Threat Advisory

ARToken Phishing Panel Bypasses Login Approval of SharePoint and Business Email Compromise

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High


EXECUTIVE SUMMARY:

A newly identified phishing-as-a-service (PhaaS) panel known as ARToken has emerged as part of the broader EvilTokens ecosystem, targeting Microsoft 365 environments through device-code phishing. The panel is designed to bypass multi-factor authentication by abusing Microsoft's OAuth Device Authorization flow, enabling attackers to capture authentication tokens without directly stealing credentials. The campaign primarily relies on invoice-themed phishing lures impersonating legitimate vendors, increasing trust and improving victim interaction rates. Its structure suggests a mature affiliate-driven model built for scalable business email compromise (BEC) and cloud account abuse, supported through a centralized phishing panel that orchestrates and automates end-to-end attack operations.

The attack chain typically begins with highly targeted phishing emails impersonating legitimate vendors, often themed around invoice processing or payment-related communications. Victims are directed to lookalike SharePoint-hosted URLs that redirect them into a fraudulent device authentication flow. Once engaged, the phishing kit initiates a device authorization request and displays a valid Microsoft device code, prompting the user to authenticate on the official Microsoft device login portal. Upon successful authentication, the attacker receives valid access and refresh tokens. ARToken further enhances persistence by escalating these tokens into Primary Refresh Tokens (PRTs), enabling continued access even after credential resets. The platform also integrates anti-analysis techniques such as behavioral checks, browser fingerprinting, timing validation, and encrypted payload delivery to evade automated security scanners. Beyond credential theft, the panel offers capabilities for email monitoring, inbox rule manipulation, SharePoint and OneDrive file exfiltration, and business email compromise operations.

ARToken represents an advanced evolution of phishing infrastructure by combining legitimate authentication abuse with persistent access mechanisms and full-scale BEC tooling. Its operational maturity, anti-analysis protections, and extensive post-compromise functionality make it a significant threat to organizations heavily reliant on Microsoft 365 services. Defenders should strengthen monitoring of device code authentication flows, enforce conditional access controls, review suspicious token activity, and educate users on identifying deceptive authorization requests to reduce exposure to such token-based phishing campaigns.
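As an added example (not code from this advisory or from the Talos report), the following Python sketches the monitoring the previous paragraph recommends: it picks out sign-ins that completed through the OAuth device-code flow, the point in the attack chain where the attacker receives access and refresh tokens, and correlates them with inbox-rule creation shortly afterwards, which the advisory lists among the panel's post-compromise capabilities. The `authenticationProtocol` field and its `deviceCode` value exist in Entra ID sign-in logs, and `New-InboxRule` is the Exchange operation recorded when a mailbox rule is created; the log records themselves, the flattened field layout, the allowlist of accounts expected to use device-code sign-in and the two-hour correlation window are constructed assumptions for the example.

```python
"""Detection sketch for the device-code token-phishing pattern described above.

Added example for this advisory; it is not code from the advisory or from the
Talos report. All records below are constructed. `authenticationProtocol` with
the value "deviceCode" is a real field in Entra ID sign-in logs, and
`New-InboxRule` is the Exchange operation recorded when a mailbox rule is
created; the other field names and the flattened layout are assumptions.
"""
from datetime import datetime, timedelta

# Constructed sign-in records (not real telemetry).
SIGNIN_LOGS = [
    {"time": "2024-05-02T09:14:00Z", "user": "ap@example.com",
     "ip": "203.0.113.10", "authenticationProtocol": "oAuth2"},
    # A device-code sign-in from an address this account has not used before.
    {"time": "2024-05-02T09:41:00Z", "user": "ap@example.com",
     "ip": "198.51.100.7", "authenticationProtocol": "deviceCode"},
    # A device-code sign-in by an account that legitimately uses CLI tooling.
    {"time": "2024-05-02T11:02:00Z", "user": "dev@example.com",
     "ip": "203.0.113.22", "authenticationProtocol": "deviceCode"},
]

# Constructed mailbox audit records (not real telemetry).
AUDIT_LOGS = [
    {"time": "2024-05-02T09:52:00Z", "user": "ap@example.com",
     "operation": "New-InboxRule",
     "parameters": {"Name": "..", "SubjectContainsWords": "invoice",
                    "MoveToFolder": "RSS Subscriptions"}},
    {"time": "2024-05-03T08:00:00Z", "user": "dev@example.com",
     "operation": "Set-Mailbox", "parameters": {}},
]

# Accounts for which device-code sign-ins are expected (assumed allowlist).
DEVICE_CODE_ALLOWLIST = {"dev@example.com"}


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def device_code_signins(signins, allowlist):
    """Sign-ins that completed via the OAuth device-code flow from accounts
    not expected to use it. In the attack chain described above, this is the
    moment the attacker's device-code request is redeemed for tokens."""
    return [r for r in signins
            if r.get("authenticationProtocol") == "deviceCode"
            and r["user"] not in allowlist]


def correlate_inbox_rules(suspect_signins, audits, window=timedelta(hours=2)):
    """Pair each suspect sign-in with New-InboxRule events by the same user
    inside `window` afterwards. Rules that move or delete mail are rated high
    because inbox-rule manipulation is part of the BEC tooling the advisory
    describes; any other new rule after such a sign-in is rated medium."""
    findings = []
    for s in suspect_signins:
        t0 = parse_ts(s["time"])
        for a in audits:
            if a["user"] != s["user"] or a["operation"] != "New-InboxRule":
                continue
            delta = parse_ts(a["time"]) - t0
            if not (timedelta(0) <= delta <= window):
                continue
            params = a["parameters"]
            hides_mail = any(k in params for k in ("MoveToFolder", "DeleteMessage"))
            findings.append({
                "user": s["user"],
                "signin_time": s["time"],
                "signin_ip": s["ip"],
                "rule_time": a["time"],
                "rule_name": params.get("Name", ""),
                "severity": "high" if hides_mail else "medium",
            })
    return findings


def run(signins=SIGNIN_LOGS, audits=AUDIT_LOGS, allowlist=DEVICE_CODE_ALLOWLIST):
    """Full pipeline: suspect device-code sign-ins joined to inbox-rule events."""
    return correlate_inbox_rules(device_code_signins(signins, allowlist), audits)


if __name__ == "__main__":
    for f in run():
        print(f"[{f['severity']}] {f['user']}: device-code sign-in from "
              f"{f['signin_ip']} at {f['signin_time']}; inbox rule "
              f"{f['rule_name']!r} created at {f['rule_time']}")
```

Run against the constructed records, the script reports one high-severity finding for `ap@example.com` and nothing for the allowlisted account. In a real deployment the two lists would be fed from the Entra sign-in and Exchange audit exports, and the allowlist should be kept short, since every entry on it is an account whose device-code sign-ins go unreviewed.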


THREAT PROFILE:

Tactic                 Technique Id   Technique                               Sub-technique
Resource Development   T1583.006      Acquire Infrastructure                  Web Services
Initial Access         T1566.002      Phishing                                Spearphishing Link
Persistence            T1098.001      Account Manipulation                    Additional Cloud Credentials
Stealth                T1027.002      Obfuscated Files or Information         Software Packing
Stealth                T1497.001      Virtualization/Sandbox Evasion          System Checks
Credential Access      T1528          Steal Application Access Token          -
Lateral Movement       T1550.001      Use Alternate Authentication Material   Application Access Token
Collection             T1114.002      Email Collection                        Remote Email Collection
Impact                 T1531          Account Access Removal                  -


REFERENCES:

The following report contains further technical details:

https://blog.talosintelligence.com/artoken-inside-an-eviltokens-affiliate-panel-targeting-microsoft-365/
