Forg365-ForgCookie alliance reshapes ransomware ecosystem operations
Threat Actor Meta
Summary
Hide ▲
Show ▼
Forg365 is a phishing-as-a-service (PhaaS) operation built to steal Microsoft 365 accounts with AiTM and device-code phishing, increasing credential-theft risk for organizations that rely on Microsoft identity services. The platform also pairs phishing with AI-assisted lure generation and a browser extension that helps keep access to compromised accounts. That combination lowers the cost of running custom phishing infrastructure and extends attacker persistence after the initial login theft.
Related Happenings
Helix vishing and SharePoint data-extortion campaign
Campaign
H score38
First: 09.07.2026 20:08
Last: 09.07.2026 20:08
Sources 1
About this happening:
The **Helix** campaign is using **vishing**, **device-code phishing**, and **MFA abuse** to break into **SharePoint** environments and steal files, exposing victim organizations t...
Helix vishing and SharePoint data-extortion campaign
CampaignAbout this happening: The **Helix** campaign is using **vishing**, **device-code phishing**, and **MFA abuse** to break into **SharePoint** environments and steal files, exposing victim organizations t...
Kali365 Microsoft 365 device-code phishing campaign
Campaign
H score46
First: 25.05.2026 15:45
Last: 25.05.2026 15:45
Sources 1
About this happening:
A **Kali365** phishing campaign is targeting **Microsoft 365** environments worldwide with **device-code login lures**, putting accounts at risk of **token theft** and **MFA bypas...
Kali365 Microsoft 365 device-code phishing campaign
CampaignAbout this happening: A **Kali365** phishing campaign is targeting **Microsoft 365** environments worldwide with **device-code login lures**, putting accounts at risk of **token theft** and **MFA bypas...
CypherLoc phishing-led browser scareware campaign
Campaign
H score49
First: 20.05.2026 13:00
Last: 20.05.2026 13:00
Sources 1
About this happening:
The **CypherLoc** operation has driven **around 2.8 million attacks** since the start of **2026**, using **phishing emails** to send users to malicious pages that lock browsers an...
CypherLoc phishing-led browser scareware campaign
CampaignAbout this happening: The **CypherLoc** operation has driven **around 2.8 million attacks** since the start of **2026**, using **phishing emails** to send users to malicious pages that lock browsers an...
W3LL Microsoft 365 adversary-in-the-middle phishing campaign
Campaign
H score39
First: 13.04.2026 21:55
Last: 13.04.2026 21:55
Sources 1
About this happening:
The **W3LL** phishing operation turned into a high-volume **Microsoft 365** credential-theft campaign, exposing **more than 17,000 victims worldwide** to **BEC** risk. The kit use...
W3LL Microsoft 365 adversary-in-the-middle phishing campaign
CampaignAbout this happening: The **W3LL** phishing operation turned into a high-volume **Microsoft 365** credential-theft campaign, exposing **more than 17,000 victims worldwide** to **BEC** risk. The kit use...
OAuth device-code phishing campaign targeting SaaS accounts
Campaign
H score43
First: 04.04.2026 17:17
Last: 04.04.2026 17:17
Sources 1
About this happening:
A **device code phishing** campaign now includes **EvilTokens**, a **phishing-as-a-service** kit sold on **Telegram** that uses the **OAuth 2.0 device authorization flow** to hija...
OAuth device-code phishing campaign targeting SaaS accounts
CampaignAbout this happening: A **device code phishing** campaign now includes **EvilTokens**, a **phishing-as-a-service** kit sold on **Telegram** that uses the **OAuth 2.0 device authorization flow** to hija...
Timeline
-
09.07.2026 17:39 2 articles · 9h ago
Forg365 targets Microsoft 365 accounts with AiTM and device-code phishing
Initial DisclosureForg365 is a phishing-as-a-service platform that targets Microsoft 365 accounts with adversary-in-the-middle and device-code phishing, AI-assisted lure generation, and the ForgCookie browser extension for refreshing Microsoft SSO cookies to keep access to compromised Microsoft services. The platform dashboard supports campaign creation, phishing-link management, OAuth app and SMTP profile configuration, token and cookie management, AI-generated phishing email content, and mailbox keyword monitoring.
Show sources
- New Forg365 phishing platform uses AI to target Microsoft 365 accounts — www.bleepingcomputer.com — 09.07.2026 17:39
- New Forg365 phishing platform uses AI to target Microsoft 365 accounts — www.bleepingcomputer.com — 09.07.2026 17:39