EXECUTIVE SUMMARY:
A newly identified phishing-as-a-service (PhaaS) panel known as ARToken has emerged as part of the broader EvilTokens ecosystem, targeting Microsoft 365 environments through device-code phishing. The panel is designed to bypass multi-factor authentication by abusing Microsoft's OAuth Device Authorization flow, enabling attackers to capture authentication tokens without directly stealing credentials. The campaign primarily relies on invoice-themed phishing lures impersonating legitimate vendors, increasing trust and improving victim interaction rates. Its structure suggests a mature affiliate-driven model built for scalable business email compromise (BEC) and cloud account abuse, supported by a centralized phishing panel that orchestrates and automates end-to-end attack operations.
The attack chain typically begins with highly targeted phishing emails impersonating legitimate vendors, usually themed around invoice processing or payment communications. Victims are directed to lookalike SharePoint-hosted URLs that redirect them into a fraudulent device authentication flow. Once engaged, the phishing kit initiates a device authorization request against Microsoft's endpoint and displays the resulting, genuine user code, prompting the victim to enter it on the official Microsoft device login portal. Because the victim signs in, and completes MFA, on the legitimate portal, no credential is ever typed into the attacker's page; the tokens issued for that approval are bound to the device code the kit holds, so once the victim approves, the attacker receives valid access and refresh tokens. ARToken further extends persistence by escalating these tokens into Primary Refresh Tokens (PRTs), enabling continued access even after credential resets. The platform also integrates anti-analysis techniques such as behavioral checks, browser fingerprinting, timing validation, and encrypted payload delivery to evade automated security scanners. Beyond token theft, the panel offers email monitoring, inbox rule manipulation, SharePoint and OneDrive file exfiltration, and business email compromise operations.
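The device authorization exchange described above, as an added example that is not part of the original report and is not code from the ARToken kit. It runs a minimal RFC 8628 authorization server in-process (an assumed stand-in for login.microsoftonline.com, not Microsoft's implementation) beside a minimal kit side. The client_id, the victim UPN and the extra "subject" field in the token response are placeholders, and the 15-minute code lifetime is assumed. The point it makes is the one defenders need: the kit never handles the password or the MFA response, because the victim completes both on the genuine portal, yet the tokens are redeemed with the device_code that only the kit holds.

```python
"""Stand-in OAuth 2.0 device authorization flow (RFC 8628), modelled on the exchange a
device-code phishing kit drives against Microsoft Entra ID.  Runs fully in-process."""
import secrets
import string
import time
from dataclasses import dataclass
from typing import Dict, Optional

# A real kit POSTs to https://login.microsoftonline.com/common/oauth2/v2.0/{devicecode,token};
# nothing here connects anywhere.
DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"


@dataclass
class Pending:
    client_id: str
    scope: str
    user_code: str                      # short code the victim types on the real portal
    expires_at: float
    approved_by: Optional[str] = None   # UPN of the user who approved it
    tokens_issued: bool = False


class StandInAuthServer:
    """Minimal RFC 8628 authorization server (assumption: stand-in only, not Microsoft's)."""

    def __init__(self, lifetime_s: int = 900):  # 15 min, assumed code lifetime
        self.lifetime_s = lifetime_s
        self._pending: Dict[str, Pending] = {}  # keyed by the secret device_code

    def devicecode(self, client_id: str, scope: str) -> dict:
        device_code = secrets.token_urlsafe(32)  # secret handle, never leaves the kit
        user_code = "".join(secrets.choice(string.ascii_uppercase + string.digits)
                            for _ in range(9))
        self._pending[device_code] = Pending(client_id, scope, user_code,
                                             time.time() + self.lifetime_s)
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://microsoft.com/devicelogin",
                "expires_in": self.lifetime_s, "interval": 5}

    def user_approves(self, user_code: str, upn: str) -> bool:
        """Victim, already signed in (MFA included) on the legitimate portal, types the
        user_code.  The kit sees neither the password nor the MFA response."""
        for p in self._pending.values():
            if p.user_code == user_code and p.approved_by is None and time.time() < p.expires_at:
                p.approved_by = upn
                return True
        return False

    def token(self, grant_type: str, device_code: str, client_id: str) -> dict:
        p = self._pending.get(device_code)
        if grant_type != DEVICE_CODE_GRANT:
            return {"error": "unsupported_grant_type"}
        if p is None or p.client_id != client_id or p.tokens_issued:
            return {"error": "invalid_grant"}           # unknown, wrong client, or already redeemed
        if time.time() >= p.expires_at:
            return {"error": "expired_token"}
        if p.approved_by is None:
            return {"error": "authorization_pending"}   # caller keeps polling every `interval` s
        p.tokens_issued = True
        return {"token_type": "Bearer", "scope": p.scope, "expires_in": 3600,
                "access_token": "eyJ.stand-in." + secrets.token_hex(8),
                "refresh_token": "0.stand-in." + secrets.token_hex(8),  # granted via offline_access
                "subject": p.approved_by}  # not in a real response; lets the scenario show who approved


def kit_start(server: StandInAuthServer, client_id: str, scope: str):
    """Kit side, step 1: request the code before the victim lands, then embed the
    genuine user_code in the lookalike invoice page."""
    resp = server.devicecode(client_id, scope)
    lure = f"To open your invoice, enter code {resp['user_code']} at {resp['verification_uri']}"
    return lure, resp


def kit_poll(server: StandInAuthServer, client_id: str, device_code: str, max_polls: int = 3) -> dict:
    """Kit side, step 2: poll the token endpoint with the device_code until the victim approves."""
    resp = {"error": "authorization_pending"}
    for _ in range(max_polls):
        resp = server.token(DEVICE_CODE_GRANT, device_code, client_id)
        if resp.get("error") != "authorization_pending":
            break
        # a real kit sleeps `interval` seconds here; omitted so the scenario runs instantly
    return resp


def run_scenario() -> dict:
    """Constructed scenario: placeholder client_id, fictitious victim UPN."""
    server = StandInAuthServer()
    client_id = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real app id
    scope = "openid offline_access https://graph.microsoft.com/.default"
    lure, dc = kit_start(server, client_id, scope)
    before = kit_poll(server, client_id, dc["device_code"], max_polls=1)   # victim not there yet
    approved = server.user_approves(dc["user_code"], "victim@example.com")  # victim follows the lure
    after = kit_poll(server, client_id, dc["device_code"])                  # kit now holds tokens
    replay = kit_poll(server, client_id, dc["device_code"], max_polls=1)    # code is single-use
    return {"lure": lure, "before": before, "approved": approved, "after": after, "replay": replay}
```

Two details in the scenario carry over to real incidents: the refresh_token is only issued because the kit requested offline_access, so the scopes in the tenant's sign-in record for the device-code sign-in are worth reading; and the code is single-use and short-lived, which is why kits request it only once the victim has clicked and then poll aggressively.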
ARToken represents an advanced evolution of phishing infrastructure by combining legitimate authentication abuse with persistent access mechanisms and full-scale BEC tooling. Its operational maturity, anti-analysis protections, and extensive post-compromise functionality make it a significant threat to organizations heavily reliant on Microsoft 365 services. Defenders should monitor device code authentication flows, restrict or block the device code flow through Conditional Access for users and apps that have no need for it, review suspicious token activity, and educate users on identifying deceptive authorization requests to reduce exposure to such token-based phishing campaigns.
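An added detection example for the first recommendation above (monitoring device code sign-ins and the inbox rule manipulation that follows token theft); it is not from the original report. It runs over constructed Entra ID sign-in records and unified audit log records embedded inline. Field names follow the Microsoft Graph signIn resource (authenticationProtocol, appDisplayName, status.errorCode) and the Exchange audit schema (Operation, UserId, Parameters); the allowlist of apps expected to use the device code flow and the 24-hour correlation window are assumptions for an example tenant.

```python
"""Detection over constructed Entra ID sign-in and Exchange audit records: flag successful
device-code sign-ins, rank them by whether the app is expected to use the flow, and escalate
when the same user creates an inbox rule within a window after the sign-in."""
import json
from datetime import datetime, timedelta
from typing import List

# Assumption: apps this example tenant legitimately uses with the device code flow.
ALLOWED_DEVICE_CODE_APPS = {"Microsoft Azure CLI"}
RULE_WINDOW = timedelta(hours=24)  # assumed correlation window

# Constructed sign-in events (subset of Graph signIn fields), one JSON object per line.
SIGNIN_LOG = """
{"createdDateTime": "2024-05-06T09:12:00Z", "userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.5", "status": {"errorCode": 0}}
{"createdDateTime": "2024-05-06T09:15:00Z", "userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Azure CLI", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7", "status": {"errorCode": 0}}
{"createdDateTime": "2024-05-06T09:20:00Z", "userPrincipalName": "carol@example.com", "appDisplayName": "Microsoft Office", "authenticationProtocol": "authorizationCode", "ipAddress": "198.51.100.9", "status": {"errorCode": 0}}
{"createdDateTime": "2024-05-06T09:30:00Z", "userPrincipalName": "dave@example.com", "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.6", "status": {"errorCode": 50126}}
{"createdDateTime": "2024-05-06T11:00:00Z", "userPrincipalName": "eve@example.com", "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.7", "status": {"errorCode": 0}}
"""

# Constructed unified audit log records (Exchange mailbox operations).
AUDIT_LOG = """
{"CreationTime": "2024-05-06T10:40:00Z", "UserId": "alice@example.com", "Operation": "New-InboxRule", "Parameters": [{"Name": "SubjectContainsWords", "Value": "invoice;payment"}, {"Name": "DeleteMessage", "Value": "True"}]}
{"CreationTime": "2024-05-01T08:00:00Z", "UserId": "bob@example.com", "Operation": "New-InboxRule", "Parameters": [{"Name": "MoveToFolder", "Value": "Archive"}]}
{"CreationTime": "2024-05-06T12:00:00Z", "UserId": "eve@example.com", "Operation": "Set-Mailbox", "Parameters": []}
"""


def parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def load(text: str) -> List[dict]:
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def detect(signin_text: str, audit_text: str) -> List[dict]:
    """Return one alert per successful device-code sign-in, ordered as logged."""
    rules = [r for r in load(audit_text) if r["Operation"] == "New-InboxRule"]
    alerts = []
    for s in load(signin_text):
        if s.get("authenticationProtocol") != "deviceCode" or s["status"]["errorCode"] != 0:
            continue  # interactive flow, or a device-code attempt the user never completed
        t = parse_ts(s["createdDateTime"])
        severity = "low" if s["appDisplayName"] in ALLOWED_DEVICE_CODE_APPS else "medium"
        reasons = [f"device-code sign-in to {s['appDisplayName']} from {s['ipAddress']}"]
        for r in rules:
            if r["UserId"] != s["userPrincipalName"]:
                continue
            rt = parse_ts(r["CreationTime"])
            if t <= rt <= t + RULE_WINDOW:  # rule created after the sign-in, inside the window
                params = {p["Name"]: p["Value"] for p in r["Parameters"]}
                minutes = int((rt - t).total_seconds() // 60)
                reasons.append(f"New-InboxRule {minutes} min later: {params}")
                severity = "high"  # token theft followed by mailbox tampering, the BEC pattern
        alerts.append({"upn": s["userPrincipalName"], "severity": severity,
                       "when": s["createdDateTime"], "reasons": reasons})
    return alerts
```

The failed attempt by dave is deliberately dropped, but in a live tenant a burst of non-zero errorCode device-code sign-ins across many users is itself a useful early signal that a lure is circulating. Bob's rule predates his sign-in, so it does not escalate; only rules created after the device-code sign-in count.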
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Resource Development | T1583.006 | Acquire Infrastructure | Web Services |
| Initial Access | T1566.002 | Phishing | Spearphishing Link |
| Persistence | T1098.001 | Account Manipulation | Additional Cloud Credentials |
| Defense Evasion | T1027.002 | Obfuscated Files or Information | Software Packing |
| Defense Evasion | T1497.001 | Virtualization/Sandbox Evasion | System Checks |
| Credential Access | T1528 | Steal Application Access Token | - |
| Lateral Movement | T1550.001 | Use Alternate Authentication Material | Application Access Token |
| Collection | T1114.002 | Email Collection | Remote Email Collection |
| Impact | T1531 | Account Access Removal | - |
REFERENCES:
The following reports contain further technical details: