Forg365 Phishing Platform Bundles AI-Generated Lures, Token Vaulting, and Browser Persistence into One Dashboard

Security researchers at ZeroBEC have identified a new phishing-as-a-service (PhaaS) platform called Forg365 that combines AI-assisted email lure generation, adversary-in-the-middle (AiTM) attacks, device-code phishing, and a dedicated browser extension for persistent Microsoft 365 account access. The platform is distributed via Telegram with a 5-day free trial, $400 monthly access, and $3,800 annual subscriptions, according to ZeroBEC’s report published July 9.

Forg365 runs as a full operator workflow: campaign creation, AI-generated email content, SMTP profile rotation, token vaulting, compromised mailbox monitoring with keyword alerts, and a Manifest V3 browser extension called ForgCookie that silently refreshes Microsoft SSO cookies to maintain persistent access to compromised accounts, as BleepingComputer reported.

How the Platform Works

The attack chain starts with phishing emails crafted to mimic business documents. ZeroBEC observed sender domains using Amazon SES delivery with SendGrid-hosted tracking resources, a combination designed to blend malicious messages into legitimate enterprise email traffic.

From the operator dashboard, Forg365 supports two parallel phishing methods. The device-code branch presents a Microsoft-styled verification code page and triggers the legitimate Microsoft Authentication Broker flow, exploiting what Microsoft classifies as a high-risk authentication method. The AiTM branch uses route tokens, session cookies, and traffic classification to serve phishing content to targets while returning benign decoy pages to security scanners.

The AI integration is built directly into the panel. Operators generate custom phishing lures, refine message text, and launch campaigns from the same interface they use to manage stolen tokens and monitor compromised mailboxes. As ZeroBEC noted, “AI reduces the cost of developing custom phishing content, but it also reduces the cost of building custom PhaaS platforms.”

The Persistence Layer

Once credentials are captured, ForgCookie takes over. The browser extension, compatible with Chrome, Edge, and Brave, requests account data from the Forg365 backend, clears existing session cookies, and triggers a silent OAuth flow to capture fresh Microsoft SSO cookies. This gives operators continuous access to compromised Microsoft services without re-authentication.

The platform also includes an account intelligence dashboard and keyword monitoring that scans compromised mailboxes for predefined terms, alerting operators when matches appear. This turns compromised accounts into ongoing intelligence-gathering operations rather than one-time credential theft.

A Kali365-Class Operation

ZeroBEC classifies Forg365 as a Kali365-class platform, referencing the FBI IC3 public service announcement that described Kali365 as a Telegram-distributed PhaaS capturing Microsoft 365 OAuth tokens. The researchers could not establish a direct connection between Forg365 and Kali365 or Sneaky2FA, but noted significant tradecraft overlap: Telegram distribution, Microsoft 365 identity abuse, AiTM routing, device-code authorization, and Cloudflare-hosted landing pages.

Microsoft Defender research has separately described AI-enabled device-code campaigns as an escalation from static phishing toward automated infrastructure, confirming the broader trend Forg365 represents.

The Agent Security Angle

The infrastructure Forg365 targets, Microsoft 365 identity and OAuth tokens, is the same infrastructure that enterprise AI agents rely on for email access, calendar integration, and document retrieval. Any organization deploying agents with Microsoft 365 permissions faces a compounded risk: a compromised OAuth token does not just give an attacker access to a human’s mailbox, it gives them access to every action the agent is authorized to perform through that identity.

CISA’s Microsoft Entra ID guidance recommends blocking device-code authentication where possible. For organizations running AI agents with email and identity access, that recommendation is now a minimum baseline, not an optional hardening step.