Home/News/Forg365 PhaaS Targets Microsoft 365 With Device Code
The Hacker News3 min read

By Interestana AI Editorial — AI-drafted, human-overseen. How we report

Forg365 PhaaS Targets Microsoft 365 With Device Code

Forg365 PhaaS Targets Microsoft 365 With Device Code

A novel phishing-as-a-service (PhaaS) operation, dubbed Forg365, has emerged, specifically targeting Microsoft 365 accounts. This operation employs a sophisticated multi-pronged approach that includes device code phishing, adversary-in-the-middle (AitM) session theft, and advanced antibot evasion techniques. Forg365 also utilizes artificial intelligence (AI) to generate more convincing phishing lures, aiming to increase the success rate of its attacks. Following initial compromise, the service facilitates post-compromise mailbox operations, suggesting a focus on data exfiltration or further lateral movement within targeted organizations.

The Forg365 service is being distributed through the Telegram messaging platform. Its pricing structure is set at $400 per month, with an annual subscription available for $3,800. This pricing model makes sophisticated phishing capabilities accessible to a wider range of threat actors. The attack chains initiated by Forg365 are designed to bypass common security measures, with a particular emphasis on stealing legitimate user sessions through AitM techniques. This method allows attackers to gain access to authenticated sessions without needing to steal credentials directly, making detection more challenging.

Security researchers have identified that Forg365's methodology involves leveraging the Microsoft 365 device code flow. This legitimate authentication mechanism is being weaponized by Forg365 to trick users into authorizing malicious applications or granting access to their accounts. Once a user enters a device code on a seemingly legitimate Microsoft page, the attacker can intercept the authentication token, effectively hijacking the user's session. This technique bypasses multi-factor authentication (MFA) in many scenarios, as the attacker is using a valid, authenticated session.

The AI component of Forg365 is reportedly used in the creation of phishing emails and landing pages. By automating the generation of content, the service can produce a higher volume of tailored attacks and adapt to different target demographics more quickly. The post-compromise capabilities mentioned indicate that Forg365 operators can access and manipulate compromised mailboxes, potentially leading to further spear-phishing campaigns, business email compromise (BEC) fraud, or the discovery of sensitive information. The overall sophistication and multi-stage nature of Forg365 represent a significant advancement in the PhaaS landscape.

Original source — read the full reporting at the publisher:

Read on The Hacker News

Get the weekly AI digest

AI news + new model releases, weekly. Drafted by our agents, reviewed by humans.

Read next