ARToken Phishing Platform Exposes Microsoft 365 Token Theft Toolkit
The ARToken phishing platform is a newly discovered phishing-as-a-service tool built to steal Microsoft 365 authentication tokens and support business email compromise attacks.
Researchers at Cisco Talos uncovered ARToken during an incident response investigation into phishing infrastructure. The platform appears to operate as an affiliate or offshoot of EvilTokens, another phishing service focused on Microsoft 365 account compromise.
Talos researchers found a React-based management interface called ARToken Panel. The panel exposed more than 80 API endpoints, giving researchers a detailed look at the platform’s phishing, token theft, mailbox access, and file management features.
ARToken Goes Beyond a Typical Phishing Kit
ARToken does more than host fake login pages.
The platform targets Microsoft 365 authentication tokens and gives attackers tools to maintain access after the initial compromise. It can refresh stolen tokens, elevate access into Primary Refresh Tokens, and help operators keep control of hijacked accounts.
This makes the platform useful for longer business email compromise campaigns, not just one-time credential theft.
Through ARToken, attackers can access Outlook mailboxes, SharePoint sites, and OneDrive files. They can also manage phishing infrastructure, monitor compromised accounts, and run multi-tenant campaigns through dedicated affiliate workspaces.
Links Between ARToken and EvilTokens
Talos found several technical links between ARToken and EvilTokens.
ARToken uses the same Microsoft device code authentication API calls previously connected to EvilTokens. Researchers also found the same Primary Refresh Token-related endpoints that appeared in earlier EvilTokens research.
Both platforms use a similar Cloudflare Workers deployment model. ARToken also appears to support an affiliate structure, where different operators manage their own phishing campaigns through separate workspaces.
These overlaps suggest ARToken may not be a completely separate platform. Instead, it may work as an affiliate version, offshoot, or related service in the same phishing ecosystem.
How Device Code Phishing Works
EvilTokens focuses heavily on Microsoft’s OAuth 2.0 Device Authorization Grant workflow, also known as device code phishing.
In this attack, victims do not enter credentials into a fake login page. Instead, attackers trick them into entering a legitimate Microsoft-issued code on Microsoft’s real device login page.
After the victim signs in, Microsoft issues authentication tokens. Attackers can then abuse those tokens to access the victim’s Microsoft 365 account, bypassing multi-factor authentication.
What ARToken Lets Attackers Do
After a victim completes device code authentication, ARToken gives operators a broad set of account takeover tools.
Attackers can refresh stolen tokens and convert access into persistent Primary Refresh Tokens. They can open Outlook mailboxes, send emails as compromised users, and create inbox rules to forward, hide, or delete messages.
These features make ARToken especially dangerous for business email compromise operations. Attackers could use compromised accounts to impersonate employees, continue vendor conversations, or search for payment-related emails.
SharePoint and OneDrive Access Raises Data Theft Risk
ARToken also includes SharePoint and OneDrive capabilities.
Attackers can browse corporate files stored in Microsoft 365 environments. They can upload, download, and manage files inside compromised accounts.
New ARToken Features Found by Talos
Talos identified ARToken features that earlier EvilTokens research had not documented.
The platform can monitor multiple hijacked mailboxes at once. It can load tokens stolen from other sources and share access to compromised accounts between operators.
ARToken can also create stealthy inbox rules that hide attacker activity. These rules can forward, delete, or suppress messages so victims do not notice suspicious account behavior.
Another notable feature lets operators serve phishing pages that change based on the victim’s location. This can make phishing campaigns look more convincing and harder to detect.
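The two behaviours described above, a device code sign-in followed by an inbox rule that hides or deletes mail, are the pair a defender would want to correlate. The following is an added example, not code from Talos or Windows Report; the log records are constructed, and the field names (`authenticationProtocol`, `New-InboxRule` parameters) are modelled on Microsoft Graph sign-in and unified audit log exports as an assumption to be checked against your own tenant's data.

```python
"""Correlate device-code sign-ins with later hide/forward inbox rules.

Added example. Sample records are constructed; field names are an assumption
modelled on Microsoft Graph signIn and Exchange audit log exports.
"""
from datetime import datetime, timedelta

# Constructed sign-in records: one device-code sign-in, one ordinary OAuth sign-in.
SIGNINS = [
    {"user": "ap.clerk@example.com", "time": "2024-06-03T09:12:00",
     "authenticationProtocol": "deviceCode", "ip": "203.0.113.5"},
    {"user": "ceo@example.com", "time": "2024-06-03T09:20:00",
     "authenticationProtocol": "oAuth2", "ip": "198.51.100.7"},
]
# Constructed mailbox audit events: one rule that silently deletes invoice mail,
# one benign rule that files newsletters.
AUDIT = [
    {"user": "ap.clerk@example.com", "time": "2024-06-03T09:40:00",
     "operation": "New-InboxRule",
     "parameters": {"DeleteMessage": "True", "SubjectContainsWords": "invoice"}},
    {"user": "ceo@example.com", "time": "2024-06-03T10:00:00",
     "operation": "New-InboxRule", "parameters": {"MoveToFolder": "Newsletters"}},
]
# Rule actions that hide or exfiltrate mail from the mailbox owner.
SUSPICIOUS_RULE_PARAMS = {"DeleteMessage", "ForwardTo", "ForwardAsAttachmentTo",
                          "RedirectTo", "MarkAsRead"}

def device_code_signins(signins):
    """Sign-ins that used the OAuth 2.0 device authorization grant."""
    return [s for s in signins if s["authenticationProtocol"] == "deviceCode"]

def suspicious_rule_flags(event):
    """Set of hide/forward actions present on an inbox-rule event (empty if none)."""
    if event["operation"] not in {"New-InboxRule", "Set-InboxRule"}:
        return set()
    return SUSPICIOUS_RULE_PARAMS & set(event["parameters"])

def correlate(signins, audit, window=timedelta(hours=24)):
    """Alert when a device-code sign-in is followed, within `window`, by a
    hide/forward inbox rule created for the same user."""
    alerts = []
    for s in device_code_signins(signins):
        t0 = datetime.fromisoformat(s["time"])
        for e in audit:
            flags = suspicious_rule_flags(e)
            if e["user"] != s["user"] or not flags:
                continue
            delta = datetime.fromisoformat(e["time"]) - t0
            if timedelta(0) <= delta <= window:
                alerts.append({"user": s["user"], "signin_ip": s["ip"],
                               "rule_time": e["time"], "flags": sorted(flags)})
    return alerts

if __name__ == "__main__":
    for alert in correlate(SIGNINS, AUDIT):
        print(alert)
```

Tune the window and the parameter set to your environment; a device-code sign-in on its own is a weaker signal than the sign-in plus a rule that deletes or forwards mail within hours.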
Invoice-Themed Phishing Lures Target Accounts Payable Teams
Talos also found phishing emails connected to the activity.
The emails impersonated legitimate vendors and used invoice-themed lures. Attackers targeted accounts payable employees, a common group for business email compromise because they handle payments, invoices, and vendor communication.
The emails appeared to show legitimate SharePoint links. However, the links redirected victims to a look-alike Microsoft 365 tenant controlled by the attackers.
This tactic can make the phishing attempt look more credible than a basic fake Microsoft login page on an attacker-controlled domain.
Microsoft 365 Device Code Phishing Is Growing
The ARToken discovery highlights a broader increase in device code phishing attacks against Microsoft 365 users.
Attackers favor this method because it can work even when multi-factor authentication is enabled. It also uses Microsoft’s legitimate login flow, which can make the attack harder for users to recognize.
For organizations, the main risk is no longer just stolen passwords. Token theft can give attackers direct access to mailboxes, files, and cloud services without needing the victim’s password again.
In other security news, CISA has warned about an exploited SharePoint flaw, Microsoft has warned Japanese hotels about malicious email complaints, and a malicious Perplexity AI Chrome extension has been removed from the Chrome Web Store.
Via BleepingComputer