A brand new phishing-as-a-service (PhaaS) platform known as ‘ARToken’ seems to be working as an affiliate of the EvilTokens phishing platform, giving researchers a glimpse into an intensive toolkit designed to compromise Microsoft 365.
Cisco Talos researchers found the platform whereas investigating phishing infrastructure utilized in incident response operations and recognized a React-based administration panel known as the “ARToken panel” that exposes over 80 API endpoints.
Reverse engineering the client-side JavaScript code revealed beforehand undocumented performance that extends far past what is usually seen in phishing platforms.
This platform permits attackers to steal Microsoft 365 authentication tokens and use main refresh tokens (PRTs) to determine everlasting entry and entry Outlook mailboxes, SharePoint websites, and OneDrive information. It additionally contains instruments to deploy phishing infrastructure and automate many elements of enterprise e-mail compromise (BEC) operations via Cloudflare Staff.
In accordance with Talos’ report, a number of technical similarities strongly recommend that ARToken is said to the EvilTokens phishing platform found earlier this yr.
Researchers found that the ARToken phishing package makes use of the identical API calls as Microsoft’s system code authentication circulate, together with the identical “POST /api/system/begin” requests beforehand related to EvilTokens assaults.
Talos additionally recognized the identical main refresh token API endpoint as documented in Sekoia’s EvilTokens examine. This contains endpoints for organising, refreshing, renewing, and re-obtaining the first refresh token even after it expires.
The platform additionally makes use of an identical Cloudflare Staff deployment mannequin and operates as a multi-tenant phishing service. With this service, associates handle their very own campaigns via a devoted workspace.
EvilTokens focuses on compromising accounts by exploiting Microsoft’s OAuth 2.0 System Authorization Grant authentication workflow, a way often known as system code phishing.
Victims are tricked into getting into a legit Microsoft-issued system code on an official Microsoft system login web page, and Microsoft points an authentication token on to the attacker as an alternative of the sufferer. As a result of the sufferer authenticates via Microsoft’s legit infrastructure, the assault is ready to efficiently bypass multi-factor authentication protections.

Sekoia first documented the EvilTokens platform in March, describing it as a industrial phishing service bought to cybercriminals for a $1,500 setup charge and $500 month-to-month subscription.
In a follow-up report, Sekoia found an AI-driven workflow that ingests collected mailboxes and scores them for monetary threat, makes use of AI and LLM to draft BEC campaigns, and interprets stolen emails for operators working in different languages.
Since then, system code phishing assaults have spiked dramatically, and plenty of attackers have adopted this system on account of its excessive success price in opposition to Microsoft 365 customers, prompting Microsoft to difficulty a warning in regards to the platform.
What units EvilTokens other than different system code phishing kits is that it makes use of AI to automate its fraud.
Throughout the EvilTokens Affiliate Platform
Talos’ report supplies an in depth overview of the options accessible to EvilTokens associates following a profitable account compromise.
As soon as the sufferer completes the system code authentication course of, ARToken permits the operator to refresh the stolen token and elevate entry to a persistent main refresh token (PRT).
Researchers additionally found instruments for finishing up enterprise e-mail compromise assaults, together with full entry to Outlook mailboxes, the flexibility to ship emails as a compromised person, the flexibility to create inbox guidelines to robotically ahead or cover messages, the flexibility to concurrently monitor key phrases in a number of mailboxes, and the flexibility to obtain e-mail attachments.
Attackers also can browse, add, obtain, and handle information saved on victims’ SharePoint websites and OneDrive accounts, permitting them to steal knowledge or ship malware for additional assaults.
ARToken additionally revealed a number of options not recognized in earlier EvilTokens analysis.
Menace actors can concurrently monitor a number of hijacked mailboxes in search of particular key phrases, load tokens stolen from different sources, or share entry to compromised accounts.
They’ll additionally secretly arrange inbox guidelines that cover or delete messages to cover their tracks, or use phishing pages that robotically replace content material primarily based on the sufferer’s location.

Supply: Cisco Talos
Talos additionally analyzed phishing emails associated to the platform and located that attackers impersonated legit distributors with invoice-themed lures concentrating on accounts payable professionals.
Moderately than linking to a website clearly managed by the attacker, the e-mail shows what seems to be a legit SharePoint tackle, however really directs the sufferer to an identical tenant hosted throughout the attacker’s Microsoft 365 workspace.
In April, Push Safety reported that system code phishing assaults have spiked 37x over the previous yr, with not less than 11 phishing kits now providing this system to cybercriminals.
For organizations trying to defend in opposition to the newest Microsoft 365 phishing assaults, enterprise e-mail compromise (BEC), and account takeovers, BleepingComputer is internet hosting a webinar titled “Irregular.” “Cease chasing alerts: Automate your e-mail safety with behavioral AI.”
This webinar explores how attackers use strategies like system code phishing to bypass MFA and compromise accounts, why these assaults bypass conventional e-mail safety controls, and the way behavioral AI may also help safety groups automate the detection, investigation, and remediation of phishing and compromised account exercise.
Safety groups doc 54% of profitable assaults and difficulty a warning on solely 14%. The remaining strikes invisibly via the atmosphere.
Picus’ whitepaper exhibits the way to check your SIEM and EDR guidelines in breach and assault simulations to make sure threats go undetected.
Get the white paper
