Security researchers disclosed Forg365, a new phishing-as-a-service platform targeting Microsoft 365 accounts that combines two distinct authentication-bypass techniques — adversary-in-the-middle session proxying and Device Code Flow OAuth abuse — within a single criminal subscription service, and differentiates itself from competing platforms through AI-generated lure content that reduces the manual effort required for personalized phishing while scaling to mass targeting.
Forg365’s Dual Authentication Bypass Architecture
Most phishing-as-a-service platforms targeting Microsoft 365 accounts commit to a single attack method: either they proxy authentication sessions to steal cookies and bypass MFA, or they abuse OAuth flows to harvest tokens without presenting a traditional login page. Forg365 combines both within the same platform, giving criminal operators two distinct paths into M365 accounts from a single service subscription.
The dual-method architecture addresses a practical operational problem for criminal operators: organizations deploy different defensive configurations, and a Conditional Access policy or security control that blocks one method may not block the other. A criminal operator running Forg365 does not need to maintain two separate toolkits or switch between services when they encounter an organization with specific authentication controls — they switch methods within the same platform.
Forg365’s AiTM Session Proxying as the Primary MFA Bypass
The adversary-in-the-middle component operates by positioning a Forg365-controlled proxy between the victim and Microsoft’s authentication infrastructure. When a victim visits a Forg365-generated phishing page and enters their credentials, those credentials pass through to the real Microsoft login — which means Microsoft’s MFA challenge fires and the victim completes it. The proxy intercepts the resulting session cookie, which represents an already-authenticated M365 session that an attacker can then use directly without ever possessing the victim’s password or re-authenticating.
Session cookie theft bypasses MFA because the MFA check already happened — the stolen cookie represents a post-authentication session state. Traditional credential phishing captures a username and password but then fails at the MFA gate. AiTM session proxying captures the session state after the MFA gate, making the MFA check irrelevant to the attacker’s ability to access the account.
Device Code Flow as the Fallback When Conditional Access Blocks AiTM
Organizations that have deployed Conditional Access policies configured to detect or block session proxying — including policies that check for impossible travel, unfamiliar network locations, or session replay — may block or flag AiTM-based attacks. Forg365’s Device Code Flow method provides an alternative that does not involve a session proxy. As with the Helix threat group’s use of the same technique, Forg365’s Device Code Flow attacks direct the victim to enter a generated code at Microsoft’s own login infrastructure, resulting in a token issued through a legitimate authentication event rather than through a proxied session.
The two methods produce access credentials through different technical paths, which means the Conditional Access rules designed to detect one approach may not detect the other. Forg365 operators can attempt the AiTM path first and fall back to Device Code Flow if access controls indicate the proxy method is likely to fail.
AI-Generated Lures as Forg365’s Competitive Differentiator
The feature that distinguishes Forg365 from competing M365 PhaaS platforms including EvilProxy, Tycoon 2FA, and Mamba 2FA is the integration of AI-assisted lure generation. The platform generates phishing lure content tailored to the apparent industry, branding patterns, and communication conventions of the target organization — reducing the manual research and content creation work that would normally be required to produce a convincing spear-phishing message.
For criminal operators running Forg365 against high-volume target lists, AI lure generation addresses the scaling problem of personalized phishing: a convincing, targeted lure requires organizational context that takes time to research, while a generic template produces lower conversion rates because recipients more easily identify it as phishing. AI-generated lures aim to produce contextually plausible content at template-level speed, narrowing the gap between mass phishing and targeted spear-phishing.
Forg365 in the M365 Criminal Phishing Ecosystem
Microsoft 365 is the target of choice for PhaaS platforms because a single compromised account provides access across Outlook email, Teams conversations, OneDrive files, SharePoint documents, and integrated business applications. The value is both immediate — business email compromise, invoice fraud, data access — and secondary, as internal communications and access patterns provide intelligence for follow-on attacks against the organization or its contacts.
The M365 PhaaS market has expanded over several years to include EvilProxy, Tycoon 2FA, and Mamba 2FA, each with established criminal customer bases. Forg365’s dual-method architecture and AI lure capability represent the current escalation point in the competitive development of M365 credential theft infrastructure, aimed at out-performing rival platforms on the defensive evasion and personalization dimensions that determine attack success rates.
