ARToken PhaaS exposes EvilTokens' Microsoft 365 phishing toolkit

BleepingComputer technology

Key Points:

  • Cisco Talos researchers uncovered a new phishing-as-a-service platform called "ARToken," linked to the EvilTokens phishing operation, which targets Microsoft 365 accounts by stealing authentication tokens and enabling persistent access.
  • ARToken offers advanced features including token refresh and elevation, mailbox and file access across Outlook, SharePoint, and OneDrive, automated business email compromise (BEC) tools, and deployment of phishing infrastructure via Cloudflare Workers.
  • The platform exploits Microsoft's OAuth 2.0 Device Authorization Grant workflow through device code phishing, tricking victims into providing device codes that grant attackers authentication tokens, effectively bypassing multi-factor authentication.
  • ARToken shares multiple technical similarities with EvilTokens, such as API endpoints and deployment models, and incorporates AI-driven automation to streamline fraud, including drafting BEC campaigns and analyzing financial exposure from harvested mailboxes.
  • With device code phishing attacks surging dramatically, security experts recommend using behavioral AI to detect and respond to these sophisticated threats, as traditional email security measures often fail to catch them.
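
A defender-side sketch of triaging the device code sign-ins described in the key points above. This is an added example, not code from the article or from Cisco Talos. The flattened field names are modelled on Entra ID sign-in log exports and are assumptions, as are the allowlist, the 30-minute window and the "new IP after device code sign-in" heuristic; all log records are constructed.

```python
import json
from datetime import datetime, timedelta

# Constructed sample sign-in records (JSON lines); field layout is an assumption.
SAMPLE_LOG = """\
{"createdDateTime":"2025-01-10T09:00:00Z","userPrincipalName":"alice@example.com","authenticationProtocol":"none","ipAddress":"198.51.100.10","errorCode":0}
{"createdDateTime":"2025-01-10T09:05:00Z","userPrincipalName":"alice@example.com","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.10","errorCode":0}
{"createdDateTime":"2025-01-10T09:07:00Z","userPrincipalName":"alice@example.com","authenticationProtocol":"none","ipAddress":"203.0.113.77","errorCode":0}
{"createdDateTime":"2025-01-10T10:00:00Z","userPrincipalName":"kiosk@example.com","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.20","errorCode":0}
{"createdDateTime":"2025-01-10T11:00:00Z","userPrincipalName":"bob@example.com","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.30","errorCode":1}
"""

# Hypothetical allowlist: accounts that legitimately sign in from input-constrained devices.
ALLOWED_DEVICE_CODE_USERS = {"kiosk@example.com"}
# Hypothetical correlation window for activity following a device code sign-in.
WINDOW = timedelta(minutes=30)

def parse(text):
    """Parse JSON-lines sign-in records and sort them by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["createdDateTime"].replace("Z", "+00:00"))
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])

def find_suspicious(events):
    """Flag successful device code sign-ins by users outside the allowlist.
    Severity is raised when the same user then signs in successfully from
    a different IP address inside WINDOW."""
    alerts = []
    for i, e in enumerate(events):
        if e["authenticationProtocol"] != "deviceCode" or e["errorCode"] != 0:
            continue  # not a device code sign-in, or it failed
        user = e["userPrincipalName"]
        if user in ALLOWED_DEVICE_CODE_USERS:
            continue  # expected use of the flow
        new_ips = sorted({f["ipAddress"] for f in events[i + 1:]
                          if f["userPrincipalName"] == user and f["errorCode"] == 0
                          and f["ts"] - e["ts"] <= WINDOW
                          and f["ipAddress"] != e["ipAddress"]})
        alerts.append({"user": user, "time": e["createdDateTime"],
                       "severity": "high" if new_ips else "medium",
                       "new_ips": new_ips})
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious(parse(SAMPLE_LOG)):
        print(alert)
```
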
