talos · Crawled Jul 5, 2026

ARToken: Inside an EvilTokens affiliate panel targeting Microsoft 365

AI Summary

Cisco Talos identified ARToken, a phishing-as-a-service (PhaaS) platform affiliated with the EvilTokens infrastructure, targeting Microsoft 365 users via sophisticated device code phishing. The platform offers affiliates a comprehensive toolkit for token theft, persistence via Primary Refresh Tokens (PRT), business email compromise (BEC), and SharePoint/OneDrive exfiltration. ARToken leverages advanced anti-analysis techniques including client-side behavioral verification and XOR-encrypted payloads to evade detection, while operating through Cloudflare Workers and a React-based dashboard for management.

AI-extracted · verify before operational use

Indicators of Compromise (4 extracted)

Type    Value
Domain  dashboard-bl.pamconj.com
Domain  spx.pamconj.com
Domain  clear90489058903-document.workers.dev
Domain  mononapfpcom.sharepoint.com