logo

Forg365

ID: 3887b7f7-a7d6-4111-b49b-0c6ce5af5016

STIX ID: report--3887b7f7-a7d6-4111-b49b-0c6ce5af5016

Threat Score

78/100

Uploaded: 2026-07-14

Created by: Threat Intel Test

TLP:GREEN
...
...
Forg365 is a subscription-based phishing-as-a-service (PhaaS) operation targeting Microsoft 365 accounts that combines device-code and adversary-in-the-middle phishing, antibot checks, AI-assisted lure generation, and post-compromise mailbox tooling. Distributed via Telegram, the platform abuses legitimate email delivery infrastructure (e.g., Amazon SES, SendGrid), supports token and cookie harvesting (including a Chromium extension, ForgCookie, for automatic SSO cookie refresh), and provides an operator panel for campaign management and persistence, lowering the skill barrier for large-scale account takeover and lateral phishing. Recommended mitigations include blocking unnecessary device-code authentication, auditing mailbox artifacts and mail-flow rules, and decommissioning legacy aliases.