Forg365: The $400-a-Month Service That Hijacks Your Work Email
Forg365, a phishing kit sold on Telegram, uses AI to impersonate familiar business tools and steal access to Microsoft 365 accounts.

Key points
- Forg365 is a phishing service offered at $400 per month as of mid-2025.
- The service uses AI to create fake emails mimicking known business tools.
- Blocking device-code authentication can reduce vulnerability to these attacks.
A new threat targeting work emails has emerged, called Forg365. This service sells a complete phishing kit for $400 a month through the messaging app Telegram. As reported by ThreatVectr, Forg365 uses artificial intelligence to craft fake emails that look like they come from business tools many people use daily, such as DocuSign and SharePoint.
The service gives criminals everything they need to hijack a Microsoft 365 account. This includes fake email templates, an automated control panel to manage stolen credentials, and even a tool that keeps access open long after a victim realizes something is wrong.
How does Forg365 work?
Forg365 attacks begin with a fake email, often pretending to be a request for a document approval. When victims click the link, they are directed through several pages before landing on one of two traps.
The first trap is a device-code attack, which tricks the user into entering a code on a seemingly genuine Microsoft login page. However, entering the code authorizes a session controlled by the attacker. The second method is an adversary-in-the-middle attack, where the service secretly relays the victim's real login to capture a session token. This token lets the attacker stay logged in even if the victim resets their password.
Security researchers from ZeroBEC found devices named



