Forg365 industrializes phishing to Microsoft 365 with AI

Learn how Forg365 uses AI to automate phishing to Microsoft 365, evading security controls and complicating the response. Learn to protect yourself.

15 jul 2026 • 4 min read • Q2BSTUDIO Team

The rise of phishing-as-a-service with artificial intelligence

The cybercrime ecosystem is evolving at a dizzying pace, and one of the most worrying trends is the industrialization of phishing. Until recently, launching a credential theft campaign required considerable technical knowledge. However, platforms like Forg365 are changing the rules of the game by offering a full phishing service as a subscription, distributed via Telegram and powered by artificial intelligence. This model allows even inexperienced attackers to compromise Microsoft 365 accounts in an automated way, evading traditional security controls and maintaining access even after a password change. For businesses, this poses a direct threat to their critical infrastructure, and understanding how it works is the first step to defending themselves.

Forg365 is not a simple phishing kit; is an industrialized platform that integrates everything from AI-assisted lure creation to post-engagement management. Attackers can build convincing messages that mimic legitimate services such as DocuSign, Adobe Acrobat Sign, SharePoint, or OneDrive, using pre-built templates. Artificial intelligence adjusts content to make it more credible, increasing the success rate. Once the victim interacts, the system classifies the visitor: if they look like a researcher or an automated tool, they are redirected to a harmless page; If it's a real target, a device code attack or adversary-in-the-middle is deployed. This selective approach hides malicious activity and makes early detection difficult.

The technical heart of Forg365 lies in two key techniques. On the one hand, the device code attack takes advantage of Microsoft's legitimate authentication: the victim enters a code on an official page, granting access to the attacker without the need to share the password. On the other hand, the man-in-the-middle attack captures credentials and session cookies in real-time. In addition, a browser extension called ForgCookie allows single sign-on cookies to be generated and refreshed from the attacker's browser, ensuring persistence even if the password is reset. This level of sophistication makes Forg365 a dangerous tool, especially since it is marketed as a turnkey service with free trials and monthly or yearly subscriptions.

The implications for enterprise cybersecurity are enormous. A successful attack can result in inbox monitoring, exfiltration of sensitive data, or lateral movement within the organization. Incident response teams face an additional challenge: sessions maintained using cookies or refresh tokens are not deleted with a simple password change. All active tokens need to be revoked, logged out, and registered devices must be audited. Some of these devices, according to research, carry names that include "Forg365," which offers a hint of compromise, but it is not always easy to identify them.

In the face of this threat, organizations must take a defense-in-depth approach. A priority measure is to restrict the use of device passcode authentication in Microsoft Entra ID, unless it is strictly necessary for command-line tools or conference room systems. In parallel, implementing phishing-resistant authentication methods, such as FIDO2 or WebAuthn security keys, drastically reduces the attack surface. These solutions, while requiring investment and change management, are critical to protecting identities. In addition, it's crucial to monitor for anomalous activity, such as repeated silent logins or Graph API activity from unusual addresses. Mail forwarding rules and delegated permissions should be reviewed periodically.

In this context, having the support of a specialized technology partner makes all the difference. Q2BSTUDIO offers cybersecurity and pentesting services that help companies assess their security posture before attackers do. Through simulations of real attacks, vulnerability analysis and audits of cloud configurations, it is possible to identify weaknesses in authentication processes and identity management. The Q2BSTUDIO experience in Microsoft 365 and Azure environments allows you to design custom controls, such as restricting authentication flows and configuring Conditional Access policies. In addition, integrating AI for business into monitoring solutions can automate the detection of suspicious patterns, reducing response time.

The fight against platforms like Forg365 is not limited to technical patches. It requires a global strategy that combines user training, updating security policies, and the adoption of advanced technologies. Businesses that still rely on traditional passwords or SMS-based multi-factor authentication are especially vulnerable. Migrating to passwordless methods and employing AI agents for continuous session monitoring are steps in the right direction. In addition, AWS and Azure cloud services can be configured with zero-trust architectures, where each access is independently verified.

Business intelligence tools, such as Power BI, can also play an important role in cybersecurity. By centralizing activity logs and applying visual analytics, security teams can detect anomalies in login patterns or shared resource usage. Q2BSTUDIO, with his expertise in business intelligence services, helps build dashboards that alert on unusual behavior, integrating data from multiple sources such as Azure AD, Microsoft 365, and network logs.

Custom application development and custom software for security is also a viable option for organizations with specific needs. Rather than relying solely on business tools, you can create tailored solutions that automate incident response or granularly manage access permissions. Q2BSTUDIO has a team specialized in cross-platform application development, capable of integrating security modules directly into business workflows.

In short, Forg365 represents the new generation of phishing-as-a-service, where AI and automation lower the barriers to entry for cybercriminals. Companies must react with robust technical measures, continuous training and strategic alliances with trusted suppliers. Cybersecurity is no longer an isolated department, but an essential component of business strategy. With the right support, it is possible to anticipate these threats and protect the organization's most valuable assets.

A BREAK?

Play for a moment before you go

OUR SERVICES

How we can help you

Do you have a project in mind?

Tell us your vision and we'll turn it into a software solution. Whatever the scope, we make your idea real.