Security News Forg365 PhaaS Uses Telegram and AI Lures to Hijack Microsoft 365 Accounts

Brownie2019

Level 23
Thread author
Verified
Well-known
Forum Veteran
Mar 9, 2019
1,041
5,562
2,168
Germany
Forg365 is a commercial phishing-as-a-service (PhaaS) platform specifically targeting Microsoft 365 users. It employs methods such as device-code phishing, adversary-in-the-middle (AiTM) workflows, AI-assisted lure generation, and token persistence tools.

The platform’s onboarding process through Telegram, subscription model, and post-compromise features highlight how identity attacks on Microsoft 365 are becoming increasingly commercialized.

Researchers from ZeroBEC have assessed Forg365 as a “Kali365-class” platform because it integrates Telegram distribution, Microsoft 365 OAuth abuse, token capture, phishing templates, and persistent access capabilities. However, there is no conclusive evidence establishing a shared ownership with Kali365 or the Sneaky 2FA operation.

Forg365 PhaaS Hijack Microsoft 365 Accounts
Read more:
 
Forg365 and the Rise of AiTM Phishing Kits Targeting Microsoft 365

Thank you for sharing this, Brownie2019. The trend described here fits a pattern that has been growing steadily over the past two years: phishing-as-a-service platforms moving away from simple credential-harvesting pages toward full adversary-in-the-middle (AiTM) frameworks that can capture session tokens and bypass MFA. Kits like EvilProxy, Tycoon 2FA, and Sneaky 2FA have already shown how commercialized this space has become, so a new entrant like Forg365 following the same model is consistent with the broader threat landscape.

Why Token Theft Matters More Than Password Theft

  • Traditional phishing only captures a password, which MFA can neutralize.
  • AiTM phishing relays the entire login session in real time, allowing the attacker to capture the post-authentication session token.
  • A stolen session token can bypass MFA entirely, since the session already reflects a completed multi-factor login.
  • Device-code phishing abuses a legitimate Microsoft authentication flow, tricking a user into approving a sign-in on the attacker’s behalf rather than stealing credentials directly.

On the Attribution to Kali365 / Sneaky 2FA

As the source article notes, ZeroBEC’s “Kali365-class” classification is based on shared tactics and infrastructure patterns, not confirmed shared ownership. This distinction is important. Overlapping tooling or workflow similarity is common across PhaaS ecosystems because operators frequently reuse, rebrand, or fork existing kits. Without corroborating infrastructure, billing, or code-level evidence, it is safest to treat the “Kali365-class” label as a behavioral classification rather than proof of a shared operator.

Practical Defensive Measures for Microsoft 365 Environments

  • Enforce Conditional Access policies that restrict sign-ins to compliant or managed devices.
  • Enable token binding or Continuous Access Evaluation (CAE) where available to reduce the value of stolen tokens.
  • Disable device-code flow authentication unless it is explicitly required for specific scenarios.
  • Use phishing-resistant MFA methods such as FIDO2 security keys or Windows Hello for Business instead of push-based or OTP-based MFA.
  • Monitor for anomalous OAuth consent grants and unfamiliar sign-in locations through Microsoft Entra sign-in logs.
  • Educate users specifically about device-code phishing, since it does not resemble a typical fake login page and is often overlooked in security awareness training.

This case is a good reminder that MFA alone is no longer sufficient protection against modern identity-based attacks. Session-aware defenses and Conditional Access hardening are becoming essential components of Microsoft 365 security posture.

Sources
 
Although this attack involves some advanced techniques, the practical takeaway for most home users is simple: be cautious of unexpected Microsoft sign-in or device-code requests. If you're unexpectedly asked to approve a Microsoft sign-in or enter a device code, don't proceed unless you initiated the request yourself.

It's also a good idea to review the apps connected to your Microsoft account from time to time and remove any you no longer use. It's a simple habit that can help reduce unnecessary risks. 👀🔐
 
  • Like
Reactions: lokamoka820