Skip to main content
Emerging Threats

Forg365 Phishing Service Targets Microsoft 365 with Advanced Device Code Theft

Person working on laptop with smartphone nearby in a casual setting.

"The panel exposes a mature operator workflow: accounts, links, invitations, OAuth app configuration, redirect links, SVG generation, campaign sending, SMTP profiles, SMTP rotation, AI email generation, token vaulting, account intelligence, keyword alerts, viewer links, and browser-extension support," ZeroBAC said.

How Forg365 is sold and delivered

Forg365 is a subscription-based phishing-as-a-service (PhaaS) operation distributed via Telegram and offered at $400 a month or $3,800 per year. Customers who complete Telegram registration receive access to an operator panel on the clearnet ("logfriend[.]com/login") from which they can generate lures, configure campaigns, and manage captured tokens. The kit mixes legitimate email delivery infrastructure—Amazon Simple Email Service (Amazon SES) for sender domains and Twilio SendGrid-hosted images or tracking resources in message bodies—with a redirection chain that blends into normal corporate email traffic before resolving to Forg365-controlled domains.

Device code phishing and AitM session theft

Forg365 combines a device-auth phishing branch with adversary-in-the-middle (AitM) techniques. The device-auth flow "presents a Microsoft-styled verification code page and pushes the victim into a legitimate Microsoft Authentication Broker sign-in flow," ZeroBAC explained, adding that the victim "sees real Microsoft authentication surfaces, but the code authorizes an attacker-controlled session." For its AitM phishing, the platform evaluates route tokens, session cookies, and traffic classification to decide whether to serve phishing content or a benign decoy; if a VPN is detected, the kit redirects to innocuous content rather than exposing phishing pages.

ForgCookie extension and post-compromise operations

A notable component of the toolset is a browser extension called ForgCookie for Chromium-based browsers such as Google Chrome, Microsoft Edge, and Brave. ForgCookie is described as an "automatic SSO cookie refresh for Microsoft services" that operates as an intermediary between token acquisition and browser access. The extension's sequence is explicit in the documentation: it requests account data from the Forg365 backend, calls a cookie-generation endpoint, clears Microsoft session cookies, injects a generated refresh-token credential cookie into the Microsoft login domain, triggers a silent OAuth flow, and captures resulting Microsoft cookies across Microsoft domains.

Beyond credential and token harvesting, Forg365 supports post-compromise activity: monitoring compromised mailboxes for keywords and using AI to draft message responses. ZeroBAC summarized the platform's effect: "The result is a platform that lowers the skill threshold while increasing operational consistency."

How Forg365 fits into an industrialized PhaaS ecosystem

ZeroBAC situates Forg365 alongside other commercialized kits such as Kali365 (aka Octopi365 and Freedom365) and the Sneaky 2FA ecosystem, saying the model now unifies lure creation, delivery, evasion, token/session handling, and post-compromise operations under subscription access. The disclosure lists multiple related campaigns and toolsets that demonstrate the breadth of the market: Kali365 supports over 33 lures and offers a desktop application (OctoLink Live / Kali365 Live) that abuses stolen tokens to open victim mailboxes in OWA, OneDrive, SharePoint, or admin.microsoft.com, plus OctoLink Sender to propagate phishing through breached accounts. Other named kits and campaigns include EvilTokens, Nyasher, GPPStorm, and The Quarry (priced between $500 and $3,000 and attributed to an operator called RockyBelling).

Arctic Wolf flagged targeted attempts that impersonate Russia's MAX messenger as an example of geographic targeting. Censys described SMS-based campaigns impersonating USPS and UPS that stream victims' card data keystroke-by-keystroke to a backend, run BIN lookups, and push routing decisions back to the victim's browser in real time.

What this means for technologists, enterprise defenders, and end users

  • Technologists and security teams: The report argues for concrete controls—"block device code authentication unless it's required," review mailbox artifacts after device code events, audit mail-flow rules, and decommission legacy aliases. ZeroBAC's findings include an explicit case where a still-resolvable historical identity and active forwarding from a pre-acquisition namespace allowed phishing mail to reach an inbox without visible cues.
  • Procurement and enterprise risk teams: The $400/month (or $3,800/year) price point and an accessible operator panel indicate a lower barrier to entry for less-skilled affiliates; organizations should weigh this commoditization when prioritizing anti-phishing investments and mailbox monitoring capabilities.
  • End users and IT administrators: Lures observed include business document-themed and remittance approval emails; defenders should be alert to messages that use legitimate third-party senders or old forwarding relationships to reach an inbox.

Forg365 is the latest example of a commercialized phishing stack that ties delivery, evasion, token handling, and long-term account access into a single subscription product. The platform's combination of device-code redirection, AitM session theft, and an SSO-cookie-refresh extension forces a concrete choice for defenders: restrict risky authentication flows and scrutinize mailbox artifacts, or accept that industrialized phishing can convert a single click into sustained access.

Read the original report