For years, security teams have talked about AI-powered phishing as something on the horizon. That horizon has arrived — and it’s not just theoretical anymore. It’s showing up baked directly into the criminal tooling attackers use every day.

The latest example is a phishing-as-a-service (PhaaS) platform called Forg365, uncovered by researchers at email security firm ZeroBEC. Forg365 is built to steal Microsoft 365 credentials, and what makes it noteworthy isn’t just what it does — it’s how it does it, and how deeply AI has been woven into the operator’s workflow through AI-powered phishing capabilities.

What Forg365 Does

Forg365 combines two well-established Microsoft 365 attack techniques into one dashboard-driven platform:

  • Device-code phishing — Victims are shown a legitimate-looking Microsoft verification code page and walked through the real OAuth 2.0 device code flow, a method originally designed for devices like smart TVs or IoT hardware that can’t easily handle a normal browser login. Instead of stealing a password, the attacker tricks the victim into authorizing the attacker’s own device.
  • Adversary-in-the-Middle (AiTM) phishing — A proxy sits between the victim and Microsoft’s real login infrastructure, quietly capturing session cookies as authentication happens.

Once an account is compromised, a companion browser extension nicknamed “ForgCookie” keeps the access alive. It silently refreshes Microsoft SSO session cookies in the background, so the attacker doesn’t need to re-phish the victim or worry about a session timing out. That’s persistent access to a victim’s Microsoft 365 environment, running quietly in the background long after the initial click.

The platform also includes an AntiBot layer — encrypted redirectors, bot detection, sandbox checks, and code that changes shape to evade researchers — plus VPN detection that redirects investigators to harmless content instead of exposing the real phishing infrastructure.

Where AI Comes In

Here’s the part that should get every business owner’s attention: Forg365’s dashboard has AI-powered phishing email generation built directly into the same panel used to manage stolen tokens and run post-compromise operations. This integration of AI-powered phishing tools makes the platform exceptionally dangerous.

That means an attacker with relatively limited skill can log into one dashboard, generate a convincing, well-written phishing lure on the spot using AI-powered phishing features, launch the campaign, and manage the stolen accounts — all without ever leaving the interface. The researchers behind the discovery put it plainly: AI doesn’t just make phishing content better, it makes the entire platform cheaper to build and cheaper to operate.

This is the pattern we keep seeing repeat across the threat landscape in 2026. AI-powered phishing isn’t replacing attackers — it’s removing the friction that used to slow them down. Poor grammar and awkward phrasing used to be reliable phishing red flags. Building a slick PhaaS panel used to take real development skill. Both of those barriers are eroding fast thanks to AI-powered phishing advancements.

Why This Matters for Your Business

If your organization relies on Microsoft 365 — and most do — a few things from this report deserve action:

  1. Restrict or disable device-code authentication unless your organization actually has a business need for it. This is a legitimate Microsoft feature being repurposed as an attack vector in AI-powered phishing campaigns.
  2. Monitor Microsoft Entra logs for device-code authentication events. Unexpected device-code sign-ins are a strong indicator of this exact attack pattern.
  3. Watch for anomalies in mailbox rules, new device sign-ins, Authentication Broker activity, and OAuth grants. These are the fingerprints AiTM and device-code attacks leave behind.
  4. Assume session cookies can be stolen even with MFA in place. AiTM attacks are specifically designed to bypass multi-factor authentication by capturing the session after the user has already authenticated.
  5. If compromise is suspected, revoke and refresh all tokens and sessions immediately — a stolen session cookie is just as dangerous as a stolen password.

The Growing Impact of AI-Powered Phishing on Organizations

Beyond the technical details, the rise of AI-powered phishing is fundamentally changing the risk equation for businesses of all sizes. What once required skilled developers and native language proficiency can now be executed by entry-level criminals with access to user-friendly dashboards. This democratization of advanced attacks through AI-powered phishing tools increases both the volume and sophistication of threats targeting Microsoft 365 environments. Organizations must evolve their defenses accordingly, incorporating AI-aware monitoring, regular policy reviews, and ongoing employee training that accounts for these hyper-realistic lures.

This Isn’t an Isolated Incident

Forg365 is the latest entry in a trend we’ve been tracking closely on this blog. AI-powered phishing is showing up across the entire attack lifecycle — not just in phishing content, but in exploit development, agent hijacking, and firewall exploitation. A few recent examples worth revisiting:

Taken together, these stories tell a consistent story: attackers have fully embraced AI as core infrastructure, not a novelty. Forg365 just happens to be the newest, clearest proof point of AI-powered phishing in action.

The Bottom Line

AI-powered phishing platforms like Forg365 lower the skill floor for cybercrime while raising the ceiling on how convincing and persistent attacks can be. For businesses, that means the old assumptions — “our employees can spot a bad phishing email” or “we have MFA, so we’re covered” — no longer hold up on their own.

If it’s been a while since your organization reviewed its Microsoft 365 authentication policies, monitored for device-code abuse, or tested your team against a modern phishing simulation that mimics AI-powered phishing tactics, now is the time. The attackers aren’t waiting, and neither should you. Proactive steps, including advanced email security solutions, behavioral analytics, and regular simulations, are essential to stay ahead.

Concerned about how AI-enabled threats like Forg365 might affect your organization’s Microsoft 365 environment? Contact Us for a free security assessment.