ProBackend
active vulnerability exploitation
1 hour ago6 min read

Forg365: How AI Is Turning Microsoft 365 Phishing Into a Self-Sustaining Threat

Forg365 isn't just another phishing tool—it's a platform that automates credential theft, maintains persistent access, and adapts to defenses using AI. Here's how it works, and why it's scarier than anything we've seen before.

The AI That Doesn’t Need to Break In

Forg365 doesn’t hack your password.

It doesn’t even need it.

Instead, it tricks you into handing over your identity like a birthday gift.

This isn’t phishing as we knew it.

It’s phishing as a service—AI-powered, self-sustaining, and terrifyingly efficient.

Researchers at ZeroBEC found the platform’s dashboard after stumbling onto a phishing campaign that looked suspiciously clean: emails that didn’t smell like spam, but like legitimate business correspondence. The sender domain? Amazon SES. The tracking images? Hosted on SendGrid. Two of the most trusted email delivery services on the planet.

That’s not an accident.

That’s strategy.

Forg365 doesn’t try to bypass security.

It bypasses suspicion.

And it does it with AI.

The platform’s built-in language model generates phishing emails that mirror the tone, structure, and even the typos of real corporate comms. No more "URGENT: YOUR ACCOUNT WILL BE SUSPENDED!" nonsense. Instead, you get a message from "IT Support" asking you to verify your device because "a new login was detected from a new location." The language is calm. Professional. Human.

And you click.

Because you trust.

The AI doesn’t just write the email.

It writes the context.

It knows what your company’s last email looked like.

It knows what your CEO’s name is.

It knows what your department’s Slack channel is called.

And it uses all of it to make you feel safe.

That’s the real innovation.

Not the tech.

The psychology.

This isn’t a tool.

It’s a mirror.

And it’s showing you exactly what you want to see.

The AI That Doesn’t Need to Break In

Device Code Phishing: The Quiet Takeover

Here’s the kicker.

Even if you have MFA enabled, Forg365 doesn’t care.

It doesn’t need your password.

It doesn’t need your phone.

It just needs you to believe you’re logging in.

That’s where device code phishing comes in.

You get an email. You click. You’re taken to a page that looks exactly like Microsoft’s official login screen.

But instead of asking for your password, it asks you to enter a six-digit code.

"Enter this code on your device to complete sign-in."

It’s not a trick.

It’s Microsoft’s own device code flow.

Used legitimately for smart TVs, printers, IoT devices.

Forg365 repurposes it for humans.

You go to your phone.

You open the Microsoft Authenticator app.

You see the prompt: "Sign in to Microsoft 365?"

You tap "Yes."

And you just gave them your session.

No password. No 2FA code. No biometrics.

Just trust.

And now they’re in.

The platform doesn’t stop there.

It grabs the OAuth tokens.

It steals your cookies.

And then it deploys something called ForgCookie—a browser extension for Chrome, Edge, and Brave—that silently refreshes your Microsoft login every time it expires.

No more re-authentication.

No more alerts.

Just silent, persistent access.

Your account? Still yours.

Your emails? Still yours.

Your files? Still yours.

But your trust? Gone.

And they’ve got it all.

Device Code Phishing: The Quiet Takeover

The Anti-Bot That Doesn’t Want to Be Found

Forg365 isn’t just good at stealing access.

It’s good at hiding from anyone who tries to find it.

The platform’s backend is protected by what ZeroBEC calls an "AntiBot" system.

AES-encrypted redirectors.

Debugger traps.

Sandbox detection.

Polymorphic code that changes shape every time it’s loaded.

And if you’re on a VPN? You’re redirected to a harmless landing page.

No phishing. No dashboard.

Just a bland, corporate-looking site that says nothing.

It’s not trying to fool you.

It’s trying to fool the researchers.

And it works.

Because most threat hunters don’t have the time—or the patience—to dig through layers of obfuscation.

They’re busy chasing the loud, obvious threats.

Forg365? It’s quiet.

It’s slow.

It doesn’t exfiltrate data in bursts.

It just… lives.

It watches.

It learns.

It waits for the right keyword to trigger.

The dashboard has a built-in monitoring tool that scans compromised mailboxes for terms like "contract," "invoice," "payment," "wire transfer."

When it finds one? It alerts the operator.

And then it waits.

Sometimes for days.

Because the best attacks aren’t the ones that scream.

They’re the ones that whisper.

And when the whisper becomes a request?

That’s when the money moves.

The Infrastructure That Doesn’t Look Like Infrastructure

Forg365 doesn’t run on shady servers.

It runs on Cloudflare Pages.

It sends emails through Amazon SES.

It orchestrates campaigns using Gophish.

These aren’t underground tools.

They’re enterprise-grade.

And that’s the problem.

We’ve spent years building defenses against malware, ransomware, and phishing kits.

We’ve trained AI to flag suspicious domains.

We’ve blocked known bad IPs.

But we never thought to block Cloudflare.

We never thought to block Amazon SES.

We never thought to block Gophish.

Because they’re legitimate.

They’re trusted.

They’re the backbone of the modern web.

Forg365 doesn’t need to hide in the dark.

It just needs to blend in.

And it does.

Every time a security team flags an email from Amazon SES, they see a red flag.

But what if that red flag is real?

What if the email is from Amazon SES?

And what if the phishing page is hosted on Cloudflare?

Then the system says: "Everything looks normal."

And the attacker wins.

This isn’t a flaw in the target.

It’s a flaw in the model.

We built security to stop the bad actors.

But we forgot to stop the good tools from being used badly.

What You Should Do Right Now

If you’re still thinking "This won’t happen to me," you’re already behind.

Forg365 doesn’t care who you are.

It cares whether you’re logged in.

And if you’re using Microsoft 365?

You’re a target.

Here’s what to do:

  1. Disable device code authentication unless you absolutely need it. If you don’t have smart TVs or IoT devices in your environment, turn it off. It’s not worth the risk.

  2. Monitor Microsoft Entra ID logs for device code authentication events. Look for logins from unfamiliar locations, unusual devices, or at odd hours. These aren’t anomalies—they’re red flags.

  3. Check for unexpected OAuth grants. If you see a new app has been granted access to your account? Revoke it. Immediately.

  4. Audit mailbox rules. Attackers often create forwarding rules to send copies of emails to their own inbox. Look for rules you didn’t create.

  5. Review Microsoft Authentication Broker activity. If you see repeated authentication attempts without user interaction? That’s not a glitch. That’s an active session.

  6. Revoke all sessions if you suspect a breach. Not just your password. Not just your MFA. Every single token. Every cookie. Every session.

And then? Reset everything.

Because once Forg365 has your trust, it doesn’t need to break in again.

It just needs to wait.

The Real Threat Isn’t Forg365

The real threat isn’t the platform.

It’s the assumption that we can secure what we can’t see.

We thought AI would help us detect threats.

Instead, it gave attackers the tools to become invisible.

Forg365 isn’t the future.

It’s the present.

And it’s not going away.

Because it doesn’t need to.

It just needs you to keep clicking.

To keep trusting.

To keep believing that if it looks legitimate, it’s safe.

That’s the vulnerability.

Not the code.

Not the server.

Not the AI.

You.

More blogs