Forg365 Sells Ready-Made Microsoft 365 Hijacking Kits on Telegram for $400 a Month
A new phishing service hands criminals automated tools to break into Microsoft 365 accounts and stay there, even after a victim changes their password.

Key points
- Forg365 is a subscription phishing service, sold through the messaging app Telegram, priced at $400 per month or $3,800 per year as of mid-2025.
- The service uses AI to generate convincing fake emails and can steal access tokens that remain valid even after a password reset.
- Security researchers at ZeroBEC found compromised devices during their investigation with names beginning "Forg365," giving companies a concrete clue to look for.
- Blocking device-code authentication in Microsoft Entra ID (Microsoft's identity platform) can cut off one of the two main attack paths the service uses.
- Deploying phishing-resistant login methods, such as FIDO2 passkeys (physical security keys or biometric logins that cannot be faked by a fake website), closes the other path.
Criminals do not need to be technically skilled to hijack a corporate email account anymore. Forg365, a phishing-as-a-service platform documented this month by security company ZeroBEC, sells everything a would-be attacker needs in one subscription, including fake email templates, an automated management panel, and tools for keeping access alive long after the victim notices something is wrong.
Phishing-as-a-service is not new. What is new is how much Forg365 automates. The service uses artificial intelligence to write convincing fake emails, impersonating familiar business tools such as DocuSign, Adobe Acrobat Sign, SharePoint, and OneDrive. Buyers get a control panel to manage stolen credentials and monitor hijacked inboxes. First reported in detail by CSO Online, the platform even offered a five-day free trial.
How does Forg365 actually break into an account?
The attack starts with a fake business email, often pretending to be a document approval request. The link inside leads the victim through several redirects before landing on one of two traps.
The first is a device-code attack. Here, the victim is shown what looks like a genuine Microsoft login screen and asked to type in a short code. That code, though, secretly authorises a login session that the attacker controls. Because real Microsoft infrastructure is involved, the request looks legitimate.
The second method is an adversary-in-the-middle attack, where the service quietly relays the victim's real login between them and Microsoft, capturing a session token (a kind of digital pass that proves you already logged in, so the system does not ask again) along the way.
Smart victims who hover over links, or automated security scanners, get redirected to a harmless decoy page, hiding the attack from defenders.
Here is the uncomfortable part. Resetting a stolen account's password may not help. A browser extension called ForgCookie lets attackers silently refresh their stolen session using the captured token. The attacker stays inside even after the lock is changed.
For anyone who uses Microsoft 365 at work: if you receive an unexpected email asking you to approve a document and enter a short numeric code anywhere outside your normal login flow, stop and call your IT team before typing anything.
Organisations that do not need device-code authentication should disable it inside Microsoft Entra ID. IT teams recovering from a Forg365 intrusion should revoke all active refresh tokens, end open sessions, audit every device registered during the suspected compromise window, and check mailbox forwarding rules for unauthorised changes. Any device whose name starts with "Forg365" is a red flag worth investigating immediately.



