Full Report
A new phishing-as-a-service (PhaaS) operation called Forg365 is using a combination of device code phishing, adversary-in-the-middle (AitM) tactics, antibot evasion, artificial intelligence (AI)-assisted lure creation, and post-compromise mailbox operations targeting Microsoft 365 accounts. Distributed via Telegram and costing $400 a month (or $3,800 per year), attack chains leverage phishing
Analysis Summary
# Tool/Technique: Forg365
## Overview
Forg365 is a sophisticated Phishing-as-a-Service (PhaaS) platform specifically designed to target Microsoft 365 environments. It utilizes a subscription-based model via Telegram to provide attackers—ranging from novices to advanced operators—with a comprehensive suite of tools for credential theft, session hijacking, and automated post-compromise actions.
## Technical Details
- **Type:** Phishing-as-a-Service (PhaaS) / Adversary-in-the-Middle (AitM) Kit
- **Platform:** Microsoft 365 (Web, Desktop, and Cloud services)
- **Capabilities:** Device code phishing, AitM proxying, AI-generated lures, automated session refreshing, and mailbox monitoring.
- **First Seen:** Reported July 2026
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
- [T1566.002 - Phishing: Spearphishing Link]
- **[TA0006 - Credential Access]**
- [T1557 - Adversary-in-the-Middle]
- [T1528 - Steal Application Access Token]
- **[TA0003 - Persistence]**
- [T1550.004 - Use Alternate Authentication Material: Web Session Cookie]
- **[TA0007 - Discovery]**
- [T1114.002 - Email Collection: Remote Email Services]
## Functionality
### Core Capabilities
- **Adversary-in-the-Middle (AitM):** Proxies the legitimate Microsoft authentication process to intercept session cookies and tokens in real-time.
- **Device Auth Phishing:** Presents a fake Microsoft verification code page to trick users into authorizing an attacker-controlled session via a legitimate Microsoft Authentication Broker flow.
- **Lure Generation:** Integrates AI-assisted tools to create convincing email lures and supports legitimate delivery infrastructure (Amazon SES and Twilio SendGrid) to bypass reputation-based filters.
- **Subscription Management:** A centralized "Operator Panel" for managing links, campaigns, and captured credentials.
### Advanced Features
- **ForgCookie Extension:** A custom Chromium-based browser extension that automates "SSO cookie refreshing." It injects stolen refresh tokens into the browser to maintain persistent, silent access to the victim's account without re-authentication.
- **Evasion Techniques:** Employs antibot measures, traffic classification, and VPN detection to redirect security scanners or researchers to benign decoy content.
- **Post-Compromise Automation:** Features keyword-based mailbox monitoring and AI-powered drafting of email responses within legitimate threads to facilitate lateral movement or BEC (Business Email Compromise).
## Indicators of Compromise
- **File Names:** `ForgCookie` (Browser extension)
- **Network Indicators:**
- `logfriend[.]com` (Operator login portal)
- `forg365[.]com` (Backend/API communications)
- **Behavioral Indicators:**
- Rapid clearing and injection of Microsoft session cookies within Chromium browsers.
- Unusual OAuth application authorizations for unknown or suspicious applications.
- Unexpected traffic redirections to Microsoft authentication endpoints initiated from third-party domains.
## Associated Threat Actors
- Distributed primarily via **Telegram**; utilized by various unnamed affiliates and cybercriminal groups targeting corporate M365 tenants.
## Detection Methods
- **Behavioral Detection:** Monitor for unauthorized "Device Code" authentication requests and unusual login locations (Impossible Travel).
- **Endpoint Monitoring:** Scan for the presence of the `ForgCookie` extension or unauthorized Chromium extensions with permissions to modify cookies on `login.microsoftonline.com`.
- **Email Security:** Track the use of Amazon SES and SendGrid for high-volume redirection chains ending in newly registered or low-reputation domains.
## Mitigation Strategies
- **Enforce Phishing-Resistant MFA:** Transition from standard TOTP or SMS-based MFA to FIDO2-compliant security keys or Microsoft Authenticate with Number Matching to defeat AitM proxying.
- **Conditional Access Policies:** Implement strict policies that require compliant, managed devices for access to sensitive M365 resources.
- **OAuth Governance:** Regularly audit and restrict user consent for third-party applications and monitor for suspicious OAuth token requests.
- **Browser Security:** Use administrative templates to block the installation of unapproved browser extensions.
## Related Tools/Techniques
- **Kali365 (Octopi365/Freedom365):** Similar PhaaS targeting M365.
- **Sneaky 2FA:** A phishing kit known for incorporating "Browser-in-the-Browser" (BitB) and advanced evasion.
- **Evilginx2:** A common AitM framework used for session hijacking.