Last updated: July 10, 2026 at 9:23 AM UTC
All 586 Vulnerability 210 Breach 110 Threat 259 Defense 7
Tag: forg365 (1 article)Clear

Forg365 phishing service uses AI to steal Microsoft 365 accounts and stay in

A new phishing-as-a-service platform called Forg365 is built to steal Microsoft 365 accounts, combining adversary-in-the-middle and device-code phishing with AI-generated lures created directly in its control panel. Researchers at ZeroBEC found the panel lets operators build campaigns, configure malicious OAuth apps, generate and refine phishing emails with AI, and monitor compromised mailboxes for keywords, all in one place. It also ships a browser extension that silently refreshes session cookies through an OAuth flow, giving attackers ongoing access without re-authenticating. The operators deliver lures posing as business documents, using legitimate email-sending infrastructure to slip past filters. The researchers note AI is lowering the cost of both writing phishing content and building phishing platforms.

Check
Hunt for adversary-in-the-middle and device-code phishing against Microsoft 365, review OAuth app consents and unexpected browser extensions, and check for mailbox rules or session tokens giving attackers persistent access.
Affected
Microsoft 365 users targeted by business-document lures; Forg365 captures session tokens to bypass multi-factor authentication and uses a browser extension to keep access alive even after passwords or sessions are reset.
Fix
Enforce phishing-resistant methods like passkeys, apply Conditional Access to limit device-code and token sign-ins, review and restrict OAuth app consents and browser extensions, and monitor for anomalous token use.