Forg365 PhaaS Escalates Microsoft 365 Account Takeover Risks
A new subscription-based phishing service leverages device code theft and AI to bypass traditional security defenses.
Industrialized Phishing Architectures
The landscape of credential theft continues to evolve with the emergence of Forg365, a phishing-as-a-service platform that provides even novice attackers with a comprehensive toolkit for compromising Microsoft 365 accounts. Operating through Telegram, this service integrates advanced tactics such as adversary-in-the-middle session theft, device code exploitation, and artificial intelligence-assisted content generation to bypass standard security filters.
The panel exposes a mature operator workflow: accounts, links, invitations, OAuth app configuration, redirect links, SVG generation, campaign sending, SMTP profiles, SMTP rotation, AI email generation, token vaulting, account intelligence, keyword alerts, viewer links, and browser-extension support, ZeroBAC said.
Mechanics of the Bypass
By utilizing legitimate infrastructure providers like Amazon SES and Twilio SendGrid, Forg365 hides malicious traffic within trusted email flows. Once a target interacts with a lure, the system employs sophisticated device-auth phishing techniques. As ZeroBAC explained,
Forg365 includes a device-auth phishing branch that presents a Microsoft-styled verification code page and pushes the victim into a legitimate Microsoft Authentication Broker sign-in flow. The victim sees real Microsoft authentication surfaces, but the code authorizes an attacker-controlled session.
Automated Post-Compromise Persistence
Forg365 extends its utility far beyond initial credential harvesting by automating the maintenance of access. The platform features ForgCookie, a specialized extension for Chromium-based browsers that enables the automatic refreshing of session cookies. This allows threat actors to maintain long-term access, monitor email threads for sensitive keywords, and even draft responses using built-in AI capabilities to remain undetected within a compromised mailbox.
- $400 per month subscription fee for the service.
- $3,800 annual cost for full platform access.
- Over 33 different lures supported by the associated Kali65 phishing kit.
- $500 to $3,000 price range for the The Quarry PhaaS kit.
Strategic Defensive Considerations
The rise of these integrated platforms shifts the risk profile for organizations, as threat actors no longer require deep technical expertise to execute complex identity attacks. Defensive teams should prioritize auditing mail-flow rules and reviewing mailbox artifacts following any device code authentication events. Furthermore, decommissioning legacy email aliases is essential, as attackers frequently exploit these forgotten identities to bypass security gateways and land directly in active inboxes. Organizations must remain vigilant, as the combination of AI and industrialized session-theft tools makes distinguishing legitimate correspondence from sophisticated phishing attempts increasingly difficult.