2026-07-10 · view entry permalink →
Forg365: a commercial Microsoft 365 phishing-as-a-service kit bundling device-code + AiTM phishing, in-panel AI lure drafting, and a browser extension for SSO-cookie persistence
ZeroBEC's teardown, corroborated by BleepingComputer and a CSA Labs research note, describes Forg365 as a Telegram-distributed, subscription-priced (5-day trial, $400/month, $3,800/year) Microsoft 365 phishing-as-a-service platform that packages two independent credential-theft paths behind one operator console (ZeroBEC, 2026-07-09; BleepingComputer, 2026-07-09). The device-authorization branch presents a Microsoft-styled verification-code page and drives the legitimate Microsoft Authentication Broker flow; the adversary-in-the-middle branch classifies inbound traffic to decide whether to serve the phishing page or a benign decoy. Both converge on a valid, MFA-satisfied refresh token or session cookie because the victim completes the genuine Microsoft authentication — as CSA Labs puts it, "multifactor authentication does not stop the attack because the victim, not the attacker, is the one completing the MFA challenge" (CSA Labs, 2026-07-10). Two capabilities stand out beyond the already-covered device-code primitive: an AI lure-drafting assistant embedded directly in the panel alongside SMTP rotation, OAuth-app configuration and token vaulting, and ForgCookie — a Chrome/Edge/Brave extension that silently triggers OAuth flows to refresh the stolen SSO cookie so operator access outlives its normal expiry (ZeroBEC, 2026-07-09). ZeroBEC's Entra telemetry tied observed device-code activity to a residential ISP address, with a campaign-linked backend node later performing Microsoft Graph device-registration calls.
Forg365 is a mature Microsoft 365-focused phishing-as-a-service platform that combines device-auth phishing, AiTM delivery, AntiBot evasion, campaign delivery, session persistence, AI-assisted lure creation, and post-compromise mailbox operations inside a commercial operator ecosystem.
ForgCookie, the browser extension associated with the platform, is designed for Microsoft SSO cookie refresh, browser-based access, and persistent session workflows after compromise.
multifactor authentication does not stop the attack because the victim, not the attacker, is the one completing the MFA challenge
Builds on: 2026-07-10/m365-conditional-access-gaps-railway-lshiy-campaigns