Forg365 is a sophisticated phishing-as-a-service platform that has been identified as a threat to Microsoft 365 users. By leveraging AI, Forg365 offers a range of attack methods, including device-code phishing and adversary-in-the-middle (AiTM) phishing. These techniques enable attackers to bypass traditional security measures and gain unauthorized access to user accounts. Distributed through Telegram, Forg365 is accessible via a subscription model that includes a 30-day trial, monthly, or annual payment options. This model reflects the increasing professionalism of phishing operations, allowing cybercriminals to use pre-built templates and tools for launching attacks without needing to create their own infrastructure.

The platform’s device-code phishing method involves presenting victims with a legitimate-looking Microsoft verification page. Victims input a code that grants attackers access to a session controlled by them, thus bypassing password security. The AiTM phishing method places a fake page between the user and Microsoft's authentication services, capturing critical information like session details, authentication tokens, and cookies. Forg365 also employs anti-bot and cloaking techniques, such as redirecting VPN traffic to decoy sites, to avoid detection by security measures.

AI is central to Forg365’s operations, allowing criminals to generate convincing phishing emails and documents directly from the platform. It includes features like SMTP rotation, campaign scheduling, and templates mimicking well-known services. Beyond initial phishing, the platform's Token Vault and Account Intel features enable attackers to exploit compromised accounts further. A browser extension called ForgCookie helps maintain access by refreshing authentication cookies.

Investigators have traced Forg365-related activities to Microsoft Entra device-code events, suspicious device registrations, and infrastructure in Kyiv, Ukraine. Although similar to other Microsoft-focused phishing services like Kali365 and Sneaky FA, there is no conclusive evidence linking these platforms to the same operators. Organizations are advised to limit device-code authentication to only necessary cases and actively monitor Microsoft Entra logs for suspicious activities. Revoking sessions and refreshing tokens after a compromise is essential to remove unauthorized access.