ctipilot.ch
← Back to the live brief
NOTABLENATOB2threat

Forg365: a commercial Microsoft 365 phishing-as-a-service kit bundling device-code + AiTM phishing, in-panel AI lure drafting, and a browser extension for SSO-cookie persistence

discovered 2026-07-10 20:34 UTCrun 2026-07-10T2009Z-intel3 sourcesmulti-source

ZeroBEC's teardown, corroborated by BleepingComputer and a CSA Labs research note, describes Forg365 as a Telegram-distributed, subscription-priced (5-day trial, $400/month, $3,800/year) Microsoft 365 phishing-as-a-service platform that packages two independent credential-theft paths behind one operator console (ZeroBEC, 2026-07-09; BleepingComputer, 2026-07-09). The device-authorization branch presents a Microsoft-styled verification-code page and drives the legitimate Microsoft Authentication Broker flow; the adversary-in-the-middle branch classifies inbound traffic to decide whether to serve the phishing page or a benign decoy. Both converge on a valid, MFA-satisfied refresh token or session cookie because the victim completes the genuine Microsoft authentication — as CSA Labs puts it, "multifactor authentication does not stop the attack because the victim, not the attacker, is the one completing the MFA challenge" (CSA Labs, 2026-07-10). Two capabilities stand out beyond the already-covered device-code primitive: an AI lure-drafting assistant embedded directly in the panel alongside SMTP rotation, OAuth-app configuration and token vaulting, and ForgCookie — a Chrome/Edge/Brave extension that silently triggers OAuth flows to refresh the stolen SSO cookie so operator access outlives its normal expiry (ZeroBEC, 2026-07-09). ZeroBEC's Entra telemetry tied observed device-code activity to a residential ISP address, with a campaign-linked backend node later performing Microsoft Graph device-registration calls.

Forg365 is a mature Microsoft 365-focused phishing-as-a-service platform that combines device-auth phishing, AiTM delivery, AntiBot evasion, campaign delivery, session persistence, AI-assisted lure creation, and post-compromise mailbox operations inside a commercial operator ecosystem.

ForgCookie, the browser extension associated with the platform, is designed for Microsoft SSO cookie refresh, browser-based access, and persistent session workflows after compromise.

ZeroBEC 2026-07-09

multifactor authentication does not stop the attack because the victim, not the attacker, is the one completing the MFA challenge

Cloud Security Alliance (CSA Labs) 2026-07-10

Defender actions

  • Block the OAuth device-authorization flow via Entra Conditional Access (Authentication Flows → Device Code Flow → Block) except where a documented CLI/headless use case requires it — this closes the device-code path Forg365 sells.
  • On any account with suspected compromise, run revokeSignInSessions in Entra ID — a password reset alone does not invalidate a device-code-derived refresh token or an AiTM-stolen session cookie.
  • Hunt managed endpoints for browser extensions exhibiting SSO-cookie-refresh behavior (ForgCookie class), and alert on new OAuth app consent grants or new mailbox forwarding/inbox rules created immediately after a sign-in.

ATT&CK mapping

4 techniques mapped from the cited reporting · MITRE ATT&CK v19.1

Initial Access TA0001
T1566.002Phishing: Spearphishing Link

Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.

overlap matrix · ATT&CK page ↗

Persistence TA0003
T1176Software Extensions

Adversaries may abuse software extensions to establish persistent access to victim systems. Software extensions are modular components that enhance or customize the functionality of software applications, including web browsers, Integrated Development Environments (IDEs), and other platforms. Extensions are typically installed via official marketplaces, app stores, or manually loaded by users, and they often inherit the permissions and access levels of the host application.

overlap matrix · ATT&CK page ↗

Credential Access TA0006
T1528Steal Application Access Token

Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.

overlap matrix · ATT&CK page ↗

T1539Steal Web Session Cookie

An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.

overlap matrix · ATT&CK page ↗

PROVENANCE

AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.