ARToken PhaaS Exposes EvilTokens Microsoft 365 Phishing Toolkit
What happened
A new phishing-as-a-service platform called ARToken appears to operate as an affiliate of the EvilTokens phishing platform, exposing a broader toolkit for compromising Microsoft 365 accounts.
Cisco Talos researchers discovered ARToken while investigating phishing infrastructure during an incident response engagement. They identified a React-based management panel called ARToken Panel that exposed more than 80 API endpoints.
Reverse engineering of the client-side JavaScript revealed capabilities that go beyond a typical phishing platform. ARToken allows attackers to steal Microsoft 365 authentication tokens, establish persistent access using Primary Refresh Tokens, access Outlook mailboxes, browse SharePoint and OneDrive files, deploy phishing infrastructure through Cloudflare Workers, and automate business email compromise activity.
Researchers found multiple technical similarities between ARToken and EvilTokens. The ARToken phishing kit uses the same API calls for Microsoft’s device code authentication flow, including the same device-start request previously associated with EvilTokens attacks.
Talos also found the same Primary Refresh Token endpoints documented in earlier EvilTokens research. These endpoints support setting up, refreshing, renewing, and reacquiring Primary Refresh Tokens, including after expiration.
EvilTokens focuses heavily on Microsoft OAuth device code phishing. In this technique, the attacker first requests a device code from Microsoft, then tricks the victim into entering that legitimate, Microsoft-issued code on Microsoft’s official device login page. Once the victim authenticates, Microsoft issues the resulting tokens to the client that requested the code, which is the attacker’s, not to the victim.
Because the victim completes the sign-in, including any MFA prompt, through legitimate Microsoft infrastructure, MFA is satisfied rather than bypassed, and the access and refresh tokens still end up in the attacker’s hands.
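To make the token routing concrete, here is an added Python simulation of the OAuth 2.0 device authorization grant (RFC 8628) with all three parties: the attacker’s kit, the victim, and a stand-in identity provider. It is illustration written for this article, not code from ARToken, EvilTokens, Talos, or Microsoft; the IdentityProvider class, the endpoint and scope names, and the simulate_device_code_phish helper are assumptions, and no network calls are made.

```python
"""Offline simulation of the OAuth 2.0 device authorization grant (RFC 8628),
the flow that EvilTokens-style device code phishing abuses.

Added illustration: IdentityProvider is a stand-in for the /devicecode and
/token endpoints, not Microsoft's real implementation."""
import secrets
import string
import time

USER_CODE_ALPHABET = string.ascii_uppercase + string.digits


class IdentityProvider:
    """Stand-in authorization server. A device code is bound to the client
    that requested it, so tokens are released to that client only."""

    def __init__(self, code_lifetime=900, clock=time.time):
        self.code_lifetime = code_lifetime
        self.clock = clock                 # injectable so expiry can be simulated
        self._pending = {}                 # device_code -> request record
        self._by_user_code = {}            # user_code -> device_code

    def device_authorization(self, client_id, scope):
        """POST /devicecode. Returns the short user_code a human types in and
        the long device_code that only the requesting client holds."""
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))
        self._pending[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "expires_at": self.clock() + self.code_lifetime, "authorized_by": None,
        }
        self._by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example/device",
                "expires_in": self.code_lifetime, "interval": 5}

    def user_login(self, user_code, username, mfa_passed):
        """The human enters user_code on the genuine login page and completes
        MFA. The server cannot tell whether the human requested this code or
        was handed it by a phisher; it only checks that the code is live."""
        device_code = self._by_user_code.get(user_code)
        if device_code is None or not mfa_passed:
            return False
        record = self._pending[device_code]
        if self.clock() >= record["expires_at"]:
            return False
        record["authorized_by"] = username
        return True

    def token(self, client_id, device_code):
        """POST /token with grant_type=urn:ietf:params:oauth:grant-type:device_code.
        Whoever presents device_code (the party that started the flow) gets
        the tokens; the user who approved the code is never consulted again."""
        record = self._pending.get(device_code)
        if record is None or record["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if self.clock() >= record["expires_at"]:
            return {"error": "expired_token"}
        if record["authorized_by"] is None:
            return {"error": "authorization_pending"}
        del self._pending[device_code]
        del self._by_user_code[record["user_code"]]
        return {"token_type": "Bearer", "scope": record["scope"],
                "access_token": secrets.token_urlsafe(24),
                "refresh_token": secrets.token_urlsafe(24),
                "subject": record["authorized_by"]}


def simulate_device_code_phish(idp, attacker_client="phish-kit",
                               victim="ap.clerk@victim.example"):
    """Walk the messages of the attack and return what each side ends up with.
    Client id, victim address and scopes are made-up values."""
    # 1. The attacker's kit, not the victim, asks for the code.
    grant = idp.device_authorization(attacker_client,
                                     "Mail.ReadWrite Files.Read.All offline_access")
    # 2. Until the victim acts, polling only yields authorization_pending.
    first_poll = idp.token(attacker_client, grant["device_code"])
    # 3. The lure delivers user_code; the victim types it on the real page and passes MFA.
    victim_ok = idp.user_login(grant["user_code"], victim, mfa_passed=True)
    # 4. The attacker's next poll collects access and refresh tokens for the victim.
    second_poll = idp.token(attacker_client, grant["device_code"])
    return {"first_poll": first_poll, "victim_login_succeeded": victim_ok,
            "tokens": second_poll}


if __name__ == "__main__":
    result = simulate_device_code_phish(IdentityProvider())
    print("tokens for", result["tokens"]["subject"],
          "delivered to the client that requested the code")
```

The point the simulation makes is in step 4: the identity provider releases tokens to the holder of device_code, and nothing in the victim’s sign-in (password, MFA, the real login page) changes who that holder is. Defences therefore have to act on whether the flow is allowed at all, or on revoking what was issued, not on the strength of the sign-in itself.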
Sekoia previously described EvilTokens as a commercial phishing service sold to cybercriminals for a $1,500 setup fee and a $500 monthly subscription.
ARToken’s exposed panel showed how affiliates can operate after account compromise. The platform supports full Outlook mailbox access, sending emails as compromised users, creating inbox rules to forward or hide messages, monitoring multiple mailboxes for keywords, downloading attachments, and managing SharePoint or OneDrive files.
It also includes features for loading tokens stolen from other sources, sharing access to compromised accounts, and updating phishing page content based on the victim’s location.
Talos also analyzed phishing emails tied to the platform. The emails impersonated legitimate vendors with invoice-themed lures aimed at accounts payable employees. Instead of linking to an obviously malicious site, the emails displayed what appeared to be a legitimate SharePoint address while redirecting victims to a lookalike tenant hosted in the attacker’s Microsoft 365 workspace.
Who is affected
Microsoft 365 organizations are affected if users are targeted by ARToken, EvilTokens, or similar device code phishing campaigns.
Accounts payable employees are especially exposed because the phishing emails observed by Talos used vendor impersonation and invoice-themed lures.
Organizations relying on MFA alone may still be at risk because device code phishing abuses a legitimate Microsoft authentication flow: the victim passes MFA, and the resulting tokens are issued to the attacker.
Compromised accounts can expose Outlook mailboxes, SharePoint sites, OneDrive files, attachments, and internal conversations. They can also be used to send additional phishing emails or conduct business email compromise operations.
Why CISOs should care
ARToken shows how mature Microsoft 365 phishing kits have become. These platforms are no longer limited to stealing passwords. They support token theft, persistent access, mailbox monitoring, inbox rule manipulation, file access, and business email compromise workflows.
For CISOs, device code phishing is especially important because it undermines the assumption that MFA alone will stop account compromise. The victim may complete authentication through a real Microsoft page, but the session tokens are delivered to the attacker.
The Primary Refresh Token functionality also raises the persistence risk. If attackers can refresh and reacquire tokens, they may maintain access even after the initial phishing event unless sessions are revoked and token activity is investigated.
The BEC automation features add business risk. Once attackers can monitor mailboxes for financial keywords, send emails as compromised users, hide messages, and access attachments, they can move from account takeover to invoice fraud, payment diversion, and internal data theft.
3 practical actions
Restrict and monitor device code authentication: ARToken and EvilTokens abuse Microsoft’s device code authentication flow. CISOs should review whether device code flow is needed at all, block it where it is not (Microsoft Entra Conditional Access can target it through its authentication flows condition), scope any exception to the specific applications and groups that need it, and alert on device code sign-ins, unexpected token issuance, and unfamiliar client activity.
Revoke sessions after suspected Microsoft 365 phishing: Password resets alone may not be enough if attackers obtained access tokens, refresh tokens, or Primary Refresh Tokens. Security teams should revoke active sessions, invalidate refresh tokens, review OAuth consents and sign-in activity, and check for suspicious mailbox access. Because a Primary Refresh Token is bound to a registered device, also review devices registered to the account during the incident window.
Hunt for BEC persistence inside compromised mailboxes: ARToken supports inbox rules, mailbox keyword monitoring, attachment downloads, and sending emails as victims. Defenders should review hidden or forwarding inbox rules, unusual sent mail, SharePoint and OneDrive access, mailbox search activity, and suspicious vendor invoice threads.
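As an added example covering the first and third actions above (written for this article, not code from Talos, ARToken, or Microsoft), the following Python flags device code sign-ins in exported sign-in records and hunts for the kind of inbox rules described here. Field names are modelled on the Microsoft Entra sign-in log export (authenticationProtocol, appDisplayName, ipAddress) and on Exchange Online Get-InboxRule output (ForwardTo, RedirectTo, DeleteMessage, MoveToFolder, MarkAsRead, SubjectContainsWords); the sample rows, the internal domain, the keyword and folder lists, the short-name heuristic, and the expected_apps allowlist are all constructed assumptions.

```python
"""Added example: detection logic for two traces this article lists, run over
constructed sample data. Record shapes are modelled on the Entra sign-in log
export and on Exchange Online Get-InboxRule output; the rows are made up."""

INTERNAL_DOMAINS = {"victim.example"}                       # assumption: the tenant's own domain
FINANCE_WORDS = {"invoice", "payment", "wire", "remittance", "bank", "ach"}
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "junk email", "archive", "deleted items"}   # folders owners rarely open

SIGNINS = [  # constructed rows, not real log data
    {"userPrincipalName": "ap.clerk@victim.example", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.8",
     "createdDateTime": "2025-01-14T09:02:11Z"},
    {"userPrincipalName": "ap.clerk@victim.example", "authenticationProtocol": "oAuth2",
     "appDisplayName": "Outlook", "ipAddress": "198.51.100.4",
     "createdDateTime": "2025-01-14T08:40:00Z"},
    {"userPrincipalName": "dev.ops@victim.example", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Azure CLI", "ipAddress": "198.51.100.9",
     "createdDateTime": "2025-01-14T10:15:00Z"},
]

INBOX_RULES = [  # constructed, shaped like Get-InboxRule output
    {"Mailbox": "ap.clerk@victim.example", "Name": ".", "Enabled": True,
     "SubjectContainsWords": ["invoice", "wire"], "MoveToFolder": "RSS Subscriptions",
     "MarkAsRead": True, "DeleteMessage": False, "ForwardTo": [], "RedirectTo": []},
    {"Mailbox": "ap.clerk@victim.example", "Name": "vendor copy", "Enabled": True,
     "SubjectContainsWords": [], "MoveToFolder": None, "MarkAsRead": False,
     "DeleteMessage": False, "ForwardTo": ["billing@lookalike-vendor.example"], "RedirectTo": []},
    {"Mailbox": "hr.lead@victim.example", "Name": "newsletters", "Enabled": True,
     "SubjectContainsWords": ["digest"], "MoveToFolder": "Newsletters", "MarkAsRead": True,
     "DeleteMessage": False, "ForwardTo": ["hr.lead@victim.example"], "RedirectTo": []},
]


def device_code_signins(records, expected_apps=()):
    """Return device-code sign-ins, minus apps where the flow is expected
    (e.g. a CLI an admin team really uses). Everything left merits an alert."""
    expected = {a.lower() for a in expected_apps}
    return [r for r in records
            if r.get("authenticationProtocol") == "deviceCode"
            and r.get("appDisplayName", "").lower() not in expected]


def _external(addresses, internal_domains):
    """Addresses whose domain is not one of the tenant's own."""
    return [a for a in addresses if a.rsplit("@", 1)[-1].lower() not in internal_domains]


def suspicious_inbox_rules(rules, internal_domains=INTERNAL_DOMAINS):
    """Flag rules that leak mail outside the tenant or hide finance-themed mail
    from its owner. Returns (rule, [reasons]) pairs for enabled rules only."""
    findings = []
    for rule in rules:
        if not rule.get("Enabled", True):
            continue
        reasons = []
        leaks = _external(rule.get("ForwardTo", []) + rule.get("RedirectTo", []),
                          internal_domains)
        if leaks:
            reasons.append("forwards/redirects to external address: " + ", ".join(leaks))
        words = {w.lower() for w in rule.get("SubjectContainsWords", [])}
        hides = bool(rule.get("DeleteMessage")) or \
            (rule.get("MoveToFolder") or "").lower() in HIDING_FOLDERS
        if hides and (words & FINANCE_WORDS):
            reasons.append("hides finance-themed mail (" +
                           ", ".join(sorted(words & FINANCE_WORDS)) + ")")
        if hides and rule.get("MarkAsRead"):
            reasons.append("marks hidden mail as read")
        if len(rule.get("Name", "")) <= 2:      # heuristic: BEC rules are often named "." or ","
            reasons.append("near-empty rule name")
        if reasons:
            findings.append((rule, reasons))
    return findings


if __name__ == "__main__":
    for r in device_code_signins(SIGNINS, expected_apps=["Microsoft Azure CLI"]):
        print("device-code sign-in:", r["userPrincipalName"], r["appDisplayName"], r["ipAddress"])
    for rule, reasons in suspicious_inbox_rules(INBOX_RULES):
        print("inbox rule", rule["Mailbox"], repr(rule["Name"]), "->", "; ".join(reasons))
```

On the sample data the sign-in check surfaces the accounts payable user’s device code sign-in from an Office client while letting the admin’s Azure CLI sign-in through, and the rule check flags the two rules on that mailbox (one hiding invoice mail in an RSS folder under a one-character name, one forwarding to a lookalike vendor domain) while leaving the HR newsletter rule alone. Tune the folder and keyword lists to your tenant; the structure of the checks is the transferable part.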