Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. ARToken PhaaS Exposes EvilTokens' Microsoft 365 Phishing Toolkit with AI-Powered BEC
ARToken PhaaS Exposes EvilTokens' Microsoft 365 Phishing Toolkit with AI-Powered BEC
NEWS

ARToken PhaaS Exposes EvilTokens' Microsoft 365 Phishing Toolkit with AI-Powered BEC

Cisco Talos has uncovered ARToken, a Phishing-as-a-Service platform affiliated with EvilTokens that weaponizes Microsoft's OAuth device code flow to...

Dylan H.

News Desk

July 4, 2026
4 min read

ARToken: A New PhaaS Platform Targeting Microsoft 365

Cisco Talos researchers have uncovered ARToken, a newly emerged Phishing-as-a-Service (PhaaS) platform that operates as an affiliate of the EvilTokens phishing ecosystem, first documented by Sekoia in March 2026. The platform is notable for its industrialized approach to device code phishing — a technique that completely bypasses multi-factor authentication — and for incorporating AI-driven tools to automate Business Email Compromise (BEC) campaigns at scale.

Talos discovered the ARToken infrastructure while investigating phishing activity and identified a React-based management panel — the "ARToken Panel" — exposing over 80 API endpoints. Technical analysis confirmed deep ties to EvilTokens: identical API calls implementing Microsoft's device code authentication flow, matching Primary Refresh Token (PRT) endpoints, and a shared Cloudflare Workers deployment architecture.

Device Code Phishing: MFA Bypass by Design

The attack technique at ARToken's core exploits Microsoft's legitimate OAuth 2.0 Device Authorization Grant flow, which was designed to allow authentication on devices without browsers (smart TVs, printers, etc.). The abuse works as follows:

  1. The attacker initiates an authentication request and receives a device code from Microsoft
  2. The victim receives a phishing email impersonating a legitimate vendor, directing them to enter the code on Microsoft's own login page (microsoft.com/devicelogin)
  3. Because the victim interacts only with legitimate Microsoft infrastructure, no suspicious domain is visited
  4. The attacker receives valid OAuth tokens in the background — completely bypassing MFA

The technique is devastatingly effective because it leverages user trust in Microsoft's own domains and exploits the legitimacy of the authentication flow itself.

Push Security reported a 37-fold surge in device code phishing attacks over the past year as of April 2026. At least 11 phishing kits now offer this capability as a commodity feature, and ARToken is among the most sophisticated implementations.

Post-Compromise Capabilities

Once tokens are harvested, the ARToken platform enables operators to execute a broad set of persistent access and data exfiltration actions:

CapabilityDescription
Token TheftSteal and refresh Microsoft 365 OAuth tokens
PRT PersistenceEstablish persistence via Primary Refresh Tokens
Mailbox AccessRead Outlook, SharePoint, OneDrive
Inbox Rule ManipulationHide or forward messages from the victim
Financial Keyword MonitoringFlag emails mentioning invoices, payments, wire transfers
Attachment ExfiltrationDownload files from OneDrive and SharePoint
ImpersonationSend emails as the compromised user

The platform's AI-powered BEC module takes this further: it scores the financial exposure of harvested mailboxes, drafts targeted BEC campaigns based on discovered email threads, and translates stolen emails for operators who don't share the victim's language — dramatically lowering the operational burden for non-native English speakers targeting US or UK organizations.

Phishing Lures and Tenant Impersonation

ARToken's phishing lures impersonate legitimate vendors with invoice-themed emails targeting accounts payable staff — the exact personnel with authority to authorize financial transfers. A particularly sophisticated deception is employed at the domain level: the emails display what appears to be a legitimate SharePoint URL, while redirecting victims to a convincing look-alike tenant hosted within the attacker's own Microsoft 365 workspace.

This approach — operating within Microsoft's own infrastructure — makes URL-based detection and email gateway blocking significantly less reliable, as the malicious link may resolve to a *.sharepoint.com or *.onmicrosoft.com subdomain under attacker control.

Pricing and Ecosystem

EvilTokens is priced at a $1,500 setup fee plus $500/month, with ARToken functioning as an affiliate layer on top of that ecosystem. The tiered affiliate model is common in mature PhaaS ecosystems and enables rapid scaling of attack volume without central coordination.

Microsoft issued warnings about device code phishing activity in April 2026 as attack volumes surged, and has since implemented additional friction in the device code flow — but the technique remains viable for unpatched or misconfigured tenants.

Defensive Recommendations

Microsoft 365 administrators can significantly reduce exposure to device code phishing with the following controls:

  • Disable Device Code Flow via Conditional Access — Block the OAuth device code grant in Conditional Access policies unless explicitly required for specific device types
  • Enable Continuous Access Evaluation (CAE) — Limits token lifetimes and enables real-time revocation
  • Deploy phishing-resistant MFA — FIDO2/passkeys are immune to this attack vector; TOTP and SMS are not
  • Monitor for anomalous OAuth token activity — Unusual token issuance patterns, especially from new applications, warrant investigation
  • Educate accounts payable staff — The primary targets are finance personnel who may not recognize device code phishing lures as suspicious

References

  • BleepingComputer: ARToken PhaaS exposes EvilTokens' Microsoft 365 phishing toolkit
  • Cisco Talos Research — ARToken Campaign Analysis, July 2026
  • Sekoia Threat Intelligence — EvilTokens PhaaS, March 2026
  • Microsoft Security Blog — Device Code Phishing Surge Warning, April 2026
#Phishing#Microsoft#BleepingComputer#General#MFA Bypass#Business Email Compromise

Related Articles

Tycoon2FA Hijacks Microsoft 365 Accounts via Device-Code

The Tycoon2FA phishing-as-a-service platform has added device-code phishing to its arsenal and abuses Trustifi click-tracking URLs to bypass Microsoft 365...

5 min read

Microsoft to Roll Out Entra Passkeys on Windows in Late

Microsoft is rolling out passkey support for phishing-resistant passwordless authentication to Microsoft Entra-protected resources from Windows devices...

5 min read

Europol-Coordinated Action Dismantles Tycoon2FA — 330

An international coalition led by Europol and Microsoft has taken down Tycoon2FA, a phishing-as-a-service platform responsible for 87.5 million phishing...

7 min read
Back to all News