talos · Crawled Jul 5, 2026
ARToken: Inside an EvilTokens affiliate panel targeting Microsoft 365
AI Summary
Cisco Talos identified ARToken, a phishing-as-a-service (PhaaS) platform affiliated with the EvilTokens infrastructure, targeting Microsoft 365 users via sophisticated device code phishing. The platform offers affiliates a comprehensive toolkit for token theft, persistence via Primary Refresh Tokens (PRT), business email compromise (BEC), and SharePoint/OneDrive exfiltration. ARToken leverages advanced anti-analysis techniques including client-side behavioral verification and XOR-encrypted payloads to evade detection, while operating through Cloudflare Workers and a React-based dashboard for management.
AI-extracted · verify before operational use