New Forg365 PhaaS Platform and Fake Passkey Attacks Target Microsoft 365 Accounts
A new phishing-as-a-service platform called Forg365 uses AI to generate lures and steal Microsoft 365 accounts, while a separate extortion crew tricks employees into giving up access via fake passkey enrollment calls.
Two distinct threats are taking aim at Microsoft 365 accounts this week: a new phishing-as-a-service platform that weaponizes AI and device-code attacks, and an extortion crew that tricks employees into enrolling fake passkeys via phone calls. Both methods bypass traditional passwords and target the authentication layer itself.
Researchers at ZeroBEC identified the PhaaS operation, called Forg365, which combines adversary-in-the-middle (AiTM) and device-code phishing with an AI-powered email generation tool built directly into its command panel. The platform also supplies a browser extension named ForgCookie that automatically refreshes Microsoft SSO cookies, giving attackers persistent access to compromised accounts without re-authentication.
Forg365's two attack paths
Forg365 supports two primary techniques for stealing accounts. In the device-code variant, victims are shown a Microsoft-style verification code page and tricked into authorizing an attacker-controlled device through Microsoft's legitimate OAuth 2.0 device code flow, a method designed for devices that lack a full browser. The AiTM path uses a proxy to intercept session cookies during a standard login.
- AI-assisted email generation: the dashboard lets operators craft phishing lures, refine text, and manage post-compromise activity from a single interface.
- Persistent access via ForgCookie: the browser extension silently triggers OAuth flows to capture fresh session cookies, compatible with Chrome, Edge, and Brave.
- Infrastructure reuse: the platform relies on Amazon SES for email delivery, Cloudflare Pages for landing pages, and Gophish for campaign management.
- Anti-analysis features: AES-encrypted redirectors, bot detection, debugger traps, sandbox checks, and VPN redirection block researchers from inspecting the admin panel.
Fake passkey enrollment targets enterprise users
Separately, a cyber extortion group known as Pink is targeting Microsoft 365 accounts through vishing calls. Attackers pose as IT staff and instruct the target to visit a subdomain and complete a fake Entra passkey setup. The entire exchange is scripted to keep the victim occupied while the attacker finalizes account takeover in the background, according to a report from Help Net Security. The group is known for data theft and extortion demands.
Security teams are advised to restrict or disable Microsoft device-code authentication unless explicitly required, monitor Entra logs for unexpected device-code events, and establish clear processes for verifying IT support calls that request authentication changes. The combination of AI-generated phishing and voice-based social engineering means that no single defense is sufficient; organizations need both technical controls and user awareness training.
Fact check
-
Forg365 uses adversary-in-the-middle and device-code phishing methods to steal Microsoft 365 accounts.
verified · source
-
Forg365 includes an AI-assisted email generation feature integrated into its dashboard.
verified · source
-
Forg365 provides a browser extension called ForgCookie to maintain persistent access.
verified · source
-
The Pink cyber extortion crew uses vishing calls to trick employees into fake Entra passkey enrollment.
reported · source
Source reporting (2)
Join the conversation
You need to be registered and logged in to comment on blog articles.
0 Comments
No comments yet
Be the first to share your thoughts on this article.