Cisco Talos uncovered ARToken, a phishing-as-a-service platform that appears to be affiliated with EvilTokens and is built to steal Microsoft 365 tokens and maintain persistent access. The kit supports device code phishing, Primary Refresh Token abuse, and full business email compromise operations against Outlook, SharePoint, and OneDrive accounts. #ARToken #EvilTokens #Microsoft365 #PrimaryRefreshToken #CloudflareWorkers
Keypoints
- Cisco Talos discovered the ARToken phishing platform during an incident response investigation.
- ARToken exposes more than 80 API endpoints through a React-based management panel.
- The platform steals Microsoft 365 authentication tokens and uses Primary Refresh Tokens for persistence.
- It supports device code phishing, Outlook mailbox access, and SharePoint and OneDrive file theft.
- Researchers found strong technical links between ARToken and the EvilTokens phishing service.
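The two token-theft techniques the summary names leave distinct traces in Microsoft Entra ID sign-in logs: a device code phishing sign-in carries `authenticationProtocol = "deviceCode"`, and a replayed Primary Refresh Token shows up as `incomingTokenType = "primaryRefreshToken"` tied to a `deviceDetail.deviceId`. The triage script below is an added example written for this page, not code from Cisco Talos or from the ARToken kit. The field names follow the Microsoft Graph `signIn` resource; the sample records, the device inventory (`KNOWN_DEVICE_IDS`) and the client allowlist (`DEVICE_CODE_ALLOWLIST`) are constructed for the example and are not taken from the report.

```python
"""Triage Microsoft Entra ID sign-in records for the two token-theft patterns
the ARToken write-up names: device code phishing and Primary Refresh Token
(PRT) replay. Field names follow the Microsoft Graph `signIn` resource."""
import json
from typing import Iterable

# Constructed sample records (not real telemetry). One JSON object per line,
# trimmed to the fields the triage logic reads.
SAMPLE_SIGNINS = """
{"userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Office", "resourceDisplayName": "Microsoft Graph", "authenticationProtocol": "deviceCode", "incomingTokenType": "none", "ipAddress": "203.0.113.7", "deviceDetail": {"deviceId": ""}}
{"userPrincipalName": "bob@example.com", "appDisplayName": "Outlook", "resourceDisplayName": "Microsoft Graph", "authenticationProtocol": "none", "incomingTokenType": "primaryRefreshToken", "ipAddress": "198.51.100.20", "deviceDetail": {"deviceId": "9f1c7f2e-1111-4a2a-9a55-aaaaaaaaaaaa"}}
{"userPrincipalName": "carol@example.com", "appDisplayName": "Microsoft Azure CLI", "resourceDisplayName": "Azure Resource Manager", "authenticationProtocol": "deviceCode", "incomingTokenType": "none", "ipAddress": "10.0.0.5", "deviceDetail": {"deviceId": ""}}
{"userPrincipalName": "dave@example.com", "appDisplayName": "Office 365 SharePoint Online", "resourceDisplayName": "Office 365 SharePoint Online", "authenticationProtocol": "none", "incomingTokenType": "primaryRefreshToken", "ipAddress": "192.0.2.44", "deviceDetail": {"deviceId": "5b2d0e3c-2222-4b3b-8b66-bbbbbbbbbbbb"}}
"""

# Hypothetical inventory of device IDs that are Entra-joined or registered and
# therefore expected to hold a PRT. In practice, build it from the tenant's
# device list rather than hard-coding it.
KNOWN_DEVICE_IDS = {"9f1c7f2e-1111-4a2a-9a55-aaaaaaaaaaaa"}

# Hypothetical allowlist of clients for which an interactive device code
# sign-in is routine (headless admin hosts). A device code sign-in by any
# other client, especially an Office client against Microsoft Graph, is the
# pattern a phishing kit produces.
DEVICE_CODE_ALLOWLIST = {"Microsoft Azure CLI"}


def parse_signins(text: str) -> list[dict]:
    """Parse JSON-lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage(records: Iterable[dict],
           known_devices: set[str] = KNOWN_DEVICE_IDS,
           allowlist: set[str] = DEVICE_CODE_ALLOWLIST) -> list[dict]:
    """Return one finding per suspicious sign-in.

    Two checks are applied to every record:
      1. device code grant used by a client that is not on the allowlist;
      2. a PRT presented by a device ID that is absent from the inventory,
         which is what a PRT stolen or minted on an attacker-controlled
         device looks like from the tenant's side.
    """
    findings: list[dict] = []
    for rec in records:
        upn = rec.get("userPrincipalName", "?")
        app = rec.get("appDisplayName", "?")
        ip = rec.get("ipAddress")

        if rec.get("authenticationProtocol") == "deviceCode" and app not in allowlist:
            findings.append({
                "user": upn, "app": app, "ip": ip,
                "reason": "device code sign-in from non-allowlisted client",
            })

        if rec.get("incomingTokenType") == "primaryRefreshToken":
            device_id = (rec.get("deviceDetail") or {}).get("deviceId") or ""
            if device_id not in known_devices:
                findings.append({
                    "user": upn, "app": app, "ip": ip, "deviceId": device_id,
                    "reason": "PRT presented by device not in inventory",
                })
    return findings


def triage_text(text: str) -> list[dict]:
    """Convenience wrapper: parse JSON-lines input and triage it."""
    return triage(parse_signins(text))


if __name__ == "__main__":
    for finding in triage_text(SAMPLE_SIGNINS):
        print(json.dumps(finding))
```

On the constructed sample, the script flags alice (Office client authenticating to Graph via device code) and dave (PRT from a device the tenant does not know), and stays quiet on bob (PRT from an inventoried device) and carol (Azure CLI device code on an admin host). The allowlist is the part that needs tuning per tenant: device code is a legitimate grant for headless tooling, so the signal is the combination of client, resource and source IP, not the grant type alone.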