Cybercriminals have weaponized Microsoft’s own device code authentication flow to hijack Microsoft 365 sessions, and a new phishing-as-a-service kit called Forg365 is making the attack accessible to low-skill hackers. According to researchers at ZeroBEC, who uncovered the platform in early 2026, Forg365 is distributed via Telegram bots and automates the entire device-code phishing process—from tricking victims into entering a legitimate-looking code to capturing authentication tokens that grant full access to email, files, and messages.

The Attack: How Forg365 Exploits Device Codes

Device code authentication exists for a simple reason: not every device has a browser. When you try to sign into a smart TV, a command-line tool, or an IoT gadget with your Microsoft 365 account, the device displays a short alphanumeric code and asks you to visit microsoft.com/devicelogin on a separate device to enter it. Behind the scenes, the device polls Microsoft’s servers, and once you approve the sign-in, it receives a token that grants access without ever handling your password directly.

Forg365 abuses this legitimate flow. An attacker initiates a device code request for a Microsoft 365 tenant—often a generic one—and obtains a user code and a verification URL. The attacker then sends that code to the target, usually through a phishing email or a messaging app, claiming it is needed for a critical security update, a shared document access, or an IT support action. The message includes a link to the real Microsoft login page, making the ruse hard to spot.

When the victim enters the code, they see a standard consent prompt asking them to sign in and grant permissions to an application—often one the attacker controls. Once they approve, the attacker’s device receives a session token that bypasses multifactor authentication entirely. The token can then be used to access the victim’s Microsoft 365 account, including Exchange Online, SharePoint, OneDrive, and Teams, as long as it remains valid.

Forg365 automates this entire workflow. ZeroBEC’s analysis shows that the service is sold as a subscription through Telegram channels, with support for multiple tenants, customizable phishing pages, and real-time token capture. The kit even includes tutorials and technical support, lowering the barrier to entry for would-be attackers who have no programming skills.

Who’s at Risk: Implications for Users and Admins

Device-code phishing does not rely on stealing passwords or cracking MFA. It tricks users into authorizing a malicious device outright. For businesses, the consequences are severe: an attacker with a valid session token can read and exfiltrate emails, search SharePoint libraries, download sensitive files, and impersonate the victim in Teams chats. Because the token remains valid even if the user later changes their password, the breach can persist undetected for hours or days.

For end users: The primary danger is social engineering. Attackers often create urgency—a looming deadline, a fake IT alert, or a request from a manager—to push victims into entering the code without thinking. The phishing message might come from a compromised colleague’s account, making it even more convincing. Once the token is stolen, the user may see no obvious sign of compromise on their end; their session will continue to work normally.

For IT administrators: The challenge is that device-code flows are not easily distinguishable from normal logins in standard sign-in logs. However, Azure AD (now Microsoft Entra ID) does log device-code events. The key indicator is the authentication protocol field showing “device code” or the application ID of the client requesting a token. Many organizations overlook these signals because device code authentication is less common than browser-based or native app sign-ins. Attackers using Forg365 can abuse tenants they control to generate codes, further muddying the logs by not directly targeting the victim’s home tenant until after the token is obtained.

For developers: Applications that use the device code flow—such as PowerShell scripts, CLI tools, or IoT integrations—are not inherently vulnerable, but their reliance on user consent makes them a vector. Developers should ensure their apps register in Entra ID with minimal permissions and clearly identify themselves in consent prompts. Overprivileged app registrations abused in phishing can give attackers a wider foothold.

The Bigger Picture: Phishing-as-a-Service Goes Mainstream

Device-code phishing is not new. Microsoft documented the risk in 2020, and sporadic campaigns have been observed since, including one targeting government agencies in 2023. But the commoditization seen with Forg365 marks a significant shift. By packaging the technique into a ready-to-use Telegram bot, the operators have turned a sophisticated attack into a point-and-click operation.

The rise mirrors other PhaaS trends—like adversary-in-the-middle kits that bypass MFA by proxying logins in real time. As organizations adopt stronger authentication, attackers adapt by moving the point of compromise further down the chain, from passwords to session tokens. Forg365 is part of an ecosystem that now offers phishing kits for almost every cloud platform, sold on the same Telegram channels that trade in stolen credentials and malware.

The use of Telegram as a distribution and control channel is a double-edged advantage for criminals: it provides end-to-end encryption, bot APIs that simplify automation, and a large, pseudonymous user base that makes takedowns difficult. ZeroBEC noted that the Forg365 bots operate 24/7, processing victims across multiple time zones with minimal human oversight.

Defense: What You Can Do Right Now

Eliminating device-code phishing requires a mix of technical controls and user education. Here are the most effective steps for admins, in order of impact:

  1. Audit sign-in logs for device code activity. In the Microsoft Entra admin center (or Azure AD portal), query sign-in logs filtered by “Authentication protocol: Device code.” Look for unusual source IPs, unexpected app IDs, or spikes outside normal usage patterns. If you don’t legitimately use device code authentication, these events should be nonexistent—any occurrence warrants investigation.

  2. Block or restrict device code flows with Conditional Access. If your organization has no need for device code authentication, you can disable it entirely by configuring a Conditional Access policy that blocks the “Device code flow” grant. For those who must allow it, restrict it to trusted locations or compliant devices, and require stronger session controls like continuous access evaluation.

  3. Harden your app registrations. Review any app registrations in your tenant that use the device code grant. Ensure they request the minimum necessary permissions and are published to a limited set of users. Delete unused or overprivileged registrations that attackers could exploit.

  4. Educate users about the “code trap.” Your training should now explicitly cover device code phishing. Teach users that Microsoft or your IT department will never ask them to enter a code on a provided link unless they themselves initiated the request on a device they control. They should treat any unsolicited code prompt as a red flag and report it immediately.

  5. Enable Azure AD Identity Protection. The “unfamiliar sign-in properties” and “token issuer anomaly” detections can flag sessions granted from unexpected locations or through uncommon flows, though they may not catch all device-code tricks. Combine them with automated remediation, like requiring a password change or revoking sessions.

  6. Limit token lifetime. Reduce the validity period of session tokens where possible. In Entra ID, you can configure token lifetime policies—though they apply broadly—to force reauthentication more frequently, which limits the window an attacker can exploit a stolen token.

Looking Ahead

Forg365 will not be the last phishing kit to target cloud authentication protocols. As long as platforms like Microsoft 365 support device code flows—and they must, for the many legitimate scenarios—attackers will find ways to abuse them. Microsoft has improved detection and introduced more granular Conditional Access controls, but the fundamental vulnerability lies in human trust. The most sophisticated technical defenses can be undone by a well-timed phishing message.

The immediate concern is the growing accessibility of these kits on Telegram. When attacks that once required deep knowledge of OAuth flows become a subscription service, the volume of incidents will rise. Organizations that rely solely on MFA as a silver bullet are most at risk. The lesson from Forg365 is clear: protect the session, not just the password.