ARToken: Unpacking the Advanced Toolkit of an EvilTokens Affiliate Targeting Microsoft 365
A new phishing-as-a-service (PhaaS) platform, **ARToken**, has been identified as an affiliate of the notorious **EvilTokens** operation. This sophisticated toolkit offers threat actors an extensive suite of capabilities to compromise **Microsoft 365** accounts, bypass multi-factor authentication, and automate business email compromise (BEC) campaigns.
Cybersecurity researchers at **Cisco Talos** have unveiled **ARToken**, a new phishing-as-a-service (PhaaS) platform exhibiting deep ties to the previously documented **EvilTokens** operation. Discovered during an incident response engagement, **ARToken** provides a comprehensive and advanced toolkit for threat actors targeting **Microsoft 365** environments.
### A Glimpse into the **ARToken Panel**
**Talos** researchers uncovered a React-based management panel, dubbed the "**ARToken Panel**," which exposed over 80 API endpoints. Reverse engineering the client-side JavaScript code revealed an array of previously undocumented capabilities, extending far beyond the typical features found in conventional phishing platforms.
### Advanced Compromise Capabilities
**ARToken** empowers attackers with sophisticated functionalities, including:
* Stealing **Microsoft 365** authentication tokens.
* Establishing persistent access using Primary Refresh Tokens (**PRTs**).
* Accessing **Outlook** mailboxes, **SharePoint** sites, and **OneDrive** files.
* Deploying phishing infrastructure via **Cloudflare Workers**.
* Automating various aspects of business email compromise (BEC) operations.
### Strong Ties to **EvilTokens**
Multiple technical similarities strongly suggest **ARToken**'s affiliation with the **EvilTokens** platform, which gained notoriety earlier this year for its innovative approach to device code phishing. **Talos**' report highlights shared API calls for **Microsoft**'s device code authentication flow, including an identical `POST /api/device/start` request previously associated with **EvilTokens** attacks.
Furthermore, **ARToken** utilizes the same **PRT** API endpoints documented in **Sekoia**'s **EvilTokens** research, covering setup, refreshing, renewing, and reacquiring **PRTs** even after expiration. The platform also employs a similar **Cloudflare Workers** deployment model and operates as a multi-tenant phishing service, allowing affiliates to manage their campaigns through dedicated workspaces.
### The Rise of Device Code Phishing
**EvilTokens**, and by extension **ARToken**, heavily leverage **Microsoft**'s OAuth 2.0 Device Authorization Grant workflow, a technique known as device code phishing. The attacker starts the device code flow and tricks the victim into entering the legitimate **Microsoft**-issued code on **Microsoft**'s official login page. Crucially, because the attacker's client is the one polling for the result, **Microsoft** issues the resulting authentication tokens directly to the attacker; the victim completes MFA themselves on legitimate **Microsoft** infrastructure, so the protection is satisfied rather than broken.
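The practical defensive consequence is that a successful device code sign-in should stand out in sign-in telemetry. The following added example (not from the Talos or Sekoia reports) flags device-code sign-ins and rates them higher when the recorded IP never appears in the user's interactive sign-in history; the record shape loosely follows the Microsoft Graph `signIn` resource (`authenticationProtocol`, `status.errorCode`) and is an assumption, and the records themselves are constructed.

```python
from collections import defaultdict

# Constructed sample of sign-in records (not real telemetry). Field names follow the
# Microsoft Graph signIn resource as an assumption; adapt to your export format.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "ap.clerk@example.com", "ipAddress": "203.0.113.10",
     "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}},
    {"userPrincipalName": "ap.clerk@example.com", "ipAddress": "203.0.113.10",
     "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}},
    # Device code sign-in from an IP this user has never used interactively.
    {"userPrincipalName": "ap.clerk@example.com", "ipAddress": "198.51.100.77",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    # Device code sign-in from an IP that also appears in the user's browser sign-ins
    # (for example an admin using a CLI tool on their usual workstation).
    {"userPrincipalName": "dev.ops@example.com", "ipAddress": "192.0.2.5",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"userPrincipalName": "dev.ops@example.com", "ipAddress": "192.0.2.5",
     "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}},
]


def baseline_ips(records):
    """Map each user to the IPs seen on successful, non-device-code sign-ins."""
    seen = defaultdict(set)
    for r in records:
        if r["status"]["errorCode"] == 0 and r["authenticationProtocol"] != "deviceCode":
            seen[r["userPrincipalName"]].add(r["ipAddress"])
    return seen


def flag_device_code_signins(records):
    """Return one finding per successful device-code sign-in.

    Severity is 'high' when the IP is absent from the user's interactive baseline
    (consistent with tokens being issued to an attacker-controlled client) and
    'medium' otherwise, since device code flow is still unusual for most users.
    """
    baseline = baseline_ips(records)
    findings = []
    for r in records:
        if r["authenticationProtocol"] != "deviceCode" or r["status"]["errorCode"] != 0:
            continue
        user, ip = r["userPrincipalName"], r["ipAddress"]
        known = ip in baseline.get(user, set())
        findings.append({"user": user, "ip": ip,
                         "severity": "medium" if known else "high"})
    return findings


if __name__ == "__main__":
    for finding in flag_device_code_signins(SAMPLE_SIGNINS):
        print(finding)
```

Treat the IP baseline as a heuristic: a legitimate CLI user on a new network will also score high, so pair the finding with conditional access policy that restricts the device code flow where it is not needed.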

**Sekoia** first detailed the **EvilTokens** platform in March, describing it as a commercial phishing service offered for a $1,500 setup fee and a $500 monthly subscription. A follow-up report from **Sekoia** revealed an AI-driven workflow that ingests harvested mailboxes to score financial exposure and then uses AI and Large Language Models (LLMs) to draft and translate BEC campaigns.
**Microsoft** later issued a warning about the platform as device code phishing attacks surged, with many threat actors adopting the technique due to its high success rate against **Microsoft 365** users. The integration of AI to automate fraud is a key differentiator for **EvilTokens** and its affiliates.
### Deeper Dive into **ARToken** Affiliate Functionality
**Talos**' report offers a comprehensive overview of the functionalities available to **EvilTokens** affiliates via **ARToken** post-compromise:
* **Token Management**: Operators can refresh stolen tokens and elevate access to persistent **PRTs**.
* **BEC Tools**: Full **Outlook** mailbox access, the ability to send emails as compromised users, creation of inbox rules for forwarding or hiding messages, simultaneous monitoring of multiple mailboxes for keywords, and downloading email attachments.
* **Data Exfiltration**: Browsing, uploading, downloading, and managing files in victims' **SharePoint** sites and **OneDrive** accounts for data theft or malware delivery.
**ARToken** also unveiled features not previously identified in **EvilTokens** research:
* Monitoring multiple hijacked mailboxes for specific keywords simultaneously.
* Loading tokens stolen from other sources.
* Sharing access to compromised accounts.
* Stealthily setting up inbox rules to hide or delete messages, covering tracks.
* Phishing pages that automatically update content based on the victim's location.

*Source: Cisco Talos*
Analysis of **ARToken**-associated phishing emails reveals attackers impersonating legitimate vendors in invoice-themed lures targeting accounts payable employees. These emails cunningly display what appears to be a legitimate **SharePoint** address, but actually direct victims to a look-alike tenant hosted within the attacker's **Microsoft 365** workspace.
In April, **Push Security** reported a staggering 37-fold surge in device code phishing attacks over the past year, with at least 11 phishing kits now offering this potent technique to cybercriminals. The emergence of platforms like **ARToken** underscores the evolving sophistication of phishing operations and the critical need for robust defense strategies against modern **Microsoft 365** threats.