🟠 High  |  Source: The Hacker News


Forg365 is a phishing-as-a-service platform sold via Telegram for $400/month that targets Microsoft 365 accounts using device code phishing and adversary-in-the-middle techniques to steal authenticated sessions, bypassing MFA entirely. It also incorporates AI-generated lures and antibot evasion to increase success rates and avoid detection. This is significant because it industrialises sophisticated attack techniques, lowering the barrier for threat actors to compromise enterprise M365 tenants at scale.

Security Architect’s Take: Disable device code flow authentication in Azure AD Conditional Access policies unless explicitly required, and enforce Continuous Access Evaluation (CAE) with token binding where possible to limit the usefulness of stolen session tokens. Monitor for anomalous OAuth token usage and unfamiliar device registrations as indicators of device code phishing attempts.

Original advisory: Forg365 PhaaS Targets Microsoft 365 with Device Code and AitM Session Theft