TL;DR: A global crackdown on fraud networks led to 5,811 arrests and $293 million in seized assets, while Forg365 used device-code phishing and a persistence extension to keep Microsoft 365 access alive without reauthentication, according to SentinelOne. The pattern shows that identity abuse now spans fraud, human account takeover, and espionage, not just one threat class.
NHIMG editorial — based on content published by SentinelOne: The Good, The Bad, and The Ugly identity and fraud cases
Questions worth separating out
Q: How should security teams reduce device code phishing risk in Microsoft 365 environments?
A: Security teams should limit device-code authentication to approved use cases, pair it with compliant-device requirements, and add sign-in detections for unusual polling, consent, and post-login mailbox activity.
Q: Why do OAuth grants create persistence even after a password is changed?
A: OAuth grants and refresh tokens can remain valid independently of the original password, which means an attacker can keep accessing services without reusing the stolen credential.
Q: What breaks when attackers use trusted authentication flows for initial access?
A: Traditional password-centric controls break because the login itself is no longer the malicious act.
Practitioner guidance
- Restrict high-risk authentication flows Disable device-code authentication unless a business process genuinely requires it, and monitor for unexpected device-code approvals in Entra sign-in logs.
- Review token persistence after compromise When an account is suspected of compromise, revoke OAuth grants, refresh tokens, and active sessions together instead of relying on password resets alone.
- Treat browser-based persistence as an access control issue Look for malicious extensions, hidden OAuth prompts, and other client-side mechanisms that keep reissuing access after the initial phishing event.
What's in the full analysis
SentinelOne's full article covers the operational detail this post intentionally leaves for the source:
- The full fraud section includes the breakdown of Operation First Light 2026, including the coordinated law-enforcement structure and recovery actions.
- The Microsoft 365 section includes the Forg365 workflow, device-code abuse sequence, and the session-persistence mechanics behind ForgCookie.
- The espionage section includes the named malware families, the compromised systems, and the indicators tied to the Pakistani law-enforcement intrusions.
- The source article also adds the operational context behind the arrests, frozen wallets, and cross-border enforcement coordination.
👉 Read SentinelOne's analysis of fraud networks, Forg365 phishing, and espionage activity →
Identity abuse across fraud, phishing, and espionage: what teams missed?
Explore further
Identity abuse is now the common operating layer across fraud, phishing, and espionage. The article is not really about three separate problems. It is about how attackers keep finding ways to convert trust into durable access, whether the target is money, credentials, or intelligence. For practitioners, the conclusion is that identity controls must be designed around abuse of valid access, not only blocked logins.
A few things that frame the scale:
- Only 13% of organisations feel extremely prepared for the reality of agentic AI despite the majority racing toward autonomous adoption, according to the 2026 Infrastructure Identity Survey.
- 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems.
A question worth separating out:
Q: Who is accountable when a compromised identity is used for intrusion and exfiltration?
A: Accountability sits with the teams that own identity lifecycle, access governance, and incident response, because they control the evidence needed to confirm abuse and the controls needed to limit it. Frameworks such as MITRE ATT&CK, NIST incident handling guidance, and zero trust principles all assume identity events can be observed and acted on.
👉 Read our full editorial: Fraud, phishing, and espionage show identity abuse at scale