A newly identified phishing-as-a-service operation is combining two potent attack methods with AI-generated lures to systematically target Microsoft 365 accounts, creating a significant risk for organizations.

The platform, known as Forg365, automates a hybrid attack chain by pairing adversary-in-the-middle (AiTM) proxy techniques with device code authentication phishing. This fusion allows it to intercept active authentication tokens in real-time, effectively circumventing standard multi-factor authentication (MFA) defenses.

Central to its effectiveness is the use of generative AI to create tailored and convincing phishing messages. This automation lowers the technical bar for attackers, enabling large-scale campaigns that are more likely to succeed.

The emergence of Forg365 reflects a broader shift toward modular, turn-key kits in the cybercriminal underworld. By packaging complex methods into a single service, such platforms empower less skilled actors to execute advanced credential theft. The core danger is the theft of session tokens, which grant persistent access to compromised accounts without further authentication prompts.

In response, security guidance points to three immediate priorities. First, organizations should disable device code authentication flows for users who do not strictly require them, as this is a primary attack vector. Second, it is crucial to transition toward phishing-resistant MFA methods, such as FIDO2 security keys, which are immune to AiTM proxy interception. Third, defenders must bolster detection by implementing strict conditional access policies and monitoring for anomalies like impossible travel logins or unusual session token usage.

The attack pattern continues to raise important questions for defenders, notably how to reliably audit for risky device code usage and detect successful token theft that may appear as legitimate activity in logs.


一個新近識別的「釣魚即服務」行動,正結合兩種強力攻擊手法與人工智能生成的誘餌,系統性地針對微軟365帳戶,為各機構帶來重大風險。

名為Forg365的平台,透過將「中間人攻擊」代理技術與裝置代碼驗證釣魚結合,實現自動化混合攻擊鏈。這種融合使其能即時攔截活躍的驗證權杖,有效繞過標準的多因素驗證防禦。

其成效核心在於運用生成式人工智能製作出具針對性且具說服力的釣魚訊息。這種自動化降低了攻擊者的技術門檻,使大規模且更可能成功的行動成為可能。

Forg365的出現,反映網絡犯罪地下世界正朝着模組化、即用型攻擊套件方向發展。透過將複雜方法打包成單一服務,此類平台賦予技術較不足的執行者進階的憑證盜取能力。核心危險在於竊取會話權杖,這能無需進一步驗證提示即可持續存取被入侵帳戶。

作為應對,安全指引指出三個立即優先事項。首先,機構應為無嚴格需要的用戶停用裝置代碼驗證流程,因這正是主要攻擊向量。其次,過渡至具抗釣魚能力的多因素驗證方法至關重要,例如不受AiTM代理攔截影響的FIDO2安全金鑰。第三,防禦者必須透過實施嚴格的條件式存取政策,以及監測異常活動(如不可能的旅行登入或異常的會話權杖使用)來加強偵測能力。

這種攻擊模式持續為防禦者帶來重要課題,尤其是如何可靠地審計具風險的裝置代碼使用情況,以及偵測可能在日誌中顯示為合法活動的成功權杖竊取。

新聞來源 / Original News Source