ARToken: Inside an EvilTokens affiliate panel targeting Microsoft 365
Talos has identified "ARToken," a phishing-as-a-service platform that targets Microsoft 365. The ARToken panel exposes 80+ API endpoints for device code phishing, Primary Refresh Token persistence, email access, BEC operations, and SharePoint exfiltration.
AI Analysis (machine-generated threat intelligence)
Technical Summary
Cisco Talos discovered ARToken, a fully featured phishing-as-a-service platform targeting Microsoft 365, which shares infrastructure, API contracts, and operational models with the EvilTokens platform documented earlier in 2026. ARToken abuses Microsoft's OAuth 2.0 Device Authorization Grant to capture tokens while bypassing MFA. The platform exposes 80+ API endpoints for device code phishing, Primary Refresh Token persistence, email and SharePoint access, and business email compromise workflows, all accessible via a React-based dashboard. It employs a seven-layer client-side anti-analysis system and XOR-encrypted JavaScript payloads to evade detection. ARToken's affiliate panel lets operators refresh and escalate tokens, manage compromised mailboxes, create inbox rules, and perform lateral phishing. The platform automates phishing lure deployment through Cloudflare Workers and integrates with Cloudflare's API for infrastructure management. Additional features include cross-account keyword monitoring, token import/export, shared access links, and geo-dynamic lure templates. ARToken represents a mature, subscription-based PhaaS environment that facilitates targeted, high-fidelity phishing campaigns with persistent access capabilities.
Potential Impact
The ARToken platform enables attackers to bypass multi-factor authentication by abusing OAuth 2.0 device code flows, capturing and persisting access tokens for Microsoft 365 accounts. This allows attackers to read victim mailboxes, send email as the victim, create inbox rules that hide malicious activity, and access SharePoint and OneDrive files. The platform supports business email compromise operations and lateral phishing, increasing the risk of financial fraud and data exfiltration. Persistent token access survives password resets, complicating remediation. The service's automation and multi-tenant model facilitate scalable, targeted phishing campaigns against organizations using Microsoft 365.
Mitigation Recommendations
No official patch or fix applies, since this is a phishing-as-a-service platform abusing legitimate OAuth flows rather than a software vulnerability. Organizations should rely on Microsoft’s security controls and guidance for detecting and mitigating OAuth abuse and device code phishing. Users should be trained to recognize sophisticated phishing lures, especially those abusing vendor relationships and legitimate SharePoint URLs. Monitoring for suspicious token activity and enforcing Conditional Access policies that limit OAuth token scopes and lifetimes can help reduce risk. Because this is an external threat platform, remediation focuses on detection and response rather than patching. Check Microsoft's vendor advisories for updated mitigation recommendations regarding OAuth device code phishing attacks.
Technical Details
- Article Source: https://blog.talosintelligence.com/artoken-inside-an-eviltokens-affiliate-panel-targeting-microsoft-365/ (fetched 2026-07-01T10:14:45.214Z; 1689 words)
Threat ID: 6a44e89527e9c79719527afc
Added to database: 07/01/2026, 10:14:45 UTC
Last enriched: 07/01/2026, 10:14:53 UTC
Last updated: 07/02/2026, 03:23:46 UTC