A sophisticated phishing-as-a-service operation has been discovered targeting Microsoft 365 accounts using artificial intelligence (AI). The platform, called Forg365, leverages adversary-in-the-middle (AiTM) and device code methods with AI-assisted lure generation to steal sensitive information from unsuspecting victims.
### Forg365’s Advanced Features
Researchers at ZeroBEC email security company analyzed the phishing emails sent by Forg365 and found that they were carefully crafted to mimic trusted services. The observed sender domain used Amazon SES delivery, while the message body included SendGrid-hosted image or tracking resources. This combination of legitimate services and phishing infrastructure indicates a mature PhaaS operation capable of blending its messages into regular email traffic.
The platform features device-code phishing, AiTM phishing, AI-assisted email content generation, token and cookie management, and post-compromise operations. The researchers obtained access to the Forg365 dashboard, which allows creating new phishing campaigns, managing phishing links, configuring OAuth apps and SMTP profiles, managing tokens, and generating phishing emails with the help of AI.
### AI Integration for Custom Phishing Content
The integration of AI in crafting custom phishing lures is a strategic move by Forg365. The feature reduces the cost of developing custom phishing content, but it also reduces the cost of building custom PhaaS platforms. This means that attackers can create sophisticated phishing campaigns without requiring extensive technical expertise.
### Browser Extension for Persistent Access
The platform provides a browser extension called ForgCookie, which is compatible with Google Chrome, Microsoft Edge, and Brave. The extension automatically refreshes Microsoft SSO cookies, providing the attacker with persistent access to the Microsoft services associated with the victim’s account.
### Attack Paths and Detection Evasion
Forg365 supports two primary attack paths: device-code phishing and AiTM phishing. In the first case, victims are tricked into authorizing an attacker-controlled gadget through the legitimate OAuth 2.0 device code flow authentication method. For AiTM phishing, the platform uses a proxy for the authentication requests and data exchanged between the Microsoft infrastructure and the target account.
To prevent researchers from accessing the administration panel, Forg365 has an AntiBot feature that boasts AES-encrypted redirectors, bot detection, debugger traps, sandbox checks, and polymorphic code. Additionally, when a VPN connection is detected, the platform redirects to innocuous content instead of exposing the phishing pages.
### Recommendations for Prevention and Detection
To prevent successful attacks, users are recommended to restrict or disable Microsoft device-code authentication unless required. Monitoring Microsoft Entra logs for device-code authentication events is also crucial. Mailbox rules, new device sign-ins, Microsoft Authentication Broker activity, and OAuth grants must be investigated for unexpected entries.
If a compromise is suspected, all tokens and sessions must be revoked and refreshed as soon as possible.
### Conclusion
The Forg365 phishing platform is a sophisticated operation that uses AI to target Microsoft 365 accounts. Its advanced features and detection evasion techniques make it a challenging threat for security teams to detect and prevent. It is essential for organizations to remain vigilant and take proactive measures to protect their users’ sensitive information.
Source: Original article