Forg365: A $400-a-Month Kit That Hijacks Microsoft 365 Logins
A new subscription phishing service uses device codes, session theft and AI-written lures to break into corporate email accounts.

Key points
- Forg365 is a new phishing-as-a-service operation that targets Microsoft 365 accounts, meaning the email, calendar and file service most companies run on.
- Customers rent the kit through Telegram for $400 a month or $3,800 a year.
- It combines device code phishing, session hijacking, bot-detection dodges and AI-generated lures in a single package.
- Once inside, the operators run mailbox rules and other follow-up actions to keep access and steal more data.
A new criminal service called Forg365 is renting out a ready-made kit for breaking into Microsoft 365 accounts. It costs $400 a month, or $3,800 for a year, and is sold through Telegram, the messaging app criminals often use as a shopfront.
The operation was detailed by The Hacker News. It fits a growing pattern: professional-looking crime kits that let low-skill buyers run attacks that used to require real expertise.
What is Forg365 actually doing?
It is stealing live logins to company email. The kit bundles several tricks that work together to get a victim to hand over access, then keep it.
The first trick is called device code phishing. Microsoft has a legitimate feature where a device with no keyboard (think a smart TV or a conference room screen) shows a short code, and you type that code into microsoft.com on your phone to log the device in. Criminals abuse this by sending a target a real Microsoft code and a plausible reason to enter it. The victim types it into the genuine Microsoft site, and in doing so authorises the attacker's device. No fake login page is needed.
The second trick is adversary-in-the-middle, or AitM. Here the attacker sits between the victim and the real Microsoft login page, silently relaying everything. When the victim finishes signing in, including any multi-factor code from an app or text message, the attacker copies the resulting session token. That token is the digital wristband that proves you are already logged in. With it, the attacker walks straight into the account, MFA and all.
Forg365 also includes antibot filters, which block security scanners and researchers from seeing the phishing pages, so the pages stay online longer. And it uses AI to write the lure emails, meaning the bait messages read more naturally and are harder to spot as fake.
What happens after the login is stolen?
The kit does not stop at the front door. It supports post-compromise mailbox operations. In plain terms, once the criminals are in, they read email, set up hidden forwarding rules, delete traces, and use the account to phish colleagues, customers and suppliers from a trusted address.
That is how a single stolen login becomes invoice fraud, wire transfer fraud or a wider breach of the company.
Should ordinary staff be worried?
Yes, in a practical way. Two things matter for anyone with a work Microsoft 365 account.
First, never type a Microsoft device code that you did not personally start. If a colleague, a helpdesk ticket, a Teams message or an email asks you to "just enter this short code to verify," stop. That is the exact shape of a device code phishing attack.
Second, treat MFA prompts as valuable. If you get a login approval request you did not trigger, deny it and tell your IT team. An AitM attack only succeeds if you complete the sign-in the attacker started.
For IT teams, the usual defences apply and matter more than usual here. Block or restrict the device code flow where it is not needed. Use phishing-resistant sign-in methods such as FIDO2 security keys or Windows Hello, which do not hand over a reusable token. Monitor for suspicious mailbox rules and new sign-ins from unfamiliar locations. And review Conditional Access policies so tokens stolen from one device cannot be replayed from another.
Forg365 is not a clever new bug. It is a business. That is what makes it dangerous.



