>samit_hota
Back to advisories
SH-2026-101HighOpen

Forg365 PhaaS Targets Microsoft 365 with Device Code and AitM Session Theft

Samit Hota·
CVE ID
N/A
CVSS Score
N/A
Affected Products
Microsoft 365 tenants, users of Microsoft 365
#news#forg365

Overview

A new and highly sophisticated phishing-as-a-service (PhaaS) operation, dubbed “Forg365,” has emerged, specifically targeting Microsoft 365 tenants. This operation distinguishes itself by combining advanced techniques such as device code phishing and adversary-in-the-middle (AiTM) session theft to compromise user accounts. Forg365 leverages AI-generated content for its lures and employs antibot evasion mechanisms, making its phishing campaigns particularly effective at bypassing security filters and deceiving users. The discovery of Forg365 highlights the continuous evolution of phishing tactics, moving beyond simple credential harvesting to sophisticated session hijacking and post-compromise automation.

Technical Details

Forg365 PhaaS leverages a multi-pronged approach to compromise Microsoft 365 accounts. The core of its operation involves two primary techniques: device code phishing and adversary-in-the-middle (AiTM) session theft. Device code phishing exploits legitimate OAuth 2.0 device authorization flows, typically used by applications on devices without a browser or with limited input capabilities. Attackers present a user with a device code and instruct them to enter it on a legitimate Microsoft login page. When the user complies, the attacker’s application gains access to the user’s account. This method bypasses traditional password entry and can circumvent some forms of MFA.

Complementing this, Forg365 integrates AiTM proxy capabilities. AiTM attacks involve setting up a proxy server between the victim and the legitimate login page. This proxy intercepts communications, including credentials and, critically, session cookies. By stealing session cookies, attackers can bypass even strong forms of MFA, as they gain access to an already authenticated session. The novel aspect of Forg365, as observed by researchers who gained access to its dashboard, is the integrated post-compromise mailbox automation. This feature allows attackers to automatically leverage compromised accounts for further malicious activities, blending standard AiTM tradecraft with operational tooling that many earlier PhaaS kits lacked. The use of AI-generated content for lures and antibot evasion techniques further enhances the effectiveness of these campaigns, helping them slip past automated detection systems.

Real-World Impact

The emergence of Forg365 poses a significant threat to organizations utilizing Microsoft 365. Successful attacks can lead to full account compromise, granting attackers access to sensitive emails, documents, and other cloud resources. With stolen session tokens, attackers can bypass MFA, making it incredibly difficult for users and security teams to detect and prevent unauthorized access. The integrated mailbox automation feature means that compromised accounts can be immediately weaponized for further attacks, such as internal phishing, business email compromise (BEC) schemes, or data exfiltration. The financial impact can be substantial, ranging from direct financial fraud to intellectual property theft and severe reputational damage. Users of Microsoft 365, especially those without phishing-resistant MFA, are at heightened risk.

Threat Landscape

The cybersecurity threat landscape is increasingly characterized by the industrialization of sophisticated attack techniques through PhaaS offerings. Forg365 is a prime example of this trend, making advanced phishing capabilities accessible to a broader range of cybercriminals. Identity-based attacks, which focus on compromising user credentials and sessions rather than exploiting software vulnerabilities, are maturing rapidly. The combination of device code phishing, AiTM, AI-generated content, and integrated post-compromise automation represents a significant leap in phishing sophistication. This evolution necessitates a shift in defensive strategies, moving beyond simple credential protection to focus on robust session security and advanced threat detection. Microsoft 365, being a ubiquitous enterprise platform, remains a high-value target for these types of attacks.

Remediation

Organizations using Microsoft 365 must prioritize implementing phishing-resistant multi-factor authentication (MFA) methods, such as FIDO2 security keys, which are immune to AiTM attacks. Conditional access policies should be configured to restrict access based on device health, location, and other contextual factors. It is critical to enforce strong help desk verification procedures to prevent attackers from social engineering their way into account resets or privilege escalation. Continuous monitoring for session hijacking and anomalous login activity is essential to detect and respond to compromised sessions quickly. Organizations should educate employees about the dangers of device code phishing and the importance of verifying login requests directly through trusted applications rather than external prompts. Regular security awareness training should emphasize recognizing AI-generated phishing lures and the dangers of clicking suspicious links or entering credentials on unverified pages. Implementing robust email filtering and security gateways capable of detecting advanced phishing tactics is also crucial.

Found something similar in your stack?

Let's find out before it becomes an incident.

Book an advisory call