    ARToken PhaaS exposes EvilTokens’ Microsoft 365 phishing toolkit

By admin, July 3, 2026

    A new phishing-as-a-service (PhaaS) platform dubbed “ARToken” appears to operate as an affiliate of the EvilTokens phishing platform, giving researchers a glimpse into an extensive toolkit designed to compromise Microsoft 365.

    Cisco Talos researchers discovered the platform while investigating phishing infrastructure used in an incident response engagement and identified a React-based management panel called “ARToken Panel” that exposed more than 80 API endpoints.

Reverse engineering the panel’s client-side JavaScript revealed previously undocumented capabilities that go well beyond what is typically found in a phishing kit.


    The platform allows attackers to steal Microsoft 365 authentication tokens, establish persistent access using Primary Refresh Tokens (PRTs), and access Outlook mailboxes, SharePoint sites, and OneDrive files. It also includes tools to deploy phishing infrastructure through Cloudflare Workers and automate many aspects of business email compromise (BEC) operations.

    According to Talos’ report, multiple technical similarities strongly suggest ARToken is tied to the EvilTokens phishing platform discovered earlier this year.

    The researchers found the ARToken phishing kit uses the same API calls for Microsoft’s device code authentication flow, including an identical `POST /api/device/start` request previously associated with EvilTokens attacks.

    Talos also identified the same primary refresh token API endpoints documented in Sekoia’s EvilTokens research, including the endpoints for setting up, refreshing, renewing, and reacquiring Primary Refresh Tokens, even after they expire.

    The platform also uses a similar Cloudflare Workers deployment model and operates as a multi-tenant phishing service, in which affiliates manage their own campaigns through dedicated workspaces.

    EvilTokens focuses heavily on exploiting Microsoft’s OAuth 2.0 Device Authorization Grant authentication workflow to breach accounts, a technique known as device code phishing.

    Victims are tricked into entering a legitimate Microsoft-issued device code on Microsoft’s official device login page, causing Microsoft to issue authentication tokens directly to the attacker instead of the victim. Because the victim authenticates through Microsoft’s legitimate infrastructure, the attacks can successfully bypass multi-factor authentication protections.
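Because the victim signs in on Microsoft’s real login page, the phish leaves its trace in the tenant’s own sign-in logs rather than in mail filters. The following is an added example (not code from the Talos or Sekoia reports) that triages sign-in records for device code logins; the Microsoft Graph signIn field names, the app allow-list and the sample records are assumptions and constructed data.

```python
"""Triage Entra ID sign-in records for device code flow logins.

Added example, not code from the Talos or Sekoia reports. The Microsoft Graph
signIn field names used here and the app allow-list are assumptions; the sample
records are constructed.
"""
from collections import defaultdict

# Apps for which device code sign-in is expected in this org (assumption).
EXPECTED_DEVICE_CODE_APPS = {"Azure CLI"}

def flag_device_code_signins(records, expected_apps=EXPECTED_DEVICE_CODE_APPS):
    """Return (user, app, ip, time) for each device code sign-in by an unexpected app."""
    hits = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        if r.get("appDisplayName") in expected_apps:
            continue
        hits.append((r["userPrincipalName"], r["appDisplayName"],
                     r["ipAddress"], r["createdDateTime"]))
    return hits

def hits_from_unseen_ips(records, hits):
    """Keep flagged sign-ins whose IP never appeared in the user's non-device-code sign-ins.

    The token in a device code phish is redeemed by the attacker's client, not the
    victim's browser, so an unfamiliar source IP is a useful second signal.
    """
    known = defaultdict(set)
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            known[r["userPrincipalName"]].add(r["ipAddress"])
    return [h for h in hits if h[2] not in known[h[0]]]

# Constructed sample records (not real log data).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "ap-clerk@example.com", "appDisplayName": "Microsoft Office",
     "ipAddress": "203.0.113.10", "authenticationProtocol": "oAuth2",
     "createdDateTime": "2026-07-01T08:00:00Z"},
    {"userPrincipalName": "ap-clerk@example.com", "appDisplayName": "Microsoft Office",
     "ipAddress": "198.51.100.7", "authenticationProtocol": "deviceCode",
     "createdDateTime": "2026-07-01T09:14:00Z"},
    {"userPrincipalName": "dev@example.com", "appDisplayName": "Azure CLI",
     "ipAddress": "203.0.113.22", "authenticationProtocol": "deviceCode",
     "createdDateTime": "2026-07-01T10:00:00Z"},
]
```

Run `hits_from_unseen_ips(SAMPLE_SIGNINS, flag_device_code_signins(SAMPLE_SIGNINS))` to see the one suspicious sign-in; the Azure CLI login is allow-listed and the Office login used the standard OAuth flow.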

Microsoft’s device code authentication login form

    Sekoia first documented the EvilTokens platform in March, describing it as a commercial phishing service sold to cybercriminals for a $1,500 setup fee and a $500 monthly subscription.

    In a follow-up report, Sekoia found an AI-driven workflow that ingests harvested mailboxes to score financial exposure, then uses AI and LLMs to draft BEC campaigns and translate stolen emails for operators working in other languages. 

    Microsoft later warned about the platform as device code phishing attacks surged dramatically, and numerous threat actors adopted the technique due to its high success rate against Microsoft 365 users.

    What sets EvilTokens apart from other device code phishing kits is its use of AI to automate fraud.

    Inside an EvilTokens affiliate platform

    Talos’ report provides a detailed overview of the functionality available to EvilTokens affiliates following a successful account compromise.

Once a victim completes the device code authentication process, ARToken allows operators to refresh the stolen tokens and elevate their access to persistent primary refresh tokens (PRTs).

    The researchers also found tools for conducting business email compromise attacks, including full Outlook mailbox access, the ability to send emails as compromised users, the ability to create inbox rules that automatically forward or hide messages, the ability to monitor multiple mailboxes for keywords simultaneously, and the ability to download email attachments.

    Attackers can also browse, upload, download, and manage files stored in victims’ SharePoint sites and OneDrive accounts, enabling data theft and the delivery of malware for additional attacks.

    ARToken also revealed several features not identified in previous EvilTokens research.

    Threat actors can monitor multiple hijacked mailboxes simultaneously for specific keywords, load tokens stolen from other sources, and share access to compromised accounts.

    They can also quietly set up inbox rules that hide or delete messages to cover their tracks, and use phishing pages that automatically update their content based on the victim’s location.
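The inbox rules described here and in the BEC tooling above (hiding or deleting messages, forwarding mail) are recorded as New-InboxRule and Set-InboxRule operations in the Exchange audit log. The following is an added example, not code from the reports cited, that classifies such rule changes; the audit record shape and the keyword list are assumptions and the sample records are constructed.

```python
"""Flag inbox rules that hide or forward mail, from Exchange audit records.
Added example, not from the reports cited above. The audit record shape (Operation,
UserId, Parameters as Name/Value pairs) and the keyword list are assumptions; the
parameter names are those of New-InboxRule; the sample records are constructed."""
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
HIDE_PARAMS = {"DeleteMessage", "MoveToFolder", "MarkAsRead"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
# Invoice-themed words BEC operators tend to match on (assumption; tune per org).
FINANCE_WORDS = ("invoice", "payment", "wire", "bank")

def rule_params(record):
    # Flatten the record's Parameters list into a name -> value dict.
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}

def classify_rule(record):
    """Return (severity, reasons) for a rule-change record; severity is None if benign."""
    if record.get("Operation") not in RULE_OPS:
        return None, []
    p = rule_params(record)
    reasons = []
    if p.keys() & HIDE_PARAMS:
        reasons.append("hides-mail")
    if p.keys() & FORWARD_PARAMS:
        reasons.append("forwards-mail")
    words = (p.get("SubjectContainsWords", "") + " " + p.get("BodyContainsWords", "")).lower()
    if any(w in words for w in FINANCE_WORDS):
        reasons.append("finance-keywords")
    # Forwarding, or hiding mail matched on finance words, is the BEC cover pattern;
    # a plain move-to-folder rule is reported at low severity for analyst review.
    high = "forwards-mail" in reasons or {"hides-mail", "finance-keywords"} <= set(reasons)
    return ("high" if high else ("low" if reasons else None)), reasons

def triage(records):
    """Return (user, rule name, severity, reasons) for each suspicious rule."""
    out = []
    for rec in records:
        severity, reasons = classify_rule(rec)
        if severity:
            out.append((rec["UserId"], rule_params(rec).get("Name", "?"), severity, reasons))
    return out

# Constructed sample audit records (not real log data).
SAMPLE_AUDIT = [
    {"Operation": "New-InboxRule", "UserId": "ap-clerk@example.com", "Parameters": [
        {"Name": "Name", "Value": "Processed"}, {"Name": "DeleteMessage", "Value": "True"},
        {"Name": "SubjectContainsWords", "Value": "invoice;payment"}]},
    {"Operation": "Set-InboxRule", "UserId": "cfo@example.com", "Parameters": [
        {"Name": "Identity", "Value": "fwd"}, {"Name": "ForwardTo", "Value": "smtp:ext@example.net"}]},
    {"Operation": "New-InboxRule", "UserId": "staff@example.com", "Parameters": [
        {"Name": "Name", "Value": "Newsletters"}, {"Name": "MoveToFolder", "Value": "Newsletters"}]},
]
```

`triage(SAMPLE_AUDIT)` rates the first two rules high and the newsletter rule low, so an analyst can prioritise the rules that match the hide-or-forward pattern without drowning in ordinary mailbox housekeeping.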

ARToken phishing emails (Source: Cisco Talos)

    Talos also analyzed phishing emails associated with the platform, finding that attackers impersonated legitimate vendors in invoice-themed lures targeting accounts payable employees.

    Rather than linking to an obviously attacker-controlled site, the emails display what appears to be a legitimate SharePoint address while actually directing victims to a look-alike tenant hosted within the attacker’s Microsoft 365 workspace.

    In April, Push Security reported that device code phishing attacks had surged 37-fold over the past year, with at least 11 phishing kits now offering this technique to cybercriminals.


For organizations looking to defend against modern Microsoft 365 phishing attacks, business email compromise (BEC), and account takeovers, BleepingComputer is hosting a webinar with Abnormal titled “Stop chasing alerts: Automating email security with behavioral AI.”

    The webinar will explore how attackers use techniques such as device code phishing to bypass MFA and compromise accounts, why these attacks evade traditional email security controls, and how behavioral AI can help security teams automate the detection, investigation, and remediation of phishing and compromised account activity.

