Find notable cyber news and cases, enriched with sources, timelines, and signals.

Forg365-ForgCookie alliance reshapes ransomware ecosystem operations

Threat Actor Meta
First reported
Last updated
Happening score
H score 37
1 unique sources, 1 articles

Summary

Hide ▲

Forg365 is a phishing-as-a-service (PhaaS) operation built to steal Microsoft 365 accounts with AiTM and device-code phishing, increasing credential-theft risk for organizations that rely on Microsoft identity services. The platform also pairs phishing with AI-assisted lure generation and a browser extension that helps keep access to compromised accounts. That combination lowers the cost of running custom phishing infrastructure and extends attacker persistence after the initial login theft.

Related Happenings

Helix vishing and SharePoint data-extortion campaign

Campaign
H score38 First: 09.07.2026 20:08 Last: 09.07.2026 20:08 Sources 1

About this happening: The **Helix** campaign is using **vishing**, **device-code phishing**, and **MFA abuse** to break into **SharePoint** environments and steal files, exposing victim organizations t...

Kali365 Microsoft 365 device-code phishing campaign

Campaign
H score46 First: 25.05.2026 15:45 Last: 25.05.2026 15:45 Sources 1

About this happening: A **Kali365** phishing campaign is targeting **Microsoft 365** environments worldwide with **device-code login lures**, putting accounts at risk of **token theft** and **MFA bypas...

CypherLoc phishing-led browser scareware campaign

Campaign
H score49 First: 20.05.2026 13:00 Last: 20.05.2026 13:00 Sources 1

About this happening: The **CypherLoc** operation has driven **around 2.8 million attacks** since the start of **2026**, using **phishing emails** to send users to malicious pages that lock browsers an...

W3LL Microsoft 365 adversary-in-the-middle phishing campaign

Campaign
H score39 First: 13.04.2026 21:55 Last: 13.04.2026 21:55 Sources 1

About this happening: The **W3LL** phishing operation turned into a high-volume **Microsoft 365** credential-theft campaign, exposing **more than 17,000 victims worldwide** to **BEC** risk. The kit use...

OAuth device-code phishing campaign targeting SaaS accounts

Campaign
H score43 First: 04.04.2026 17:17 Last: 04.04.2026 17:17 Sources 1

About this happening: A **device code phishing** campaign now includes **EvilTokens**, a **phishing-as-a-service** kit sold on **Telegram** that uses the **OAuth 2.0 device authorization flow** to hija...

Timeline

  1. 09.07.2026 17:39 2 articles · 9h ago

    Forg365 targets Microsoft 365 accounts with AiTM and device-code phishing

    Initial Disclosure

    Forg365 is a phishing-as-a-service platform that targets Microsoft 365 accounts with adversary-in-the-middle and device-code phishing, AI-assisted lure generation, and the ForgCookie browser extension for refreshing Microsoft SSO cookies to keep access to compromised Microsoft services. The platform dashboard supports campaign creation, phishing-link management, OAuth app and SMTP profile configuration, token and cookie management, AI-generated phishing email content, and mailbox keyword monitoring.

    Show sources