
ARToken PhaaS exposes EvilTokens' Microsoft 365 phishing toolkit

Why This Matters

The emergence of ARToken as a sophisticated phishing platform tied to EvilTokens highlights the increasing complexity and automation in cyber threats targeting Microsoft 365 users. This development underscores the urgent need for enhanced security measures and user awareness to defend against advanced phishing and business email compromise tactics. For consumers and organizations, understanding these threats is crucial to safeguarding sensitive data and maintaining trust in cloud-based services.

Key Takeaways

A new phishing-as-a-service (PhaaS) platform dubbed "ARToken" appears to operate as an affiliate of the EvilTokens phishing platform, giving researchers a glimpse into an extensive toolkit designed to compromise Microsoft 365.

Cisco Talos researchers discovered the platform while investigating phishing infrastructure used in an incident response engagement and identified a React-based management panel called "ARToken Panel" that exposed more than 80 API endpoints.

Reverse engineering the client-side JavaScript code revealed previously undocumented capabilities that extend well beyond what you would normally find in a phishing platform.

The platform allows attackers to steal Microsoft 365 authentication tokens, establish persistent access using Primary Refresh Tokens (PRTs), and access Outlook mailboxes, SharePoint sites, and OneDrive files. It also includes tools to deploy phishing infrastructure through Cloudflare Workers and automate many aspects of business email compromise (BEC) operations.

According to Talos' report, multiple technical similarities strongly suggest ARToken is tied to the EvilTokens phishing platform discovered earlier this year.

The researchers found the ARToken phishing kit uses the same API calls for Microsoft's device code authentication flow, including an identical `POST /api/device/start` request previously associated with EvilTokens attacks.

Talos also identified the same primary refresh token API endpoints documented in Sekoia's EvilTokens research, including the endpoints for setting up, refreshing, renewing, and reacquiring Primary Refresh Tokens, even after they expire.

The platform also uses a similar Cloudflare Workers deployment model and operates as a multi-tenant phishing service, in which affiliates manage their own campaigns through dedicated workspaces.

EvilTokens focuses heavily on exploiting Microsoft's OAuth 2.0 Device Authorization Grant authentication workflow to breach accounts, a technique known as device code phishing.

Victims are tricked into entering a legitimate Microsoft-issued device code on Microsoft's official device login page, causing Microsoft to issue authentication tokens directly to the attacker instead of the victim. Because the victim authenticates through Microsoft's legitimate infrastructure, the attacks can successfully bypass multi-factor authentication protections.
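As an added defensive example (not code from the Talos report or this article), the script below triages sign-in records for completed device code authentications, the flow that device code phishing abuses. It assumes records shaped after the Microsoft Graph `signIn` resource (`authenticationProtocol` equal to `deviceCode`, `status.errorCode` of 0 on success); the sample events and app names are constructed, and the allow-list parameter is a hypothetical convenience for apps that legitimately use the flow.

```python
import json


def _rec(user, ip, app, proto, error_code=0):
    # Build one constructed sign-in record using the Graph `signIn` field names.
    return json.dumps({"userPrincipalName": user, "ipAddress": ip, "appDisplayName": app,
                       "authenticationProtocol": proto, "status": {"errorCode": error_code}})


# Constructed sample events (values invented); a real pipeline reads the Entra ID sign-in logs.
SAMPLE_SIGNINS = "\n".join([
    _rec("alice@example.com", "203.0.113.10", "Microsoft Office", "deviceCode"),
    _rec("bob@example.com", "198.51.100.7", "Microsoft Office", "oAuth2"),
    _rec("alice@example.com", "203.0.113.10", "Microsoft Office", "deviceCode", 50126),  # failed
    _rec("lobby-display@example.com", "192.0.2.5", "Lobby Signage", "deviceCode"),
    "{not valid json",  # malformed line, must be skipped by the parser
])


def parse_signins(text):
    """Parse newline-delimited JSON sign-in records, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def find_device_code_signins(records, allowed_apps=frozenset(), include_failed=False):
    """Return sign-ins that used the OAuth 2.0 device authorization grant.

    Apps that legitimately need device code (headless displays, CLI tools on
    input-constrained hosts) can be allow-listed so the output is a review queue.
    Failed attempts are dropped unless include_failed is set.
    """
    hits = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        if rec.get("appDisplayName") in allowed_apps:
            continue
        succeeded = rec.get("status", {}).get("errorCode") == 0
        if succeeded or include_failed:
            hits.append({"user": rec.get("userPrincipalName"), "ip": rec.get("ipAddress"),
                         "app": rec.get("appDisplayName"), "succeeded": succeeded})
    return hits


if __name__ == "__main__":
    for h in find_device_code_signins(parse_signins(SAMPLE_SIGNINS), allowed_apps={"Lobby Signage"}):
        print(f"device-code sign-in: {h['user']} from {h['ip']} via {h['app']}")
```

Each hit is a candidate for verifying with the user whether they entered a device code on purpose; tenants that never need the flow can also block it outright through a Conditional Access authentication flows condition.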
