Forg365, a phishing-as-a-service operation distributed via Telegram, targets Microsoft 365 accounts using a multi-layered attack chain that combines device code phishing with adversary-in-the-middle session theft. The service costs $400 monthly or $3,800 annually, making it accessible to a broad range of threat actors.
The attack methodology employs device code phishing as the initial vector. Rather than directing victims to fake login pages, attackers use legitimate Microsoft device code flows, which present less visual red flags to security-conscious users. Once credentials are captured, Forg365 operators deploy AitM proxies to intercept and steal active session tokens. This dual approach bypasses password-based defenses and session-based MFA protections simultaneously.
The operation incorporates antibot detection evasion to bypass automated defenses, ensuring phishing landing pages remain operational longer. Forg365 also leverages AI tools to generate convincing lure messages and social engineering content, reducing manual effort required from operators and improving phishing success rates.
Post-compromise operations extend beyond initial access. Threat actors abuse compromised mailboxes for further internal reconnaissance, data exfiltration, and lateral movement within target organizations. This transforms account takeover into persistent infrastructure for organizational compromise.
The threat targets both enterprises and individuals using Microsoft 365. Organizations face data exfiltration risks, business email compromise, and potential ransomware deployment. Individuals lose access to personal accounts and become vectors for social engineering attacks against their contacts.
Defenders should implement conditional access policies requiring passwordless sign-in, enforce hardware-backed MFA that resists phishing, and monitor for anomalous mailbox access patterns and forwarding rules. Organizations should monitor for device code authentication requests from unusual locations and disable legacy authentication protocols that PhaaS operators historically exploit.
Forg
