Researchers reported that Forg365, a phishing-as-a-service platform marketed through Telegram, is targeting Microsoft 365 and other Microsoft accounts with a mix of adversary-in-the-middle phishing, device-code phishing, session theft, and post-compromise mailbox access. The service includes an operator panel with AI-assisted lure generation, impersonation templates for Microsoft services, SMTP rotation, campaign scheduling, token storage, and mailbox keyword monitoring, giving attackers an end-to-end workflow for credential theft and account takeover.
Investigators said Forg365 can capture authentication tokens, browser cookies, and session data, while a companion browser extension, ForgCookie, refreshes Microsoft single sign-on cookies to preserve access without repeated reauthentication. Observed infrastructure included Amazon SES for email delivery, SendGrid-hosted resources, Cloudflare Pages landing pages, and Gophish components, alongside anti-analysis measures such as bot detection, debugger traps, sandbox checks, encrypted redirectors, and VPN-based benign redirection. Defenders were urged to restrict device-code authentication where possible, monitor Microsoft Entra logs, OAuth and Microsoft Graph activity, suspicious device registrations, and rapidly revoke sessions, refresh tokens, and OAuth access after suspected compromise.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
2 events from the most recent confirmed update back to the earliest known activity.
Researchers at ZeroBEC described Forg365 as a phishing-as-a-service operation targeting Microsoft 365 accounts using device-code phishing and adversary-in-the-middle techniques. The report also detailed AI-assisted lure generation, post-compromise token and mailbox access features, and the ForgCookie browser extension used to maintain access.
Arctic Wolf reported that in early April 2026, organizations across North America and EMEA were targeted in a large-scale Microsoft OAuth device code phishing campaign linked to the Kali365 Live phishing-as-a-service platform. The report detailed related infrastructure, token theft leading to Microsoft 365 access, and post-compromise actions including malicious inbox rules and additional device registrations for persistence.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
6 references tracked. Mallory keeps watching after this page renders.
thehackernews.com
Open sourcecyberaccord.com
Open sourcecybersecuritynews.com
Open sourcebleepingcomputer.com
Open sourcezerobec.com
Open sourcearcticwolf.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.