Cisco Talos has published a detailed analysis of a phishing-as-a-service (PhaaS) operator panel called ARToken, identifying it as an affiliate offering closely tied to the EvilTokens platform previously documented by Sekoia and Microsoft in early 2026. The panel exposes more than 80 API endpoints covering device code phishing, Primary Refresh Token (PRT) persistence, email access, business email compromise (BEC) operations, and SharePoint data exfiltration, all surfaced through a React-based dashboard.
EvilTokens Background
In March 2026, Sekoia published a two-part analysis of EvilTokens, a PhaaS platform that abuses Microsoft’s OAuth 2.0 Device Authorization Grant (RFC 8628) to capture authentication tokens while bypassing multi-factor authentication entirely. Microsoft confirmed the campaign’s scale in April 2026, noting AI-powered personalized lures, higher success rates than prior device code attacks, and automated device registration for persistent post-compromise access. By that point, Sekoia had catalogued approximately 500 Cloudflare Workers domains and more than 1,000 phishing pages operating under the EvilTokens umbrella. The platform is sold at $1,500 one-time plus $500 per month, with a standalone browser component available for $500 lifetime.
How ARToken Links to EvilTokens
Talos identified the ARToken management panel at dashboard-bl.pamconj[.]com, serving a 1.7MB compiled JavaScript single-page application (SPA). Because SPA architecture exposes all client-side code regardless of authentication state, no credentials were required to analyze the full API surface. The associated C2 operates at spx.pamconj[.]com, with phishing lures deployed through Cloudflare Workers.
The technical ties to EvilTokens are specific and consistent across multiple indicators:
- Identical API contract: ARToken's phishing kit issues `POST /api/device/start` with a JSON body containing `userId`, `clientMode: "broker"`, `login_hint`, and `redirect_url`, receiving back `device_code`, `user_code`, `verification_uri`, and `expires_in` in a format matching EvilTokens exactly as documented by Sekoia.
- Shared broker semantics: The `clientMode: "broker"` parameter instructs the backend to use Microsoft's Authentication Broker (WAM) flow for PRT acquisition. This is not a standard OAuth parameter; it is specific to EvilTokens' persistent token capture implementation.
- Matching deployment model: Both platforms use Cloudflare Workers with UUID-prefixed subdomains to host phishing lures.
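The request/response contract above is specific enough to serve as a network signature. The following is an added example, not code from the Talos report or from the kit itself: it classifies a captured HTTP exchange by checking the path, the non-standard request field set (`userId`, `clientMode`, `login_hint`, `redirect_url`), the `broker` value, and whether the response carries the four fields RFC 8628 requires in a device authorization response. The sample bodies are constructed placeholders, not captured traffic.

```python
import json

# Request fields the kit sends to POST /api/device/start (per the Talos/Sekoia description).
KIT_REQUEST_FIELDS = {"userId", "clientMode", "login_hint", "redirect_url"}
# Fields RFC 8628 section 3.2 requires in a device authorization response.
RFC8628_REQUIRED = {"device_code", "user_code", "verification_uri", "expires_in"}


def classify_device_start(path, request_body, response_body):
    """Return (verdict, indicators) for one captured request/response pair.

    verdict is "match" when the path, the kit-specific request contract, the
    broker mode and the RFC 8628 response shape all line up, "partial" when
    only some do, and "none" otherwise.
    """
    indicators = []
    try:
        req = json.loads(request_body)
        resp = json.loads(response_body)
    except (json.JSONDecodeError, TypeError):
        return "none", indicators
    if not isinstance(req, dict) or not isinstance(resp, dict):
        return "none", indicators

    if path.split("?", 1)[0].rstrip("/").endswith("/api/device/start"):
        indicators.append("path:/api/device/start")
    if KIT_REQUEST_FIELDS <= set(req):
        indicators.append("request:userId+clientMode+login_hint+redirect_url")
    # clientMode is not an OAuth 2.0 / RFC 8628 parameter; "broker" selects the
    # WAM authentication-broker flow the kit uses for PRT capture.
    if req.get("clientMode") == "broker":
        indicators.append("request:clientMode=broker")
    if RFC8628_REQUIRED <= set(resp):
        indicators.append("response:rfc8628-device-authorization-shape")

    if len(indicators) == 4:
        return "match", indicators
    return ("partial" if indicators else "none"), indicators


# Constructed samples (not captured traffic) illustrating the contract.
KIT_REQUEST = json.dumps({
    "userId": "a1b2c3",
    "clientMode": "broker",
    "login_hint": "ap@victim.example",
    "redirect_url": "https://example.invalid/done",
})
KIT_RESPONSE = json.dumps({
    "device_code": "DEVICE-CODE-PLACEHOLDER",
    "user_code": "ABCD-EFGH",
    "verification_uri": "https://microsoft.com/devicelogin",
    "expires_in": 900,
})
# A legitimate client's device-code request carries only client_id and scope
# (shown here as JSON for comparison); the response shape alone is not an indicator.
LEGIT_REQUEST = json.dumps({"client_id": "cli-app", "scope": "openid"})

if __name__ == "__main__":
    print(classify_device_start("/api/device/start", KIT_REQUEST, KIT_RESPONSE))
    print(classify_device_start("/oauth2/v2.0/devicecode", LEGIT_REQUEST, KIT_RESPONSE))
```

The RFC 8628 response shape on its own only yields a "partial" verdict because every genuine device-code client receives the same four fields; it is the combination with the `/api/device/start` path and the `clientMode: "broker"` request contract that ties an exchange to this kit.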
ARToken also introduces a seven-layer anti-analysis system combining client-side behavioral verification with XOR-encrypted payloads, a more sophisticated evasion approach than the server-side token mechanism described in prior EvilTokens research.
The Lure in Practice: Vendor-Impersonation Invoice Fraud
Talos recovered two near-identical phishing messages sent roughly four minutes apart on April 20, 2026. The messages spoof an accounts-payable contact at a legitimate Wisconsin contractor, addressed to an accounts-payable recipient at a U.S. life-sciences company, exploiting a real vendor relationship rather than inventing a sender identity. The lure presents an outstanding-invoice query designed to prompt action from finance staff.
Several technical features distinguish the campaign:
- The `From` header presents the vendor's real domain, while `Reply-To` redirects responses to an attacker-controlled domain.
- All three email authentication checks fail: SPF, DKIM (body-hash mismatch), and DMARC.
- Each message carries short random hex strings and an inline signature image, consistent with per-message mutation intended to evade exact-match content filtering.
- The visible anchor text displays the vendor's genuine SharePoint tenant URL, but the underlying href resolves to a look-alike tenant under an attacker-controlled Microsoft 365 workspace. Because the destination is still a legitimate `sharepoint.com` host, it inherits the clean domain reputation of SharePoint rather than that of attacker infrastructure.
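Each of the features above can be checked mechanically at the mail gateway or in a triage script. The following is an added example, not code from the Talos report: it parses a constructed message (placeholder domains, not the real vendor or target) and reports a `From`/`Reply-To` domain mismatch, SPF/DKIM/DMARC failures from the `Authentication-Results` header, and any anchor whose visible URL text points at a different host than its `href`.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed message (not one of the Talos samples); all domains are placeholders.
RAW_MESSAGE = b"""From: Accounts Payable <ap@acme-contracting.example>
Reply-To: ap@acme-contracting-billing.example
To: invoices@lifesci-corp.example
Subject: Outstanding invoice
Authentication-Results: mx.lifesci-corp.example; spf=fail smtp.mailfrom=acme-contracting.example; dkim=fail (body hash did not verify) header.d=acme-contracting.example; dmarc=fail header.from=acme-contracting.example
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please review the open invoice here:
<a href="https://acme-contractinq.sharepoint.com/:f:/s/Invoices/x7f2">https://acme-contracting.sharepoint.com/sites/Invoices</a></p>
<p>Ref 9f3a1c</p><img src="cid:sig0" alt="signature">
</body></html>
"""


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(addr):
    """Domain part of an RFC 5322 address, lower-cased."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def analyze_message(raw):
    """Return a list of finding strings for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []

    from_domain = _domain(str(msg["From"] or ""))
    reply_domain = _domain(str(msg["Reply-To"] or ""))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to-mismatch:{from_domain}->{reply_domain}")

    # Authentication-Results (RFC 8601) as stamped by the receiving MTA.
    auth = str(msg["Authentication-Results"] or "")
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth))
    failed = [m for m in ("spf", "dkim", "dmarc") if results.get(m) == "fail"]
    if failed:
        findings.append("auth-fail:" + "+".join(failed))

    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = AnchorCollector()
        collector.feed(body.get_content())
        for href, text in collector.anchors:
            # Only compare when the visible text itself looks like a URL.
            if text.startswith(("http://", "https://")):
                shown = urlparse(text).hostname or ""
                actual = urlparse(href).hostname or ""
                if shown != actual:
                    findings.append(f"link-mismatch:{shown}->{actual}")
    return findings


if __name__ == "__main__":
    for finding in analyze_message(RAW_MESSAGE):
        print(finding)
```

Note that the link check deliberately compares full hostnames: both the shown and the actual host end in `sharepoint.com`, which is exactly why a reputation-based URL filter passes the message and a tenant-level comparison is needed.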
Post-Compromise Capabilities
EvilTokens’ second-stage pipeline, which ARToken affiliates can access, includes an AI-augmented BEC workflow. The platform chains Groq-hosted Llama models for financial exposure scoring with GPT-4o-mini for email translation, generating three tailored BEC scenarios per compromised mailbox. Targets identified in prior reporting include finance professionals, HR staff, and logistics personnel across multiple global regions.
Security teams should treat any device code authentication prompt that arrives without a user-initiated login as suspicious, use the Conditional Access authentication flows condition to block device code flow wherever it is not operationally necessary, and monitor Microsoft Entra ID (formerly Azure AD) sign-in and audit logs for device code sign-ins followed by anomalous PRT issuance or new device registrations.
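The monitoring advice above can be expressed as a simple correlation: a device code sign-in that is followed within a short window by a device registration for the same account is the pattern of interest. The following is an added example, not part of the Talos report; the record layouts mirror the Microsoft Graph `signIn` (`authenticationProtocol`, `conditionalAccessStatus`) and `directoryAudit` (`activityDisplayName`, `initiatedBy`) objects, which is an assumption about field names, and the records are constructed, not real tenant data.

```python
from datetime import datetime, timedelta

# Constructed sign-in records shaped like Microsoft Graph signIn objects (assumed field names).
SIGN_INS = [
    {"userPrincipalName": "ap@lifesci-corp.example", "createdDateTime": "2026-04-20T14:03:11Z",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Authentication Broker",
     "ipAddress": "203.0.113.45", "conditionalAccessStatus": "notApplied"},
    {"userPrincipalName": "dev@lifesci-corp.example", "createdDateTime": "2026-04-20T09:15:00Z",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Azure CLI",
     "ipAddress": "198.51.100.7", "conditionalAccessStatus": "success"},
    {"userPrincipalName": "ap@lifesci-corp.example", "createdDateTime": "2026-04-20T08:00:00Z",
     "authenticationProtocol": "oAuth2", "appDisplayName": "Outlook",
     "ipAddress": "198.51.100.7", "conditionalAccessStatus": "success"},
]
# Constructed audit records shaped like directoryAudit objects (assumed field names).
AUDITS = [
    {"activityDisplayName": "Register device", "activityDateTime": "2026-04-20T14:05:40Z",
     "initiatedBy": {"user": {"userPrincipalName": "ap@lifesci-corp.example"}}},
]


def _ts(value):
    """Parse an ISO 8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def correlate(sign_ins, audits, window=timedelta(hours=24)):
    """Flag device code sign-ins; escalate when the same user registers a device soon after."""
    registrations = [
        (a["initiatedBy"]["user"]["userPrincipalName"].lower(), _ts(a["activityDateTime"]))
        for a in audits
        if a.get("activityDisplayName") == "Register device"
    ]
    alerts = []
    for s in sign_ins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue
        user = s["userPrincipalName"].lower()
        start = _ts(s["createdDateTime"])
        severity = "medium"
        reasons = ["device-code sign-in"]
        if s.get("conditionalAccessStatus") == "notApplied":
            reasons.append("no Conditional Access policy applied")
        for reg_user, reg_time in registrations:
            if reg_user == user and start <= reg_time <= start + window:
                severity = "high"
                delta = int((reg_time - start).total_seconds())
                reasons.append(f"device registered {delta}s later")
        alerts.append({
            "user": user,
            "time": s["createdDateTime"],
            "app": s.get("appDisplayName"),
            "ip": s.get("ipAddress"),
            "severity": severity,
            "reasons": reasons,
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SIGN_INS, AUDITS):
        print(alert["severity"], alert["user"], alert["app"], "; ".join(alert["reasons"]))
```

The developer's Azure CLI sign-in is still reported at medium severity because device code flow is legitimate for some tooling; the value of the correlation is that the accounts-payable user's sign-in, with no Conditional Access policy applied and a device registration about two and a half minutes later, is the one that rises to high.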
