New PhaaS Platform Forg365 Uses AI and Dual Attack Methods to Target Microsoft 365 Users

The Forg365 phishing platform combines adversary-in-the-middle and device-code attack methods with AI-assisted lure creation and a cookie-stealing browser extension for persistent access.

CSBadmin
2 Min Read

Attack Methods and Technical Capabilities

A new phishing-as-a-service (PhaaS) platform named Forg365 is actively targeting Microsoft 365 accounts using a combination of sophisticated techniques. The platform supports both adversary-in-the-middle (AiTM) phishing and device-code phishing, allowing attackers to bypass multi-factor authentication. In the device-code approach, victims are tricked into authorizing an attacker-controlled device through a legitimate Microsoft OAuth 2.0 device code flow, which is designed for devices with limited input capabilities like smart TVs or IoT appliances. For AiTM attacks, the platform uses a proxy to intercept authentication requests and capture session cookies between the user and Microsoft’s servers.

Integrated AI and Persistent Access Features

Forg365 distinguishes itself by integrating AI-assisted content generation directly into its administration dashboard. Operators can create, refine, and deploy custom phishing emails from the same interface used to manage post-compromise activities. The platform also includes an account intelligence dashboard and a keyword monitoring feature that alerts operators when specific terms appear in compromised mailboxes. A custom browser extension called ForgCookie provides persistent access to Microsoft services by automatically refreshing Single Sign-On (SSO) cookies without requiring re-authentication. To evade detection and analysis, the platform uses AES-encrypted redirectors, bot detection, debugger traps, sandbox checks, and polymorphic code. It also redirects VPN users to benign content instead of exposing phishing pages.

Source: BleepingComputer

CSBadmin

The latest in cybersecurity news and updates.

TAGGED:
Share This Article
Follow:
The latest in cybersecurity news and updates.