confidence

    July 9, 2026
    Add A Comment

    Comments are closed.

    Demo
    Top Posts

    Catchy & Intriguing

    March 17, 202677 Views

    The Canadian Password Playbook: Navigating Compliance and Building Strong Passwords

    March 25, 202634 Views

    IP Address Investigations and Local OSINT

    March 20, 202633 Views
    Stay In Touch
    • Facebook
    • YouTube
    • TikTok
    • WhatsApp
    • Twitter
    • Instagram
    Latest Reviews
    85
    Featured

    Pico 4 Review: Should You Actually Buy One Instead Of Quest 2?

    January 15, 2021 Featured
    8.1
    Uncategorized

    A Review of the Venus Optics Argus 18mm f/0.95 MFT APO Lens

    January 15, 2021 Uncategorized
    8.9
    Editor's Picks

    DJI Avata Review: Immersive FPV Flying For Drone Enthusiasts

    January 15, 2021 Editor's Picks

    Subscribe to Updates

    Get the latest tech news from FooBar about tech, design and biz.

    Demo
    Most Popular

    Catchy & Intriguing

    March 17, 202677 Views

    The Canadian Password Playbook: Navigating Compliance and Building Strong Passwords

    March 25, 202634 Views

    IP Address Investigations and Local OSINT

    March 20, 202633 Views
    Our Picks

    The Hidden Security Risks of Reduced Summer IT Coverage

    July 9, 2026

    New Forg365 phishing platform uses AI to target Microsoft 365 accounts

    July 9, 2026

    Infosec News Nuggets — July 9, 2026 – AboutDFIR

    July 9, 2026

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Facebook X (Twitter) Instagram Pinterest
    • Home
    • Technology
    • Gaming
    • Phones
    • Buy Now
    © 2026 ThemeSphere. Designed by ThemeSphere.

    Type above and press Enter to search. Press Esc to cancel.