Forg365, a new phishing-as-a-service operation, is targeting Microsoft 365 accounts using a sophisticated blend of device code phishing, adversary-in-the-middle tactics, and AI-assisted lures. This service, available for $400 a month or $3,800 annually, leverages legitimate email delivery platforms like Amazon SES and Twilio SendGrid to create phishing campaigns that seamlessly integrate into normal email traffic. The operation is distributed via Telegram, providing users with an operator panel for managing lures, campaigns, and captured tokens.

ZeroBEC, an email security firm, highlights that Forg365's structure is reminiscent of other phishing kits like Kali365 and Sneaky 2FA, demonstrating the growing industrialization of phishing services. These kits allow even those with minimal technical expertise to execute large-scale phishing campaigns efficiently. Forg365 employs business document-themed lures to deceive recipients into clicking malicious links, with the sender domain utilizing Amazon SES for delivery and SendGrid for images and tracking resources.

A notable feature of Forg365 is its device-auth phishing branch, which mimics Microsoft verification processes to trick users into authorizing attacker-controlled sessions. Additionally, the service includes an extension for Chromium-based browsers, enabling continued access to compromised accounts by refreshing session cookies automatically.

Forg365 extends beyond simple credential theft, facilitating post-compromise activities like monitoring for specific keywords in email accounts and drafting responses using AI. This platform lowers the barrier for less experienced attackers while providing advanced features for more adept operators, enhancing operational consistency across campaigns.

To counter the threats posed by Forg365, organizations are advised to disable device code authentication when unnecessary, review mailbox artifacts for unusual activity, audit mail-flow rules, and remove outdated aliases. These steps can help mitigate the risks associated with this advanced phishing service.