Forg365 PhaaS industrializes Microsoft 365 credential theft and session hijacking
Threat Actor Meta
Summary
Hide ▲
Show ▼
Forg365 has emerged as a subscription-based phishing platform that lowers the barrier to Microsoft 365 account theft while scaling session hijacking and mailbox abuse. The ecosystem packages lure creation, delivery, evasion, token handling, and post-compromise tooling for low-skill affiliates at industrial scale.
Related Happenings
Triad Nexus investment scam and brand impersonation campaign targeting emerging markets
Campaign
H score33
First: 14.04.2026 15:00
Last: 14.04.2026 15:00
Sources 1
About this happening:
The **Triad Nexus** campaign is continuing to run **large-scale investment scams** and **brand impersonation**, expanding into **emerging markets** and driving higher fraud losses...
Triad Nexus investment scam and brand impersonation campaign targeting emerging markets
CampaignAbout this happening: The **Triad Nexus** campaign is continuing to run **large-scale investment scams** and **brand impersonation**, expanding into **emerging markets** and driving higher fraud losses...
Triad Nexus expands fraud ecosystem and shifts into emerging markets after 2025 US sanctions
Threat Actor Meta
H score43
First: 14.04.2026 15:00
Last: 14.04.2026 15:00
Sources 1
About this happening:
**Triad Nexus** expanded its fraud ecosystem after **US Treasury sanctions in 2025**, increasing operational scale and shifting into **emerging markets**. The network’s use of **U...
Triad Nexus expands fraud ecosystem and shifts into emerging markets after 2025 US sanctions
Threat Actor MetaAbout this happening: **Triad Nexus** expanded its fraud ecosystem after **US Treasury sanctions in 2025**, increasing operational scale and shifting into **emerging markets**. The network’s use of **U...
VENOM closed-access PhaaS operating model limits researcher visibility
Threat Actor Meta
H score18
First: 10.04.2026 00:37
Last: 10.04.2026 00:37
Sources 1
About this happening:
**VENOM** is operating as a **closed-access phishing-as-a-service** platform, reducing researcher visibility while supporting **underground credential theft**. The service targets...
VENOM closed-access PhaaS operating model limits researcher visibility
Threat Actor MetaAbout this happening: **VENOM** is operating as a **closed-access phishing-as-a-service** platform, reducing researcher visibility while supporting **underground credential theft**. The service targets...
EvilTokens PhaaS scales device code phishing for low-skilled cybercriminals
Threat Actor Meta
H score32
First: 04.04.2026 17:17
Last: 04.04.2026 17:17
Sources 1
About this happening:
**EvilTokens** is turning **device code phishing** into a **phishing-as-a-service** market, expanding access for **low-skilled cybercriminals** and accelerating competition among...
EvilTokens PhaaS scales device code phishing for low-skilled cybercriminals
Threat Actor MetaAbout this happening: **EvilTokens** is turning **device code phishing** into a **phishing-as-a-service** market, expanding access for **low-skilled cybercriminals** and accelerating competition among...
Venom Stealer subscription and affiliate malware-service ecosystem
Threat Actor Meta
H score36
First: 01.04.2026 16:30
Last: 01.04.2026 16:30
Sources 1
About this happening:
**Venom Stealer** is being run as a **subscription-based** malware service with **Telegram licensing** and an **affiliate program**, signaling a more organized cybercrime ecosyste...
Venom Stealer subscription and affiliate malware-service ecosystem
Threat Actor MetaAbout this happening: **Venom Stealer** is being run as a **subscription-based** malware service with **Telegram licensing** and an **affiliate program**, signaling a more organized cybercrime ecosyste...
Timeline
-
13.07.2026 16:03 2 articles · 2h ago
Forg365 targets Microsoft 365 accounts with device code phishing and AitM session theft
Initial DisclosureForg365 is a subscription-based phishing-as-a-service platform that targets Microsoft 365 accounts with device code phishing, adversary-in-the-middle (AitM) session theft, antibot evasion, AI-assisted lure creation, and post-compromise mailbox operations. The kit is distributed via Telegram for $400 a month or $3,800 per year, uses legitimate delivery infrastructure such as Amazon SES and Twilio SendGrid, exposes an operator panel at logfriend[.]com/login, and includes the ForgCookie browser extension for continued access to compromised accounts.
Show sources
- Forg365 PhaaS Targets Microsoft 365 with Device Code and AitM Session Theft — thehackernews.com — 13.07.2026 16:03
- Forg365 PhaaS Targets Microsoft 365 with Device Code and AitM Session Theft — thehackernews.com — 13.07.2026 16:03