New Forg365 phishing platform uses AI to target Microsoft 365 accounts

Applications of AI


New Forg365 phishing platform uses AI to target Microsoft 365 accounts

A new phishing-as-a-service (PhaaS) operation called Forg365 focuses on stealing Microsoft 365 accounts by combining man-in-the-middle attacks (AiTM) and device code techniques with AI-assisted lure generation.

The platform also provides a browser extension for continued access to Microsoft services linked to compromised accounts without the need for re-authentication.

Researchers from email security firm ZeroBEC said that many of Forg365’s features are also present on other notorious PhaaS platforms, such as Kali365 and Sneaky2FA, but they were unable to establish a connection.

image

Their investigation began by analyzing phishing emails disguised as business documents carefully crafted to imitate trusted services.

“The observed sender domains were using Amazon SES delivery, but the message body included images or tracking resources hosted by SendGrid,” ZeroBEC said in today’s report.

This combination of legitimate services and phishing infrastructure represents a mature PhaaS operation where messages can be mixed in with regular email traffic.

The platform features device code phishing, man-in-the-middle (AiTM) phishing, AI-assisted email content generation, token and cookie management, and post-breach operations.

Upon further investigation, the researchers gained access to the Forg365 dashboard. This allows you to create new phishing campaigns, manage phishing links, configure OAuth apps and SMTP profiles, manage tokens, and generate AI-powered phishing emails.

Forg365 Panel
Forg365 Panel
Source: Zerobeck

While the use of AI in creating custom phishing lures is not new, the researchers highlight that this functionality is integrated directly into Forg365’s panels, allowing operators to craft malicious emails, prepare text, and tailor messages from the same dashboard they used to control post-breach activity.

According to the researchers, this integration is strategic because “AI not only reduces the cost of developing custom phishing content, but also reduces the cost of building a custom PhaaS platform.”

AI-powered email content generation
AI-powered email content generation
Source: Zerobeck

This panel also includes an account intelligence dashboard and a keyword monitoring feature that scans compromised mailboxes for predefined terms and alerts operators whenever a match is detected.

Operators are provided with a browser extension called ForgCookie that is compatible with Google Chrome, Microsoft Edge, and Brave and specifically designed to automatically update Microsoft SSO cookies.

This extension works by requesting account data from the Forg365 backend, clearing session cookies, and triggering a silent OAuth flow to capture new cookies.

This gives the attacker permanent access to Microsoft services associated with the victim’s account.

ForgCookie extension
ForgCookie extension
Source: Zerobeck

According to ZeroBEC, Forg365 supports two main attack paths: trending device code phishing and more traditional AiTM phishing.

In the first case, the victim is presented with a Microsoft-style verification code page and instructed to complete authentication using Microsoft’s device code flow, which is designed for input-constrained endpoints (such as smart TVs, IoT appliances, and browser-less tools).

Rather than directly targeting the victim’s password, the victim is tricked into authorizing the attacker-controlled gadget through a legitimate OAuth 2.0 device code flow authentication method.

Device code phishing techniques
Device code phishing techniques
Source: Zerobeck

In the case of AiTM phishing, the platform uses proxies for authentication requests and data exchanged between Microsoft infrastructure and the target account, capturing session cookies in the process.

To prevent researchers from accessing the admin panel, Forg365 has an AntiBot feature that boasts an “AES encryption redirector, bot detection, debugger traps, sandbox checks, and polymorphic code.”

Additionally, when a VPN connection is detected, the platform redirects you to harmless content instead of exposing a phishing page.

ZeroBec reports that the platform uses Amazon SES to deliver phishing emails and Cloudflare Pages for landing pages. The Gophish infrastructure is also used for campaign delivery.

We recommend that users limit or disable Microsoft Device Code Authentication unless necessary and monitor the Microsoft Entra logs for Device Code Authentication events.

Mailbox rules, new device sign-ins, Microsoft authentication broker activity, and OAuth permissions should also be investigated for unexpected entries.

If a breach is suspected, all tokens and sessions should be revoked and refreshed as soon as possible.

Article image

Security teams document 54% of successful attacks and issue a warning on only 14%. The rest moves invisibly through the environment.

Picus’ whitepaper shows how to test your SIEM and EDR rules in breach and attack simulations to ensure threats go undetected.

Get the white paper



Source link