Forg365 Hijacks Microsoft 365 Sessions via Device-Code Phishing

Amid increasingly common device-code phishing since early 2026, ZeroBEC researchers uncovered Forg365, a Telegram-distributed phishing-as-a-service platform that abuses Microsoft’s legitimate authentication flow and adversary-in-the-middle techniques to hijack Microsoft 365 sessions, steal tokens and cookies, and preserve attacker access without a conventional password grab. The platform matters less as an isolated phishing kit than as evidence that cloud identity attacks have become packaged, supported, and sold like ordinary software. Forg365 turns a subtle OAuth abuse technique into a service with automated delivery, AI-generated lures, credential management, and post-compromise persistence. For Microsoft 365 administrators, the uncomfortable conclusion is that MFA can work exactly as designed while the user still authorizes the wrong session.

Illustration of a hijacked cloud login: MFA phishing tricks a user while an attacker steals tokens and session access.Forg365 Sells Identity Intrusion as a Maintained Service​

ZeroBEC researchers traced Forg365 from a business-document-themed phishing email to an operator panel offering campaign creation, token theft, and persistent Microsoft 365 access. CyberPress reported that the platform is distributed through Telegram, where its operators handle onboarding, technical support, and payment coordination.
The business model is deliberately familiar. Researchers observed a five-day free trial, monthly access priced at $400, and an annual subscription priced at $3,800. Those terms position Forg365 not as a bundle of abandoned scripts passed around between criminals, but as a maintained commercial service seeking repeat customers.
That distinction changes the economics of the attack. A disposable phishing kit generally leaves its buyer to configure domains, compose messages, manage captured data, and troubleshoot failures. Forg365 instead attempts to consolidate those tasks behind a panel hosted primarily at logfriend[.]com, reducing the number of technical decisions an affiliate must make before launching a campaign.
The panel includes OAuth application configuration, SMTP rotation, AI-assisted email generation, and a Token Vault used to organize stolen credentials. The operator is not merely purchasing a fake Microsoft login page; the operator is renting an identity-attack workflow covering preparation, delivery, interception, persistence, and management of compromised accounts.
As BleepingComputer’s coverage emphasized, the AI component is integrated into the same interface used to configure campaigns and control stolen sessions. That is more consequential than attaching a chatbot to a phishing operation for marketing purposes. It lets operators draft and refine business-themed lures without leaving the panel, collapsing content production and technical execution into a single workspace.
The practical advantage is speed. An affiliate can rotate sending infrastructure, generate a plausible message, choose an attack branch, and manage the resulting access from one service. The platform operator can improve that workflow centrally, while customers benefit without understanding how the underlying authentication abuse works.
This is the real meaning of phishing-as-a-service. The innovation is not necessarily a new vulnerability or a previously unknown authentication weakness. It is the conversion of existing techniques into a repeatable product that gives less-skilled operators access to methods previously requiring greater knowledge of OAuth, proxies, tokens, cookies, and Microsoft Entra.

The Password Is No Longer the Center of the Attack​

Traditional phishing teaches users to fear a counterfeit password form. Forg365’s device-auth branch turns that lesson sideways by sending the victim toward a legitimate Microsoft authentication surface instead.
The victim is shown a Microsoft-styled verification code and directed into the legitimate Microsoft Authentication Broker flow. The attacker has already initiated an authentication attempt, and the victim is induced to complete it by entering the supplied code and signing in.
The user may see the expected Microsoft domain, familiar branding, and a valid authentication process. The password and MFA interaction can occur entirely within Microsoft’s infrastructure. Nothing necessarily has to be typed into an attacker-controlled credential field.
What the victim misunderstands is the purpose of the transaction. The code is not simply proving the victim’s identity to open the business document described in the email. It is binding the victim’s successful authentication to a session initiated and controlled by the attacker.
After the authorization completes, the attacker can receive valid tokens associated with that session. The compromise therefore happens not because Microsoft fails to authenticate the user, but because Microsoft successfully authenticates the user in response to an attacker-initiated request.
That inversion is why device-code phishing is so difficult to address with awareness training alone. Users have spent years being told to verify the address bar, avoid imitation login pages, and use MFA. In this attack path, the verification page can be genuine and MFA can still be completed, yet the result remains an attacker-controlled Microsoft 365 session.
Microsoft’s own documentation classifies device-code flow as a high-risk authentication method. ZeroBEC summarized the problem directly: “Microsoft already classifies device-code flow as a high-risk authentication method precisely because it can be abused in phishing attacks like this one.”
The flow exists for legitimate reasons. It allows a user to authenticate a device or application that cannot conveniently present a full browser or accept normal input. The user completes authentication on another system, while the original device receives tokens through the flow.
That separation between the device requesting access and the device performing authentication is useful for constrained hardware and some command-line or shared-device scenarios. It is also the opening exploited by device-code phishing: an attacker can control the requesting endpoint while persuading the victim to perform the authorization elsewhere.
The Microsoft page cannot determine intent merely from the fact that the user entered a valid code and authenticated successfully. Identity controls must therefore evaluate whether the organization permits the flow, which accounts require it, what application is involved, and whether the resulting device and session make sense.
For defenders, the essential lesson is that successful authentication is not the same as legitimate authorization. Microsoft 365 security programs built mainly around password strength, password rotation, and MFA enrollment are no longer sufficient if users can be manipulated into granting valid sessions through alternative authentication flows.

Two Branches Give Operators a Choice of Trust Failures​

Forg365 supports two attack branches. The device-auth path exploits the user’s trust in Microsoft’s genuine authentication interface, while the adversary-in-the-middle path intercepts authentication data by positioning attacker infrastructure between the victim and the service.
Attack branchVictim experienceCaptured or issued artifactsEvasion or persistence behaviorPrimary defensive focus
Device authenticationVictim receives a Microsoft-styled verification code and enters it through the legitimate Microsoft Authentication Broker flowTokens issued after the victim authorizes the attacker-controlled sessionCan create access without collecting the victim’s password directlyRestrict device-code authentication and review unusual device registrations
Adversary-in-the-middleVictim completes a proxied Microsoft 365 authentication sequenceRoute tokens and session cookiesVPN users can be redirected to a benign decoy page to frustrate analysisInvestigate abnormal sessions, cookie use, routing behavior, and new sign-ins
The two branches are complementary rather than redundant. Device-code phishing is attractive because the most sensitive portion of the interaction can occur on genuine Microsoft infrastructure. AiTM phishing is useful when an operator wants direct interception of session material and greater control over the victim’s web journey.
Forg365’s AiTM branch uses route tokens and session cookies to capture access as authentication traffic passes through attacker-controlled infrastructure. Instead of asking Microsoft to issue tokens to an attacker-initiated device session, the platform proxies the interaction and harvests artifacts from the authenticated exchange.
The platform also reportedly classifies incoming traffic and sends VPN users to an innocuous decoy page. That decision reflects a now-standard tension in commercial phishing operations: every visitor is potentially either a victim or a security researcher.
A real employee is valuable because the operator wants the person to see the phishing workflow. A sandbox, scanner, researcher, or automated browser is dangerous because it may expose the infrastructure, generate indicators, or trigger a takedown. VPN detection is an imperfect filter, but redirecting suspicious traffic can preserve a campaign long enough to reach more targets.
The availability of both branches means an affiliate can select the technique best suited to the target or lure. If the operator believes the victim will follow device-verification instructions, the device-auth route minimizes reliance on a visibly fake login page. If a more conventional web-based lure is likely to work, the AiTM branch offers direct interception.
It also complicates incident response. An organization cannot assume every Forg365 incident will leave the same sign-in pattern or compromise artifacts. A device-code event, a newly registered device, an unusual cookie-backed session, and a proxied login may all point toward the same service while requiring different queries and containment steps.

ForgCookie Makes the Initial Phish Only the Beginning​

Obtaining a token or session cookie is valuable, but cloud identity attacks become far more damaging when the access can be maintained. Forg365 addresses that requirement with a companion browser extension called ForgCookie.
According to ZeroBEC’s findings, ForgCookie refreshes Microsoft single sign-on cookies to preserve access without requiring the attacker to authenticate again. It reportedly replays refresh tokens so that the operator can continue obtaining usable session material.
This persistence model is important because it moves the attacker beyond the short life of a single stolen cookie. If access can be renewed, the operator gains time to inspect the account, monitor activity, use Microsoft Graph, and exploit the trust attached to the compromised identity.
It also weakens one of the most common responses to account compromise: changing the password. A password reset protects against an attacker who must submit the old password again. It does not necessarily terminate every token, browser session, registered device, application grant, or cookie that already represents authenticated access.
ZeroBEC described ForgCookie as capable of maintaining access without reauthentication, effectively surviving a password reset through refresh-token replay. That does not make the compromise permanent or unstoppable, but it means a password reset alone is not containment.
For incident responders, the account must be treated as an identity ecosystem rather than a password record. Existing sessions, tokens, device registrations, OAuth activity, mailbox behavior, and browser-backed access all require attention. Otherwise, the organization may change the secret while leaving the attacker’s authorized session intact.
The existence of ForgCookie also illustrates the growing division of labor inside PhaaS products. The phishing page or device-code lure obtains the initial foothold. A token-management component organizes stolen access, while a browser extension handles the mechanics of replaying or refreshing session artifacts.
This modularity resembles legitimate enterprise tooling because it solves the same operational problem from the opposite direction. Administrators want reliable authentication, session continuity, and manageable devices. Attackers want the same qualities, but attached to identities they do not own.
The result is a platform built not merely to steal an account for a moment, but to operate inside it. A compromised mailbox can reveal invoices, internal discussions, trusted contacts, and the context required for a more convincing second-stage attack. Persistent access gives the operator time to wait for a financially or operationally useful conversation rather than immediately exposing the intrusion.
That patience is particularly dangerous in Microsoft 365 environments because identity is the connective tissue between email, files, collaboration, applications, and administrative services. The value of the account lies not just in reading messages but in inheriting the user’s position inside an organization’s trust graph.

Entra Telemetry Turns Forg365’s Convenience into a Detection Opportunity​

Although Forg365 is built to simplify attacks, productization can make parts of the operation predictable. ZeroBEC linked campaign activity through Microsoft Entra telemetry, observing device-code authorization from a Comcast/Xfinity residential IP address followed by activity from a Forg365 backend in Kyiv, Ukraine.
The backend conducted Microsoft Graph and device registration activity. In compromised tenants, researchers observed Entra-joined devices with names beginning with Forg365-.
These observations offer defenders useful pivots, but none should be interpreted in isolation. Comcast/Xfinity serves an enormous residential population, and an IP address associated with the provider is not inherently malicious. Kyiv is a major city whose infrastructure hosts legitimate users and services as well as attacker systems.
The more meaningful evidence comes from the sequence. A device-code authorization associated with an unexpected residential network, followed by Graph access or device registration from unrelated infrastructure, is more suspicious than either location alone. A newly Entra-joined device bearing an operator-default prefix makes that sequence more concrete.
The Forg365- naming convention is especially revealing because it shows how criminal automation can leak implementation details into a victim tenant. The service appears to create or manage devices using a predictable label, turning an operator convenience into an indicator administrators can hunt.
That indicator should be treated as high value but not exhaustive. Once public reporting draws attention to a naming prefix, a capable platform operator can change it. Affiliates may also customize names, and not every attack branch necessarily produces the same device artifact.
Defenders should therefore hunt for the exact prefix while also looking for its underlying behavior: unexpected Entra device joins, unfamiliar device names, registrations occurring shortly after device-code authentication, and access patterns inconsistent with the user’s normal equipment.
Microsoft’s sign-in data provides another crucial field. ZeroBEC recommends monitoring for originalTransferMethod=deviceCodeFlow, particularly when it appears alongside unusual device registrations.
The word original matters. Microsoft’s guidance explains that a later token refresh or sign-in event can remain associated with a session originally established through device-code flow, even if the current event does not present device code as its immediate authentication protocol. Investigators who search only for direct device-code events may therefore miss downstream activity.
That protocol tracking is useful when reconstructing an incident. A responder can connect a later session to the authentication method that created it rather than treating every token refresh as an independent event. In an attack designed around persistent access, that historical relationship may be the difference between seeing an isolated anomaly and seeing the full compromise chain.
The strongest detections will combine identity, device, network, and application signals. A suspicious original transfer method, a new Entra-joined device, an unfamiliar source, and unexpected Microsoft Graph activity together form a much more persuasive case than a static list of addresses or domains.

Legitimate Cloud Services Help the Phish Resemble Normal Business Traffic​

Forg365’s delivery infrastructure demonstrates why modern phishing cannot be reduced to blocking obviously malicious servers. ZeroBEC found that the operation abused Amazon SES and SendGrid in the email-delivery chain, used Cloudflare for landing-page hosting, and incorporated a Gophish-based sending component.
Each of those technologies has legitimate uses. Amazon SES and SendGrid deliver routine transactional and marketing email. Cloudflare hosts and protects an enormous range of web services. Gophish is used for authorized security assessments as well as malicious campaigns.
That legitimacy is operational cover. Messages delivered through established cloud infrastructure may blend into the constant SaaS traffic received by a modern organization, while hosted landing pages inherit reliable performance and broadly trusted network paths.
The observed business-document theme reinforces the disguise. Employees routinely receive links to contracts, shared files, invoices, proposals, and other external documents. The lure does not have to invent an unusual task; it needs only to insert itself into a familiar business ritual.
Static infrastructure blocking still has value, particularly when a known operator host such as logfriend[.]com is involved. But blocking a broad provider because one customer abused it would cause substantial collateral damage, and attackers can rotate individual accounts, subdomains, and sending configurations.
Detection must therefore concentrate on what the message asks the user to do. A business-document email that unexpectedly supplies a verification code, requests completion of a device sign-in, or creates an unfamiliar Microsoft authorization sequence deserves scrutiny even when the delivery provider and final authentication page are legitimate.
Email controls also need to be linked to identity telemetry. The mail gateway sees the initial lure, while Entra sees the authentication and device events. If those systems remain separate, the organization may classify the email as merely suspicious and the sign-in as merely unusual without recognizing that they are parts of one attack.
Forg365’s use of SMTP rotation makes that correlation still more important. When senders and infrastructure change, the durable characteristic may be the progression from a document lure to device-code authentication and then to an unexpected session or device registration.
The platform is effectively betting that defenders will evaluate each component in isolation. Amazon SES looks like email infrastructure. Cloudflare looks like hosting. Microsoft’s verification page looks genuine. A valid token looks authenticated. Only the assembled sequence reveals the fraud.

Kali365 Shows That Forg365 Is Part of a Market, Not an Exception​

Forg365 arrives in a threat landscape already shaped by comparable services. CyberPress explicitly compared its Telegram distribution and token-theft model with Kali365, another PhaaS platform highlighted by the FBI’s Internet Crime Complaint Center in May 2026.
The FBI’s advisory described Kali365 as a Telegram-distributed kit capable of capturing Microsoft 365 OAuth tokens. Like Forg365, its significance was not limited to a single criminal group or phishing campaign. The platform lowered the barrier for customers who wanted access to an established Microsoft 365 intrusion method.
ZeroBEC also named EvilTokens and Kali365 among PhaaS kits using device-code techniques, which researchers described as increasingly common since early 2026. The recurring features are becoming recognizable: subscription access, Telegram coordination, AI-generated messages, device-code lures, token capture, and persistence inside Microsoft 365.
There is no need to claim these services share operators or code to see the broader development. Their convergence can be explained by market pressure. When one platform demonstrates that a technique works and customers are willing to pay, competing services have an incentive to offer similar features.
The FBI’s involvement in the Kali365 case gives Forg365 additional context. Device-code phishing is no longer an obscure red-team scenario or a technique limited to highly capable espionage operators. It is being advertised and distributed through channels accessible to a much broader criminal customer base.
That changes the risk calculation for midsize businesses, schools, local governments, managed service providers, and other organizations that may not consider themselves likely targets of advanced identity attacks. A buyer does not need to develop the tooling specifically for one victim. The service already exists, and the same infrastructure can be aimed wherever a plausible lure and reachable Microsoft 365 user are available.
The subscription model also encourages volume. A customer paying monthly or annually has an economic incentive to run repeated campaigns and extract as much value as possible from the service period. A five-day trial lowers the cost of experimentation even further.
The annual price of $3,800 offers a discount over twelve separate $400 monthly payments, revealing how the operator imagines its customers behaving. This is a product for recurring use, not merely a one-off fraud attempt.
PhaaS platforms additionally allow specialists to focus on different stages of the criminal economy. The service developer maintains authentication workflows and infrastructure. An affiliate selects targets and sends lures. Other actors may monetize mailbox access, conduct business-email compromise, or exploit stolen information.
Defenders are therefore not confronting one attacker with one skill set. They are confronting a supply chain in which the technical sophistication of the platform can exceed that of the person operating it.

AI Matters Most as an Automation Layer​

Forg365’s AI-generated lures will attract attention because artificial intelligence has become a convenient explanation for every improvement in phishing. The more important point is not that AI can write a convincing email; criminals have long copied genuine business language, templates, and brands.
The material change is integration. AI-assisted email generation sits beside OAuth configuration, SMTP rotation, token management, and attack controls inside the operator panel. It becomes another button in the campaign workflow rather than an external tool requiring separate prompting, editing, and transfer.
That arrangement lowers friction. An affiliate can adapt wording to a business-document theme, refine the tone, and prepare variations while configuring the rest of the campaign. The service can help turn a generic phishing concept into multiple targeted messages without requiring the affiliate to be a skilled writer.
AI may also help platform developers lower their own costs by accelerating interface work, support content, and feature development. ZeroBEC’s assessment is therefore broader than lure quality: artificial intelligence reduces the cost of both producing phishing content and building PhaaS capabilities.
Still, AI is not the mechanism that defeats authentication. The decisive elements remain social engineering, misuse of a legitimate flow, token issuance, cookie interception, and persistent session management.
Overemphasizing AI risks obscuring the controls that matter. An organization cannot solve Forg365 merely by deploying a detector for machine-generated prose. Even a clumsy message can succeed if the user trusts the purported document and follows the code-entry instructions.
The correct framing is that AI makes the operation faster, cheaper, and more accessible. It improves the service’s scalability, but the underlying weakness remains a mismatch between what the user believes is being authorized and what Microsoft Entra is actually authorizing.

Conditional Access Must Treat Device Code as an Exception​

Microsoft recommends blocking device-code flow wherever possible, and the Forg365 findings reinforce that position. The sensible default is not to leave the flow open for every account because a limited number of devices or tools may depend on it.
Some legitimate environments do require device-code authentication. Microsoft Teams devices, constrained-input systems, command-line tools, and certain administrative or development workflows may rely on the flow. A careless tenant-wide block can therefore disrupt real operations.
That is an argument for inventory and narrow exceptions, not for inaction. Administrators should identify which accounts, devices, and applications genuinely require device code, document their owners, and restrict permission to that population.
Microsoft’s guidance recommends beginning in report-only mode when introducing Conditional Access restrictions, particularly where Teams devices may be affected. Administrators can review sign-in data, test required scenarios, and establish tightly scoped exception groups before enforcement.
Broad exclusions defeat the purpose. If an entire department or large user population is exempted because one workflow uses device code, attackers retain a substantial pool of phishable accounts. Exceptions should be tied to genuine operational dependencies and reviewed as those dependencies change.
Organizations should also distinguish between direct device-code use and sessions that originated from device code. Monitoring both the current authentication protocol and the original transfer method gives investigators a better view of initial authorization and subsequent token-backed activity.

Action checklist for admins​

  • Inventory legitimate device-code use before enforcing a block, including Teams devices, command-line tools, and approved administrative workflows.
  • Configure Conditional Access to block or restrict device-code authentication unless it is explicitly required.
  • Test the policy in report-only mode and create narrow, owner-approved exceptions rather than broad user exclusions.
  • Monitor Entra sign-in data for originalTransferMethod=deviceCodeFlow, especially when paired with unfamiliar locations, applications, or device registrations.
  • Hunt for Entra-joined devices whose names begin with Forg365-, then expand the search to all unexpected recent device joins.
  • Investigate Microsoft Graph activity and new device registrations following unusual device-code authorization.
  • If compromise is suspected, revoke active sessions and tokens, review registered devices and OAuth activity, and do not rely on a password reset alone.
  • Correlate suspicious business-document emails with subsequent Entra authentication and device events.
These actions address both prevention and investigation. Conditional Access reduces the exposed surface, while telemetry and device hunting help find sessions established before the control was enforced or through an approved exception.
No indicator should be considered permanent. Operator domains can move, device prefixes can change, and infrastructure can rotate. The defensive goal is to identify the behavior Forg365 automates, not merely the labels it currently leaves behind.

The Most Important Facts for Microsoft 365 Defenders​

Forg365 should be treated as a demonstration of where commercial identity phishing is heading: away from simple password harvesting and toward managed access that combines legitimate authentication, token handling, cookies, devices, and cloud APIs.
  • Forg365 is a Telegram-distributed PhaaS platform with a five-day trial, $400 monthly access, and a $3,800 annual subscription.
  • Its device-auth branch tricks users into authorizing attacker-controlled sessions through Microsoft’s legitimate device-code flow.
  • Its AiTM branch captures route tokens and session cookies, while VPN users can be sent to a decoy page.
  • The ForgCookie extension refreshes Microsoft SSO cookies and replays refresh tokens to preserve access without reauthentication.
  • Defenders should investigate originalTransferMethod=deviceCodeFlow, unusual device registrations, Microsoft Graph activity, and device names beginning with Forg365-.
  • Blocking or tightly restricting device-code authentication through Conditional Access is the strongest direct mitigation when the flow is not operationally required.
The common thread is authorization abuse rather than password theft. A user can authenticate correctly, Microsoft can issue valid tokens correctly, and the resulting session can still belong to an attacker because the user was deceived about what the code represented.
Forg365 is unlikely to be the final service built around that gap. The appearance of Kali365, EvilTokens, and now Forg365 indicates a competitive PhaaS market assembling identity attacks from legitimate cloud components and selling the result to affiliates. Microsoft 365 administrators who continue to treat authentication as a binary choice between a correct password and a stolen one will miss the larger shift: the next wave of phishing is designed to make the victim authorize the attacker, then make that authorization last.

References​

  1. Primary source: cyberpress.org
    Published: Fri, 10 Jul 2026 12:04:19 GMT
  2. Official source: learn.microsoft.com
  3. Official source: microsoft.com
  4. Official source: techcommunity.microsoft.com
  5. Official source: download.microsoft.com
  6. Official source: adoption.microsoft.com
  1. Official source: cdn-dynmedia-1.microsoft.com
  2. Related coverage: techradar.com
  3. Related coverage: itpro.com
  4. Related coverage: bleepingcomputer.com
 

Back
Top