Forg365: the new phishing kit built to hoover up Microsoft 365 logins
A fresh phishing-as-a-service operation uses AI to write the bait and a browser extension to keep the door open long after the theft.

Key points
- Researchers at ZeroBEC disclosed a new phishing-as-a-service platform called Forg365 that targets Microsoft 365 accounts.
- Forg365 bundles AI-written phishing emails, two account-stealing techniques, and a browser extension that keeps stolen access alive.
- The kit sends emails through Amazon SES and hosts fake login pages on Cloudflare Pages to look legitimate.
- ZeroBEC recommends disabling Microsoft's device-code sign-in unless it is genuinely needed.
There is a new criminal service on the market, and it is aimed squarely at your work email.
It is called Forg365. Security researchers at ZeroBEC, an email security company, say it is a phishing-as-a-service platform, meaning a ready-made toolkit that lets less skilled criminals run professional-grade attacks by the month, the way anyone else might rent software.
Its target: Microsoft 365 accounts, the everyday Outlook, Teams and SharePoint logins used by most offices.
The operation was first reported by BleepingComputer, and the details are worth understanding because the tactics are unusually polished.
How does the scam actually work?
It starts with an email that looks like a normal business document, often an invoice or a shared file. The email is written or refined by an AI assistant baked directly into the criminal's control panel, so the grammar is clean and the tone matches a real company.
The emails are sent through Amazon SES, a legitimate Amazon email service, and the pictures inside them load from SendGrid, another mainstream marketing tool. That mix helps the messages sail past spam filters.
Click the link, and you land on a fake Microsoft sign-in page hosted on Cloudflare Pages. From there, Forg365 does one of two things.
The first is called adversary-in-the-middle phishing, where the fake page quietly passes your username, password and even your two-factor code to the real Microsoft site while stealing the session cookie, the small file your browser uses to prove you are logged in. The criminals then load that cookie into their own browser and walk in as you.
The second, newer trick is device-code phishing. Microsoft has a legitimate sign-in flow for gadgets that cannot show a proper login screen, things like smart TVs or office printers. Forg365 abuses it by showing victims a real Microsoft code page and nudging them to type in a code that actually authorises the attacker's device, not their own.
What makes this one different?
Two things stand out.
One is the AI. Custom phishing emails used to take effort. Now the operator writes a prompt inside the same dashboard they use to launch the attack, and the lure appears seconds later.
As ZeroBEC put it, AI cuts the cost of writing phishing content, and it also cuts the cost of building phishing platforms in the first place.
The other is a browser extension called ForgCookie, which works in Chrome, Edge and Brave. Once the criminals have stolen your session, ForgCookie automatically refreshes their access in the background, so they keep their foothold in your Microsoft account without needing you to log in again.
There is also a keyword monitor. The kit scans hijacked mailboxes for words the attacker chooses, say "invoice" or "wire transfer", and pings the operator when something juicy appears.
To keep researchers out, Forg365 checks visitors for signs of automated tools or VPN use, and redirects anyone suspicious to harmless content.
What should ordinary users do?
If you use Microsoft 365 at work, be wary of any email asking you to "verify" a code on a Microsoft page. A real gadget setup will never arrive by surprise in your inbox.
If you administer accounts, ZeroBEC's advice is practical. Turn off device-code sign-in unless your organisation actually needs it. Watch Microsoft Entra logs for device-code events, unexpected new device sign-ins and odd OAuth app approvals.
And if you suspect an account has been hit, revoke every active session and token straight away. A stolen cookie is only useful while it is still valid.



