Attack Methods and Technical Capabilities
A new phishing-as-a-service (PhaaS) platform named Forg365 is actively targeting Microsoft 365 accounts using a combination of sophisticated techniques. The platform supports both adversary-in-the-middle (AiTM) phishing and device-code phishing, allowing attackers to bypass multi-factor authentication. In the device-code approach, victims are tricked into authorizing an attacker-controlled device through a legitimate Microsoft OAuth 2.0 device code flow, which is designed for devices with limited input capabilities like smart TVs or IoT appliances. For AiTM attacks, the platform uses a proxy to intercept authentication requests and capture session cookies between the user and Microsoft’s servers.
Integrated AI and Persistent Access Features
Forg365 distinguishes itself by integrating AI-assisted content generation directly into its administration dashboard. Operators can create, refine, and deploy custom phishing emails from the same interface used to manage post-compromise activities. The platform also includes an account intelligence dashboard and a keyword monitoring feature that alerts operators when specific terms appear in compromised mailboxes. A custom browser extension called ForgCookie provides persistent access to Microsoft services by automatically refreshing Single Sign-On (SSO) cookies without requiring re-authentication. To evade detection and analysis, the platform uses AES-encrypted redirectors, bot detection, debugger traps, sandbox checks, and polymorphic code. It also redirects VPN users to benign content instead of exposing phishing pages.
Source: BleepingComputer
