"AI reduces the cost of developing custom phishing content, but it also reduces the cost of building custom PhaaS platforms," ZeroBEC researchers wrote, summarizing what they found inside a new service that aims to turn Microsoft 365 accounts into easy targets.
What Forg365 is and how it operates
Forg365 is a phishing-as-a-service (PhaaS) platform designed to steal Microsoft 365 accounts, combining adversary‑in‑the‑middle (AiTM) and device‑code techniques with integrated AI-assisted lure generation, according to researchers at ZeroBEC. The operation presents itself as a mature PhaaS offering: its dashboard lets operators create phishing campaigns, manage phishing links, configure OAuth apps and SMTP profiles, manage tokens, and generate message content with on‑panel AI assistance.
Two attack paths: device‑code phishing and AiTM proxying
ZeroBEC reports Forg365 supports two primary routes into accounts. In the device‑code path, victims are shown a Microsoft‑style verification code page and instructed to authenticate using Microsoft's device‑code flow (the OAuth 2.0 device code method intended for devices with limited input). Victims are tricked into authorizing an attacker‑controlled "device," granting access without the attacker ever learning a password.
The AiTM method uses a proxy to relay authentication traffic between Microsoft and the target account, capturing session cookies during the exchange. Both vectors aim to obtain tokens or cookies that permit access to Microsoft services without needing direct credential theft.
Tools for persistence: ForgCookie browser extension and token management
Forg365 operators are provided a browser extension called ForgCookie that works with Google Chrome, Microsoft Edge, and Brave. ZeroBEC describes the extension as automatically refreshing Microsoft SSO cookies by requesting account data from the Forg365 backend, clearing session cookies, and then triggering a silent OAuth flow to capture fresh cookies. The result is persistent access to the Microsoft services linked to a compromised account without repeated re‑authentication.
The platform also exposes token and cookie management features in its administration panel and an account intelligence dashboard with keyword monitoring that scans compromised mailboxes for predefined terms and alerts operators when matches appear.
Infrastructure, delivery, and anti‑research defenses
ZeroBEC observed that Forg365 mixes legitimate services with malicious infrastructure. "The observed sender domain used Amazon SES delivery, while the message body included SendGrid‑hosted image or tracking resources," the researchers noted, and they also found Cloudflare Pages used for landing pages and Gophish for campaign delivery. This blending of trusted services and phishing components is presented as a signal of an operation built to slip into normal email traffic.
To hinder analysis, Forg365 employs an AntiBot feature with "AES‑encrypted redirectors, bot detection, debugger traps, sandbox checks, and polymorphic code," and the platform will redirect visitors who appear to be using a VPN to innocuous content rather than expose phishing pages.
What this means for technologists, procurement leaders, and end users
- Technologists and security teams: ZeroBEC recommends restricting or disabling Microsoft device‑code authentication unless it is specifically required, and monitoring Microsoft Entra logs for device‑code authentication events, mailbox rules, new device sign‑ins, Microsoft Authentication Broker activity, and OAuth grants for unexpected entries. If a compromise is suspected, all tokens and sessions should be revoked and refreshed.
- Procurement and platform owners: The use of Amazon SES, SendGrid resources, Cloudflare Pages and Gophish in combination shows how readily available legitimate services can be woven into phishing infrastructure; procurement teams should consider how vendor services might be abused and require controls on outbound email and hosting usage tied to brand protection and abuse reporting.
- End users and administrators: Because ForgCookie and the token capture techniques provide persistent access without passwords, ordinary signals such as repeated password prompts may be absent; administrators must treat unexpected OAuth grants, silent device‑code approvals, and fresh session cookies as red flags.
ZeroBEC's analysis ties a suite of contemporary tactics—device‑code auth, AiTM proxies, integrated AI lure generation, cookie refresh extensions—into a single packaged service. The study underlines the researchers' point: lowering the cost and complexity of creating convincing, persistent phishing capabilities makes large classes of accounts easier targets. Security teams are urged to monitor authentication telemetry closely and, where necessary, revoke and refresh tokens to remove attacker access.




