News Article · Jul 9, 2026 at 5:49 PM
2 min read 0
Member
New Forg365 PhaaS Platform and Fake Passkey Attacks Target Microsoft 365 Accounts
Security #phishing #vishing #Microsoft 365 #phishing-as-a-service #Device Code phishing #Forg365 #AiTM #Pink extortion group #passkey #Entra #ZeroBEC

New Forg365 PhaaS Platform and Fake Passkey Attacks Target Microsoft 365 Accounts

A new phishing-as-a-service platform called Forg365 uses AI to generate lures and steal Microsoft 365 accounts, while a separate extortion crew tricks employees into giving up access via fake passkey enrollment calls.

Two distinct threats are taking aim at Microsoft 365 accounts this week: a new phishing-as-a-service platform that weaponizes AI and device-code attacks, and an extortion crew that tricks employees into enrolling fake passkeys via phone calls. Both methods bypass traditional passwords and target the authentication layer itself.

Researchers at ZeroBEC identified the PhaaS operation, called Forg365, which combines adversary-in-the-middle (AiTM) and device-code phishing with an AI-powered email generation tool built directly into its command panel. The platform also supplies a browser extension named ForgCookie that automatically refreshes Microsoft SSO cookies, giving attackers persistent access to compromised accounts without re-authentication.

Forg365's two attack paths

Forg365 supports two primary techniques for stealing accounts. In the device-code variant, victims are shown a Microsoft-style verification code page and tricked into authorizing an attacker-controlled device through Microsoft's legitimate OAuth 2.0 device code flow, a method designed for devices that lack a full browser. The AiTM path uses a proxy to intercept session cookies during a standard login.

  • AI-assisted email generation: the dashboard lets operators craft phishing lures, refine text, and manage post-compromise activity from a single interface.
  • Persistent access via ForgCookie: the browser extension silently triggers OAuth flows to capture fresh session cookies, compatible with Chrome, Edge, and Brave.
  • Infrastructure reuse: the platform relies on Amazon SES for email delivery, Cloudflare Pages for landing pages, and Gophish for campaign management.
  • Anti-analysis features: AES-encrypted redirectors, bot detection, debugger traps, sandbox checks, and VPN redirection block researchers from inspecting the admin panel.

Fake passkey enrollment targets enterprise users

Separately, a cyber extortion group known as Pink is targeting Microsoft 365 accounts through vishing calls. Attackers pose as IT staff and instruct the target to visit a subdomain and complete a fake Entra passkey setup. The entire exchange is scripted to keep the victim occupied while the attacker finalizes account takeover in the background, according to a report from Help Net Security. The group is known for data theft and extortion demands.

Security teams are advised to restrict or disable Microsoft device-code authentication unless explicitly required, monitor Entra logs for unexpected device-code events, and establish clear processes for verifying IT support calls that request authentication changes. The combination of AI-generated phishing and voice-based social engineering means that no single defense is sufficient; organizations need both technical controls and user awareness training.

Fact check

  • Forg365 uses adversary-in-the-middle and device-code phishing methods to steal Microsoft 365 accounts.

    verified · source

  • Forg365 includes an AI-assisted email generation feature integrated into its dashboard.

    verified · source

  • Forg365 provides a browser extension called ForgCookie to maintain persistent access.

    verified · source

  • The Pink cyber extortion crew uses vishing calls to trick employees into fake Entra passkey enrollment.

    reported · source

Source reporting (2)

0 Comments

No comments yet

Be the first to share your thoughts on this article.

Join the conversation

You need to be registered and logged in to comment on blog articles.

Who Is Online

In total there are 244 users online: 0 registered, 237 guests and 7 bots.

Most users ever online was 4,502 on 28 Jun 2026, 10:02 am.

Bots: AhrefsBot Applebot Baiduspider Bingbot Other Bot Other Spider PetalBot

Users active in the past 15 minutes. Total registered members: 367