Cisco Talos Exposes ARToken Microsoft 365 Phishing Kit | eSecurity Planet


Cisco Talos uncovered ARToken, a Microsoft 365 phishing platform built for persistent access and BEC attacks.

Written By
Ken Underhill
Jul 1, 2026
3 minute read

Cisco Talos uncovered the ARToken phishing-as-a-service (PhaaS) platform, which appears closely linked to the EvilTokens ecosystem previously documented by Sekoia and Microsoft. 

The research suggests ARToken provides affiliates with a complete platform for compromising Microsoft 365 accounts, maintaining persistence, and launching BEC attacks. 

These findings highlight how cybercriminal platforms continue to mature by combining phishing automation, persistence mechanisms, and post-compromise tooling into a single service.

Key Takeaways

  • Cisco Talos identified ARToken, a phishing-as-a-service (PhaaS) platform closely linked to the EvilTokens ecosystem targeting Microsoft 365 users.
  • ARToken abuses Microsoft’s OAuth device code authentication flow to capture authentication tokens, bypass MFA protections, and enable persistent account access.
  • The platform combines phishing, advanced anti-analysis techniques, token persistence, and business email compromise (BEC) capabilities within a single affiliate platform.
  • Attackers use legitimate-looking SharePoint links, vendor impersonation, and trusted Microsoft infrastructure to increase the likelihood of successful phishing attacks. 

How ARToken Builds on EvilTokens Device Code Phishing 

According to the researchers, ARToken shares API structures, deployment methods, and OAuth 2.0 Device Authorization workflows with EvilTokens.

Device code phishing abuses Microsoft’s legitimate login portal to capture authentication tokens rather than passwords. 

Researchers linked the platforms through identical API contracts, similar Cloudflare Workers deployments, Primary Refresh Token (PRT) workflows, and multi-tenant affiliate management. 

Together, these similarities suggest ARToken operates as part of — or is closely aligned with — the broader EvilTokens ecosystem.

How ARToken Uses Microsoft 365 Phishing Lures 

The researchers also analyzed phishing emails associated with the campaign that impersonated legitimate vendor invoice communications targeting accounts-payable personnel.

Rather than relying on mass phishing, the emails abused existing business relationships to increase credibility. 

Although the links appeared to point to legitimate SharePoint sites, they redirected victims to attacker-controlled Microsoft 365 environments hosted on SharePoint. 

Researchers also observed failed SPF, DKIM, and DMARC validation, reply-to address manipulation, and subtle message variations designed to evade traditional email detection.


ARToken’s Advanced Anti-Analysis and Evasion Techniques 

One notable aspect of ARToken is its extensive anti-analysis framework.

Cisco Talos documented a seven-layer behavioral verification process that attempts to distinguish legitimate users from automated analysis environments. 

The platform checks browser characteristics, automation indicators, user interaction patterns, screen dimensions, elapsed browsing time, and mouse movement behavior before delivering the phishing payload.

The phishing code itself is encrypted using XOR encryption and decrypted within the browser during execution, adding another layer of protection against automated security analysis and URL scanning tools.

These capabilities represent a more sophisticated client-side evasion approach than previously documented in public EvilTokens research.

ARToken Enables Business Email Compromise Operations 

Beyond credential theft, ARToken provides affiliates with an extensive collection of post-compromise capabilities.

Researchers found functionality supporting:

  • Primary Refresh Token persistence for long-term account access
  • Outlook mailbox reading and email sending
  • SharePoint and OneDrive file management
  • Inbox rule creation for forwarding or hiding messages
  • Bulk token management and sharing
  • Cloudflare Worker deployment automation
  • Cross-account keyword monitoring
  • Role-based collaboration between operators

The platform also includes a Windows-based browser that enables attackers to interact with compromised Microsoft 365 sessions using captured authentication tokens.

Several of these capabilities — including token importing, collaborative token sharing, geo-aware phishing templates, and advanced SharePoint operations — extend beyond functionality previously documented in public reporting on EvilTokens.


How to Defend Against ARToken and Microsoft 365 Phishing 

The continued evolution of device code phishing demonstrates that organizations cannot rely solely on multi-factor authentication to protect Microsoft 365 accounts. 

Because victims authenticate through Microsoft’s legitimate login process, traditional credential-based defenses may not detect the attack.

Organizations can reduce risk by:

  • Restricting or monitoring OAuth device code authentication where appropriate.
  • Continuously monitoring token issuance, device registrations, and unusual authentication activity.
  • Reviewing inbox forwarding rules and other persistence mechanisms for unauthorized changes.
  • Monitoring SharePoint and OneDrive activity for abnormal downloads or permission modifications.
  • Training employees to verify invoice requests, carefully inspect embedded SharePoint links, and use a secondary communication channel to validate any payment request.
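The two monitoring steps above (device code sign-ins, and inbox rules that forward or hide mail, the persistence mechanism listed earlier) can be checked with a small triage script. This is an added example, not code from Cisco Talos or eSecurity Planet; it assumes log records exported in the shape of the Microsoft Graph signIn and messageRule resources, and all sample records are constructed.

```python
"""Triage helpers for two signals named in the article: device-code sign-ins
and inbox rules that forward or hide mail. Field names follow the Microsoft
Graph signIn and messageRule resources; every record below is a constructed sample."""
import json

# Constructed Entra ID sign-in records (JSON lines, subset of signIn fields).
SIGNIN_LOG = """\
{"userPrincipalName":"ap.clerk@example.com","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.7","createdDateTime":"2026-06-30T09:12:00Z"}
{"userPrincipalName":"ap.clerk@example.com","authenticationProtocol":"oAuth2","ipAddress":"198.51.100.4","createdDateTime":"2026-06-30T09:20:00Z"}
{"userPrincipalName":"build.svc@example.com","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.9","createdDateTime":"2026-06-30T10:01:00Z"}
"""

# Constructed inbox rules in Graph messageRule shape (hypothetical tenant example.com).
INBOX_RULES = [
    {"displayName": "archive", "actions": {"moveToFolder": "Archive"}},
    {"displayName": ".", "actions": {"markAsRead": True, "delete": True}},
    {"displayName": "fw", "actions": {"forwardTo": [
        {"emailAddress": {"address": "drop@attacker.example"}}]}},
]

def device_code_signins(log_text, allowed_users=()):
    """Return sign-ins that used the device code flow for any user not on
    the allowlist of accounts expected to use it (e.g. CLI/service users)."""
    hits = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        if (rec.get("authenticationProtocol") == "deviceCode"
                and rec["userPrincipalName"] not in allowed_users):
            hits.append(rec)
    return hits

def suspicious_inbox_rules(rules, internal_domain="example.com"):
    """Flag rules that forward/redirect mail outside the tenant, or that hide
    messages (delete, or mark-as-read combined with a move to another folder)."""
    findings = []
    for rule in rules:
        actions = rule.get("actions", {})
        reasons = []
        for act in ("forwardTo", "forwardAsAttachmentTo", "redirectTo"):
            for rcpt in actions.get(act, []):
                addr = rcpt["emailAddress"]["address"].lower()
                if not addr.endswith("@" + internal_domain):
                    reasons.append(f"{act} to external {addr}")
        if actions.get("delete") or (
                actions.get("markAsRead") and "moveToFolder" in actions):
            reasons.append("hides incoming mail")
        if reasons:
            findings.append((rule["displayName"], reasons))
    return findings
```

Feed it a real export and keep the allowlist short: device code flow is legitimate for headless tooling, so sign-ins from accounts-payable or other end-user mailboxes are the ones worth reviewing.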

Bottom Line

Cisco Talos’ analysis illustrates how phishing-as-a-service platforms continue evolving into comprehensive attack ecosystems rather than just standalone phishing kits. 

ARToken combines sophisticated phishing infrastructure, advanced anti-analysis techniques, persistent Microsoft 365 access, and built-in business email compromise tooling within a single affiliate platform.

As phishing platforms like ARToken become more sophisticated and persistent, adopting zero trust solutions can help organizations continuously verify users, limit unauthorized access, and reduce the blast radius of compromised identities.


Ken Underhill is an award-winning cybersecurity professional, bestselling author, and seasoned IT professional. He holds a graduate degree in cybersecurity and information assurance from Western Governors University and brings years of hands-on experience to the field.
