ctipilot.ch

Forg365

tool · tool:forg365-phaas

Telegram-distributed, subscription-priced ($400/month) Microsoft 365 phishing-as-a-service platform combining OAuth device-code phishing and adversary-in-the-middle session-cookie theft with an in-panel AI lure-drafting assistant and a companion browser extension (ForgCookie) that silently refreshes stolen Microsoft SSO cookies for post-compromise persistence; assessed by ZeroBEC as a Kali365-class platform with Sneaky2FA-style AiTM overlap, no asserted common ownership (ZeroBEC, 2026-07-09).

Aliases: ForgCookie

Coverage timeline
1
first 2026-07-10 → last 2026-07-10
Peak priority
notable
1 notable
Sources cited
3
3 hosts
Sections touched
1
active-threats
Co-occurring entities
0
no co-occurrence
ATT&CK techniques
4
pinned v19.1 · see below

Hunting pivots

ATT&CK techniques
Affected products
Microsoft 365Microsoft Entra ID

ATT&CK techniques

4 techniques observed across 1 entry — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Initial Access TA0001

T1566.002Phishing: Spearphishing Link×1

Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.

Evidence: 2026-07-10/forg365-m365-phaas-aitm-devicecode-forgcookie · ATT&CK page ↗

Persistence TA0003

T1176Software Extensions×1

Adversaries may abuse software extensions to establish persistent access to victim systems. Software extensions are modular components that enhance or customize the functionality of software applications, including web browsers, Integrated Development Environments (IDEs), and other platforms. Extensions are typically installed via official marketplaces, app stores, or manually loaded by users, and they often inherit the permissions and access levels of the host application.

Evidence: 2026-07-10/forg365-m365-phaas-aitm-devicecode-forgcookie · ATT&CK page ↗

Credential Access TA0006

T1528Steal Application Access Token×1

Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.

Evidence: 2026-07-10/forg365-m365-phaas-aitm-devicecode-forgcookie · ATT&CK page ↗

T1539Steal Web Session Cookie×1

An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.

Evidence: 2026-07-10/forg365-m365-phaas-aitm-devicecode-forgcookie · ATT&CK page ↗

Story timeline

  1. 2026-07-10Forg365: a commercial Microsoft 365 phishing-as-a-service kit bundling device-code + AiTM phishing, in-panel AI lure drafting, and a browser extension for SSO-cookie persistence
    active-threatsZeroBEC details Forg365 — a Telegram-sold M365 PhaaS that survives MFA and keeps operator access alive via a ForgCookie browser extension

Where this entity is cited

  • active-threats1

Source distribution

  • bleepingcomputer.com1 (33%)
  • labs.cloudsecurityalliance.org1 (33%)
  • zerobec.com1 (33%)

Entries about Forg365 (1)

2026-07-10 · view entry permalink →

NOTABLENATOB2

Forg365: a commercial Microsoft 365 phishing-as-a-service kit bundling device-code + AiTM phishing, in-panel AI lure drafting, and a browser extension for SSO-cookie persistence

ZeroBEC's teardown, corroborated by BleepingComputer and a CSA Labs research note, describes Forg365 as a Telegram-distributed, subscription-priced (5-day trial, $400/month, $3,800/year) Microsoft 365 phishing-as-a-service platform that packages two independent credential-theft paths behind one operator console (ZeroBEC, 2026-07-09; BleepingComputer, 2026-07-09). The device-authorization branch presents a Microsoft-styled verification-code page and drives the legitimate Microsoft Authentication Broker flow; the adversary-in-the-middle branch classifies inbound traffic to decide whether to serve the phishing page or a benign decoy. Both converge on a valid, MFA-satisfied refresh token or session cookie because the victim completes the genuine Microsoft authentication — as CSA Labs puts it, "multifactor authentication does not stop the attack because the victim, not the attacker, is the one completing the MFA challenge" (CSA Labs, 2026-07-10). Two capabilities stand out beyond the already-covered device-code primitive: an AI lure-drafting assistant embedded directly in the panel alongside SMTP rotation, OAuth-app configuration and token vaulting, and ForgCookie — a Chrome/Edge/Brave extension that silently triggers OAuth flows to refresh the stolen SSO cookie so operator access outlives its normal expiry (ZeroBEC, 2026-07-09). ZeroBEC's Entra telemetry tied observed device-code activity to a residential ISP address, with a campaign-linked backend node later performing Microsoft Graph device-registration calls.

Forg365 is a mature Microsoft 365-focused phishing-as-a-service platform that combines device-auth phishing, AiTM delivery, AntiBot evasion, campaign delivery, session persistence, AI-assisted lure creation, and post-compromise mailbox operations inside a commercial operator ecosystem.

ForgCookie, the browser extension associated with the platform, is designed for Microsoft SSO cookie refresh, browser-based access, and persistent session workflows after compromise.

ZeroBEC 2026-07-09

multifactor authentication does not stop the attack because the victim, not the attacker, is the one completing the MFA challenge

Cloud Security Alliance (CSA Labs) 2026-07-10

Builds on: 2026-07-10/m365-conditional-access-gaps-railway-lshiy-campaigns

threat10 Jul 20:34Zmulti-sourceOpen finding ↗