ARToken: A New PhaaS Armoring EvilTokens’ Microsoft 365 Toolkit

TL;DR Summary
Cisco Talos flags ARToken as a new phishing-as-a-service platform allied with EvilTokens, offering a wide toolkit to steal Microsoft 365 tokens, maintain persistence with Primary Refresh Tokens, and access Outlook, SharePoint, and OneDrive. It uses Cloudflare Workers for deployment, supports multi-tenant campaigns, and includes inbox rules, keyword monitoring, and data exfiltration tools. The kit mirrors EvilTokens’ device-code phishing flow to bypass MFA, with research suggesting a shared ecosystem and AI-enabled workflows that automate BEC-style fraud. Security teams should prioritize behavioral AI defenses and robust email security controls.
Want the full story? Read the original article
Read on BleepingComputer