Cisco Talos uncovered ARToken, an affiliate platform tied to EvilTokens that appears to function as a “business email compromise-as-a-service” environment for phishing Microsoft 365 accounts and bypassing multi-factor authentication. The toolkit adds mature BEC features like inbox rule manipulation, shared access links, and a seven-layer anti-analysis system, with targeted lures abusing real vendor relationships and invoicing themes.
Key points
- Cisco Talos identified ARToken as an affiliate platform linked to EvilTokens.
- ARToken appears to enable business email compromise operations at scale.
- The platform includes inbox rule manipulation and shared access link features.
- ARToken uses a seven-layer anti-analysis system to evade detection.
- The phishing lures impersonate real vendor contacts and target accounts-payable staff.
Read More: https://cyberscoop.com/artoken-bec-platform-cisco-talos/