Forg365: The AI-Powered Phishing Platform Targeting Microsoft 365 Accounts at Scale

A new phishing-as-a-service tool is using artificial intelligence to steal sessions, hijack mailboxes, and bypass MFA — putting millions of cloud users at risk

Forg365: The AI-Powered Phishing Platform Targeting Microsoft 365 Accounts at Scale

What Is Forg365 and Why Is It Different From Ordinary Phishing?

A sophisticated phishing-as-a-service platform known as Forg365 has emerged as a serious threat to organisations and individuals relying on Microsoft 365 for daily operations. Unlike conventional phishing campaigns that rely on crude impersonation and generic lure emails, Forg365 uses artificial intelligence to craft highly convincing attacks, steal session tokens, and gain persistent access to victim mailboxes — all without needing to crack a single password. The Microsoft 365 phishing attack capabilities bundled into this platform represent a worrying leap forward in the commoditisation of cybercrime.

The platform operates on a subscription model, meaning that technically unsophisticated criminals can now launch enterprise-grade attacks simply by paying a fee and pointing the tool at a target list. This democratisation of advanced phishing infrastructure is precisely what makes Forg365 so alarming for IT administrators, privacy professionals, and business owners who depend on Microsoft's cloud ecosystem. According to reporting by Cybersecurity News, the platform combines AI-powered phishing generation, session theft mechanisms, and direct mailbox access into one integrated toolkit — a convergence that significantly raises the bar for defenders.

Cybersecurity professional monitoring phishing threats on a computer screen
The rise of phishing-as-a-service platforms has lowered the technical barrier to launching sophisticated cloud account attacks

How Forg365 Executes a Microsoft 365 Phishing Attack Step by Step

Understanding the mechanics of Forg365 is essential for any IT or security team trying to defend against it. The platform's attack chain is multi-stage and carefully designed to circumvent the most common enterprise security controls, including multi-factor authentication (MFA).

The process typically begins with AI-generated phishing emails that convincingly mimic legitimate Microsoft communications — login prompts, shared document notifications, or security alerts. Because the lure content is generated and personalised using AI, traditional email filters trained on known phishing templates are far less effective at catching them. The victim is directed to a fake Microsoft 365 login page that operates as a reverse proxy, sitting between the user and the real Microsoft authentication infrastructure.

This adversary-in-the-middle (AiTM) technique is the critical innovation at play. When the victim enters their credentials and completes MFA, the session token generated by Microsoft is intercepted in real time by the Forg365 infrastructure. The attacker then uses that live session token to authenticate directly to the victim's Microsoft 365 account — completely bypassing the need to know the password or possess the MFA device. This is not a theoretical vulnerability; it is an active exploitation of how browser session management works, and it affects all forms of MFA that rely on one-time codes or push notifications.

Once inside the mailbox, Forg365 gives the operator full access: reading emails, exfiltrating contacts, setting up forwarding rules, and in many cases using the compromised account to pivot further into the organisation by sending internal phishing emails that carry far more trust than an external message would.

74%Of breaches involve human element, including phishing (Verizon DBIR)
$4.9MAverage cost of a phishing-related data breach (IBM)
300%Rise in AI-enhanced phishing campaigns over the past two years (ENISA)
400M+Microsoft 365 commercial users worldwide (Microsoft)

Phishing-as-a-Service: The Industrialisation of Credential Theft

Forg365 does not exist in isolation. It is part of a broader and rapidly expanding ecosystem of phishing-as-a-service (PhaaS) platforms that have transformed cybercrime into a subscription business. Platforms like EvilProxy, Caffeine, and Greatness have already demonstrated that AiTM-based toolkits targeting Microsoft 365 are commercially viable and widely deployed. Forg365 appears to be the latest iteration of this model, with AI capabilities layered on top of already dangerous infrastructure.

According to the European Union Agency for Cybersecurity (ENISA) Threat Landscape report, phishing remains the single most prevalent initial attack vector across European organisations, and the growing sophistication of PhaaS toolkits is a primary driver of increasing incident rates. For privacy professionals and GDPR compliance officers, this matters enormously: a successful Microsoft 365 phishing attack that results in unauthorised mailbox access almost certainly constitutes a personal data breach under Article 4 of the GDPR, triggering a 72-hour notification obligation to the relevant supervisory authority.

The Verizon Data Breach Investigations Report has consistently identified phishing and credential theft as among the top two causes of data breaches globally. With AI now accelerating both the personalisation and scale of phishing campaigns, the threat surface for organisations using cloud productivity tools like Microsoft 365 is expanding faster than most security teams can adapt.

"The shift to AI-generated phishing content is not an incremental threat — it is a categorical one. Defenders who rely on spotting grammatical errors or suspicious formatting in phishing emails will find those heuristics increasingly useless against AI-crafted lures."

— Cybersecurity analyst perspective on AI-enhanced phishing platforms

Why MFA Is No Longer Enough to Stop a Modern Microsoft 365 Phishing Attack

One of the most consequential aspects of Forg365's methodology is its ability to render traditional MFA protections ineffective. For years, the cybersecurity industry has advocated MFA as a near-mandatory control for cloud account security, and rightly so — it eliminates the vast majority of automated credential-stuffing attacks. But AiTM phishing platforms fundamentally change the calculus.

The core issue is that most widely deployed MFA methods — SMS codes, authenticator app one-time passwords, and even push notifications — protect the authentication event, not the session that follows it. Once a valid session token exists, it can be reused by anyone who possesses it, regardless of where it was created. This is not a flaw in Microsoft's implementation specifically; it reflects how the web's session management architecture was designed decades before adversary-in-the-middle phishing toolkits existed at scale.

The good news is that stronger alternatives do exist. FIDO2-compliant hardware security keys (such as YubiKeys) and passkey-based authentication are specifically engineered to resist AiTM attacks because the authentication is cryptographically bound to the legitimate origin domain. A fake Microsoft login page cannot successfully complete a FIDO2 authentication exchange because the origin domain does not match. As noted in guidance from the Microsoft Security Blog, migrating to phishing-resistant MFA is now considered the single most effective mitigation against this class of attack.

For IT decision makers evaluating their Microsoft 365 security posture, the practical implication is clear: if your MFA deployment relies on TOTP codes or push notifications, your organisation is potentially vulnerable to platforms like Forg365. Conditional Access policies that enforce compliant device requirements and Continuous Access Evaluation (CAE) can also help, as they allow Microsoft 365 to revoke session tokens more rapidly when anomalous access patterns are detected.

Person using a hardware security key for multi-factor authentication on a laptop
Hardware security keys using FIDO2 standards remain one of the most effective defences against adversary-in-the-middle phishing attacks

GDPR, Data Sovereignty, and the Cloud Security Responsibility Gap

For European organisations and those subject to GDPR, a successful Forg365 attack carries regulatory consequences that extend well beyond the immediate technical damage. Under the GDPR's breach notification framework, any unauthorised access to personal data held within a Microsoft 365 mailbox — including names, email addresses, financial correspondence, or HR records — must be assessed for risk and potentially reported to supervisory authorities within 72 hours of discovery. Failure to do so can result in fines of up to €10 million or 2% of global annual turnover, whichever is higher.

This intersection of cloud security and data sovereignty is a growing concern for privacy professionals. When an organisation migrates to Microsoft 365, it does not shed its GDPR obligations — it outsources the infrastructure while retaining full accountability for the security of personal data processed within it. Platforms like Forg365 exploit exactly this gap: Microsoft's infrastructure may be secure, but the accounts sitting on top of it are only as secure as the humans and policies protecting them.

The broader data sovereignty debate in Europe has prompted some organisations to explore alternatives that offer greater control over authentication and data residency. European cloud providers and open-source productivity suites are increasingly positioned as solutions that allow organisations to enforce stronger, locally managed authentication policies — though the migration costs and compatibility challenges remain substantial for most enterprises. Resources such as the German Federal Office for Information Security (BSI) cloud computing guidance provide useful frameworks for evaluating the security responsibilities that come with cloud adoption.

Defence Control Effective Against Forg365? Notes
SMS / TOTP MFA ❌ No Bypassed by AiTM session token theft
Push notification MFA ❌ No Session token still captured post-authentication
FIDO2 hardware key ✅ Yes Cryptographically bound to legitimate origin domain
Conditional Access + compliant device ⚠️ Partial Reduces risk; does not eliminate session token exposure entirely
Originally reported by RSS App New Cybersecurity Feed. Summarised and curated by European Purpose.