IntelSecurity IncidentIT
HIGHSecurity Incident·priority

AI-powered phishing, elite NSA hacking relabeling, and new ransomware—are cyber threats accelerating?

Intelrift Intelligence Desk·Thursday, July 9, 2026 at 03:06 PMEurope7 articles · 7 sourcesLIVE

A new phishing-as-a-service platform called Forg365 is being marketed to steal Microsoft 365 accounts by combining adversary-in-the-middle (AiTM) and device code techniques, while using AI-assisted lure generation to improve conversion rates. The report frames Forg365 as a turnkey capability that lowers the skill barrier for credential theft and session hijacking, targeting one of the most widely deployed enterprise identity stacks. In parallel, cybersecurity researchers flagged a new ransomware family, GodDamn, which uses a PoisonX kernel driver to disable endpoint defenses as part of its defense-evasion workflow. Separately, the NSA reportedly revived the “Tailored Access Operations” (TAO) name for its elite hacking unit, changing the moniker from the Office of Computer Network Operations (CNO) back to TAO. Taken together, the cluster points to a cyber threat environment where offensive tooling is becoming more automated and scalable, while major intelligence services continue to refine operational branding and tradecraft. Forg365’s focus on Microsoft 365 implies that the most valuable “crown jewels” for many organizations—identity, email, and collaboration—are being targeted through increasingly efficient social-engineering funnels. GodDamn’s kernel-driver approach suggests attackers are investing in deeper host-level control rather than relying solely on user-clicked malware, which raises the likelihood of faster containment failures. The NSA’s TAO relabeling is not a policy change by itself, but it signals continuity of high-end access operations that can shape defensive priorities for governments and critical infrastructure operators. Market and economic implications are likely to concentrate in cybersecurity spending, cloud identity security, and endpoint protection. Enterprises may increase budgets for Microsoft 365 hardening, conditional access, phishing-resistant authentication, and EDR/AV upgrades, which can support vendors tied to identity governance and endpoint defense. While the articles do not provide direct price moves, the risk profile can translate into higher demand for incident response services and managed detection and response (MDR), and potentially into elevated insurance premiums for cyber risk. On the AI side, OpenAI’s claim of a 54% token-efficiency improvement for agentic coding and Meta’s push into AI coding markets intensify the competitive pressure to deploy faster automation—benefiting both legitimate developers and, potentially, adversaries who can weaponize similar capabilities. What to watch next is whether defenders see a measurable uptick in Microsoft 365 account takeovers using AiTM/device-code flows, and whether GodDamn samples expand beyond initial victims with repeatable driver-based disablement. Key indicators include spikes in anomalous device-code approvals, unusual OAuth consent patterns, and endpoint telemetry consistent with PoisonX driver behavior. For executives, trigger points should include any detection of TAO-linked threat activity in intelligence feeds, plus internal audit findings showing gaps in MFA coverage, token binding, and endpoint tamper protections. Over the next days to weeks, the escalation path depends on whether Forg365’s PaaS adoption grows and whether ransomware operators successfully chain initial access into rapid lateral movement and encryption—raising the probability of broader operational disruption.

Geopolitical Implications

  • 01

    Identity-centric targeting (Microsoft 365) increases cross-border cyber risk for governments and multinational firms, raising the likelihood of diplomatic friction after incidents.

  • 02

    Kernel-driver ransomware suggests a shift toward more persistent, system-level compromise that can disrupt critical services and complicate attribution and response.

  • 03

    Intelligence-service operational continuity (NSA TAO) can influence defensive postures and procurement priorities across allied states.

  • 04

    Privacy enforcement (Italy’s fine) highlights regulatory pressure on AI deployments, which can affect how quickly AI tools are adopted and monitored.

Key Signals

  • Telemetry spikes in device-code approvals and anomalous OAuth consent patterns tied to Microsoft 365 sessions
  • Endpoint detections consistent with PoisonX driver behavior and subsequent security-tool disablement
  • Threat-intel reporting of Forg365 infrastructure expansion and reuse of lure templates
  • Regulatory follow-on actions in Europe regarding age checks and AI governance for conversational systems

Topics & Keywords

Forg365phishing-as-a-serviceMicrosoft 365AiTMdevice codeGodDamn ransomwarePoisonX driverNSA TAOTailored Access OperationsCharacter.AI age-checkForg365phishing-as-a-serviceMicrosoft 365AiTMdevice codeGodDamn ransomwarePoisonX driverNSA TAOTailored Access OperationsCharacter.AI age-check

Market Impact Analysis

Premium Intelligence

Create a free account to unlock detailed analysis

AI Threat Assessment

Premium Intelligence

Create a free account to unlock detailed analysis

Event Timeline

Premium Intelligence

Create a free account to unlock detailed analysis

Related Intelligence

Full Access

Unlock Full Intelligence Access

Real-time alerts, detailed threat assessments, entity networks, market correlations, AI briefings, and interactive maps.