ARToken PhaaS exposes EvilTokens’ Microsoft 365 phishing toolkit

Cisco Talos uncovered ARToken, a phishing-as-a-service platform that appears to be affiliated with EvilTokens and is built to steal Microsoft 365 tokens and maintain persistent access. The kit supports device code phishing, Primary Refresh Token abuse, and full business email compromise operations against Outlook, SharePoint, and OneDrive accounts.

Key points

  • Cisco Talos discovered the ARToken phishing platform during an incident response investigation.
  • ARToken exposes more than 80 API endpoints through a React-based management panel.
  • The platform steals Microsoft 365 authentication tokens and uses Primary Refresh Tokens for persistence.
  • It supports device code phishing, Outlook mailbox access, and SharePoint and OneDrive file theft.
  • Researchers found strong technical links between ARToken and the EvilTokens phishing service.

Read More: https://www.bleepingcomputer.com/news/security/artoken-phaas-exposes-eviltokens-microsoft-365-phishing-toolkit/