Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
12 distinct techniques documented for this family, organized by ATT&CK tactic.
The victim sees real Microsoft authentication surfaces, but the code authorizes an attacker-controlled session.
Forg365 includes a device-auth phishing branch that presents a Microsoft-styled verification code page and pushes the victim into a legitimate Microsoft Authentication Broker sign-in flow. The victim sees real Microsoft authentication surfaces, but the code authorizes an attacker-controlled session. | A new phishing-as-a-service (PhaaS) operation called Forg365 is using a combination of device code phishing, adversary-in-the-middle (AitM) tactics, antibot evasion, artificial intelligence (AI)-assisted lure creation, and post-compromise mailbox operations targeting Microsoft 365 accounts.
The panel also offers SMTP rotation, campaign scheduling, redirect links, encrypted SVG files, and templates impersonating services such as SharePoint, OneDrive, DocuSign, and Adobe Acrobat Sign.
The victim sees real Microsoft authentication surfaces, but the code authorizes an attacker-controlled session.
A notable aspect of the Forg365 platform is that it offers an extension named ForgCookie for Chromium-based browsers... designed for continued access to the compromised accounts... Captures resulting Microsoft cookies across Microsoft domains.
Forg365's extends beyond simple credential and token harvesting to facilitate a wide array of post-compromise actions, including monitoring for specific keywords in compromised email accounts and drafting a message response to a particular email thread using assistance from AI.
To counter these threats, it's recommended to... audit mail-flow rules... The campaign succeeded in reaching the inbox because the recipient organization still maintained an active forwarding relationship from a pre-acquisition namespace into a current mailbox.
1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A subscription-based phishing kit/platform targeting Microsoft 365 accounts. It supports device code phishing, AitM phishing, antibot evasion, AI-assisted lure generation, token/session capture and management, and post-compromise mailbox operations. It also includes tooling for persistent access via browser cookie/session handling.
A phishing-as-a-service platform targeting Microsoft 365 accounts. It supports device-code phishing and adversary-in-the-middle phishing, integrates AI-assisted lure generation, manages tokens/cookies, and enables post-compromise access to victim Microsoft services.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.