CyberSecurityBoardThreat Intel · CVEs · Products
Cyber News

Forg365 PhaaS Targets Microsoft 365 with Device Code and AitM Session Theft

July 13, 2026

A new phishing-as-a-service (PhaaS) operation called Forg365 is targeting Microsoft 365 accounts using device code phishing, adversary-in-the-middle (AitM) tactics, antibot evasion, AI-assisted lure creation, and post-compromise mailbox operations. Distributed via Telegram for $400 per month (or $3,800 per year), attack chains leverage legitimate email delivery infrastructure such as Amazon Simple Email Service (Amazon SES) and Twilio SendGrid to blend into regular email traffic before redirecting to Forg365-controlled domains.

According to email security company ZeroBAC, the Forg365 panel exposes a mature operator workflow including accounts, links, invitations, OAuth app configuration, redirect links, SVG generation, campaign sending, SMTP profiles, AI email generation, token vaulting, account intelligence, keyword alerts, viewer links, and browser-extension support. The PhaaS kit is similar to Kali365 (aka Octopi365 and Freedom365) and the Sneaky 2FA ecosystem, reflecting the industrialization of phishing business models.

Forg365 includes a device-auth phishing branch that presents a Microsoft-styled verification code page and pushes victims into a legitimate Microsoft Authentication Broker sign-in flow, authorizing an attacker-controlled session. For AitM phishing, the platform uses route tokens, session cookies, and traffic classification to serve phishing content or benign decoys. If a VPN connection is detected, the kit redirects to innocuous decoy content.

A notable component is the ForgCookie extension for Chromium-based browsers (Google Chrome, Microsoft Edge, Brave) that enables continued access to compromised accounts by automatically refreshing SSO cookies for Microsoft services. The platform also supports post-compromise actions such as monitoring for specific keywords in compromised email accounts and drafting AI-assisted message responses.

ZeroBAC also disclosed various other campaigns using phishing kits for credential theft, including fake Microsoft account activity alerts, Canva-hosted device code phishing flows, Kali365 phishing kits, IRS and Social Security Administration impersonations, SMS-based USPS and UPS phishing, fake bid proposal workflows targeting Google accounts, and GPPStorm campaigns using bogus Google Partners enrollment workflows.

To counter these threats, it is recommended to block device code authentication unless required, review mailbox artifacts after device code events, audit mail-flow rules, and decommission legacy aliases that no longer correspond to active employees.

Malware: Forg365, Kali365, Sneaky 2FA, ForgCookie, EvilTokens, Nyasher, The Quarry, VioletRAT, OctoLink Live, OctoLink Sender, Rocky Gmail Sender, Rocky Email Sorter

Companies: ZeroBAC, Microsoft, Amazon, Twilio, Google, Canva, Cloudflare, Mailjet, Arctic Wolf, Censys, ConnectWise, Adobe

Products: Amazon SES, Twilio SendGrid, Google Chrome, Microsoft Edge, Brave, Microsoft Authentication Broker, ConnectWise ScreenConnect, Cloudflare Workers, OWA, OneDrive, SharePoint, admin.microsoft.com