Forg365 is a commercial phishing-as-a-service (PhaaS) platform specifically targeting Microsoft 365 users. It employs methods such as device-code phishing, adversary-in-the-middle (AiTM) workflows, AI-assisted lure generation, and token persistence tools.
The platform’s onboarding process through Telegram, subscription model, and post-compromise features highlight how identity attacks on Microsoft 365 are becoming increasingly commercialized.
Researchers from ZeroBEC have assessed Forg365 as a “Kali365-class” platform because it integrates Telegram distribution, Microsoft 365 OAuth abuse, token capture, phishing templates, and persistent access capabilities. However, there is no conclusive evidence establishing a shared ownership with Kali365 or the Sneaky 2FA operation.
Forg365 PhaaS Hijack Microsoft 365 Accounts
Forg365 is marketed and supported through Telegram, where operators reportedly receive a five-day trial before subscribing for $400 per month or $3,800 annually.
This Software-as-a-Service (SaaS) pricing and support model reflects the expanding commercial ecosystem surrounding Microsoft 365 token-focused phishing platforms.
The FBI has previously warned that the Telegram-distributed Kali365 PhaaS platform enables threat actors to obtain Microsoft 365 access tokens and bypass multi-factor authentication (MFA) without directly stealing credentials.
Microsoft has also documented AI-enhanced device-code phishing campaigns that employ tailored lures and automated infrastructure to compromise user accounts.
The current Forg365 operator panel can be accessed at logfriend[.]com/login. Its features reportedly include campaign links, OAuth application configuration, SMTP settings, AI-generated email content, token management, mailbox intelligence, keyword monitoring, viewer links, and browser-extension support.

Forg365 supports device-code phishing, which exploits Microsoft’s legitimate OAuth device authorization flow. In this method, victims are shown a Microsoft-styled verification code page. They are directed to a legitimate Microsoft authentication interface, where they unknowingly authorize an attacker-controlled session.
Unlike traditional credential phishing, device-code attacks may not require the attackers to capture a password. Once the victim enters the provided code and completes authentication, the attacker can obtain valid access or refresh tokens.
The Cybersecurity and Infrastructure Security Agency (CISA) recommends blocking device code authentication unless there is a specific business need, as threat actors have exploited this method to compromise user accounts via phishing. Microsoft’s reports also indicate that AI can help attackers create more targeted device-code lures at scale.
Forg365 additionally includes an AiTM component that uses session cookies, route tokens, and traffic classification. Researchers have observed benign redirects on VPN-originated traffic, suggesting possible anti-analysis controls designed to prevent security researchers and automated scanners from accessing phishing content.
Persistence Through ForgCookie
A crucial element of Forg365 is ForgCookie, described as an automatic Microsoft Single Sign-On (SSO) cookie refresh tool. This browser extension reportedly targets Microsoft authentication cookies and interacts with the Forg365 backend to generate or refresh browser session materials.
This functionality transforms a successful phishing attempt into a prolonged access operation. Rather than merely collecting credentials, operators can maintain Microsoft 365 access through refresh-token reuse, silent sign-ins, Graph activity, and browser session renewals.
ZeroBEC has also connected campaign activities to Microsoft Entra device-registration events involving device names prefixed with “Forg365-.” These artifacts may serve as valuable high-confidence hunting markers for affected organizations.

Security teams should investigate device-code events as potential entry points for broader mailbox and identity compromises, rather than merely as suspicious user activity.
- Restrict or block device-code flows using Entra Conditional Access where possible.
- Look for deviceCodeFlow in Entra sign-in telemetry, especially when followed by Microsoft Graph access or unfamiliar IP addresses.
- Review Microsoft Authentication Broker events, anomalous non-interactive sign-ins, and new device registrations.
- Investigate suspicious device names, particularly those following the “Forg365-*” pattern.
- Revoke sessions and refresh tokens after any suspected compromise; a simple password reset may not eliminate attacker-held token access.
- Review mailbox rules, forwarding, OAuth grants, deleted items, and unusual Graph activity following device-code authentication.
Interact with Cyber Threats in Windows, Linux, macOS VMs to Trigger Full Attack Chain - Analyse Malware & Phishing with ANY RUN

