ARToken: A New PhaaS Platform Targeting Microsoft 365
Cisco Talos researchers have uncovered ARToken, a newly emerged Phishing-as-a-Service (PhaaS) platform that operates as an affiliate of the EvilTokens phishing ecosystem, first documented by Sekoia in March 2026. The platform is notable for its industrialized approach to device code phishing — a technique that completely bypasses multi-factor authentication — and for incorporating AI-driven tools to automate Business Email Compromise (BEC) campaigns at scale.
Talos discovered the ARToken infrastructure while investigating phishing activity and identified a React-based management panel — the "ARToken Panel" — exposing over 80 API endpoints. Technical analysis confirmed deep ties to EvilTokens: identical API calls implementing Microsoft's device code authentication flow, matching Primary Refresh Token (PRT) endpoints, and a shared Cloudflare Workers deployment architecture.
Device Code Phishing: MFA Bypass by Design
The attack technique at ARToken's core exploits Microsoft's legitimate OAuth 2.0 Device Authorization Grant flow, which was designed to allow authentication on devices without browsers (smart TVs, printers, etc.). The abuse works as follows:
- The attacker initiates an authentication request and receives a device code from Microsoft
- The victim receives a phishing email impersonating a legitimate vendor, directing them to enter the code on Microsoft's own login page (
microsoft.com/devicelogin) - Because the victim interacts only with legitimate Microsoft infrastructure, no suspicious domain is visited
- The attacker receives valid OAuth tokens in the background — completely bypassing MFA
The technique is devastatingly effective because it leverages user trust in Microsoft's own domains and exploits the legitimacy of the authentication flow itself.
Push Security reported a 37-fold surge in device code phishing attacks over the past year as of April 2026. At least 11 phishing kits now offer this capability as a commodity feature, and ARToken is among the most sophisticated implementations.
Post-Compromise Capabilities
Once tokens are harvested, the ARToken platform enables operators to execute a broad set of persistent access and data exfiltration actions:
| Capability | Description |
|---|---|
| Token Theft | Steal and refresh Microsoft 365 OAuth tokens |
| PRT Persistence | Establish persistence via Primary Refresh Tokens |
| Mailbox Access | Read Outlook, SharePoint, OneDrive |
| Inbox Rule Manipulation | Hide or forward messages from the victim |
| Financial Keyword Monitoring | Flag emails mentioning invoices, payments, wire transfers |
| Attachment Exfiltration | Download files from OneDrive and SharePoint |
| Impersonation | Send emails as the compromised user |
The platform's AI-powered BEC module takes this further: it scores the financial exposure of harvested mailboxes, drafts targeted BEC campaigns based on discovered email threads, and translates stolen emails for operators who don't share the victim's language — dramatically lowering the operational burden for non-native English speakers targeting US or UK organizations.
Phishing Lures and Tenant Impersonation
ARToken's phishing lures impersonate legitimate vendors with invoice-themed emails targeting accounts payable staff — the exact personnel with authority to authorize financial transfers. A particularly sophisticated deception is employed at the domain level: the emails display what appears to be a legitimate SharePoint URL, while redirecting victims to a convincing look-alike tenant hosted within the attacker's own Microsoft 365 workspace.
This approach — operating within Microsoft's own infrastructure — makes URL-based detection and email gateway blocking significantly less reliable, as the malicious link may resolve to a *.sharepoint.com or *.onmicrosoft.com subdomain under attacker control.
Pricing and Ecosystem
EvilTokens is priced at a $1,500 setup fee plus $500/month, with ARToken functioning as an affiliate layer on top of that ecosystem. The tiered affiliate model is common in mature PhaaS ecosystems and enables rapid scaling of attack volume without central coordination.
Microsoft issued warnings about device code phishing activity in April 2026 as attack volumes surged, and has since implemented additional friction in the device code flow — but the technique remains viable for unpatched or misconfigured tenants.
Defensive Recommendations
Microsoft 365 administrators can significantly reduce exposure to device code phishing with the following controls:
- Disable Device Code Flow via Conditional Access — Block the OAuth device code grant in Conditional Access policies unless explicitly required for specific device types
- Enable Continuous Access Evaluation (CAE) — Limits token lifetimes and enables real-time revocation
- Deploy phishing-resistant MFA — FIDO2/passkeys are immune to this attack vector; TOTP and SMS are not
- Monitor for anomalous OAuth token activity — Unusual token issuance patterns, especially from new applications, warrant investigation
- Educate accounts payable staff — The primary targets are finance personnel who may not recognize device code phishing lures as suspicious
References
- BleepingComputer: ARToken PhaaS exposes EvilTokens' Microsoft 365 phishing toolkit
- Cisco Talos Research — ARToken Campaign Analysis, July 2026
- Sekoia Threat Intelligence — EvilTokens PhaaS, March 2026
- Microsoft Security Blog — Device Code Phishing Surge Warning, April 2026