A phishing-as-a-service (PhaaS) platform called ARToken has given security researchers an unusually detailed look at the capabilities available to affiliates of the EvilTokens phishing ecosystem, which specializes in compromising Microsoft 365 accounts through device code phishing.
Discovery and Platform Analysis
Cisco Talos researchers encountered ARToken during an incident response engagement. The platform’s management interface, built in React, exposed more than 80 API endpoints. By reverse-engineering the client-side JavaScript, Talos documented capabilities that go well beyond typical phishing kits, including token theft, persistent access establishment, and cloud storage manipulation.
Multiple technical indicators link ARToken to EvilTokens. The kit uses identical API calls for Microsoft’s device code authentication flow, including the same POST /api/device/start request previously attributed to EvilTokens. Researchers also identified matching Primary Refresh Token (PRT) API endpoints documented in earlier Sekoia research, covering PRT setup, refresh, renewal, and reacquisition even after expiry. Both platforms share a Cloudflare Workers deployment model and operate as multi-tenant services where affiliates manage independent campaign workspaces.
How Device Code Phishing Works
EvilTokens centers on abusing Microsoft’s OAuth 2.0 Device Authorization Grant flow. Victims are socially engineered into entering a legitimate Microsoft-issued device code on Microsoft’s official device login page. Because authentication flows through Microsoft’s own infrastructure, the attacker receives valid tokens while MFA protections are effectively bypassed.
Sekoia first documented EvilTokens in March, describing it as a commercial service with a reported $1,500 setup fee and $500 monthly subscription. A subsequent Sekoia report found the platform incorporates an AI-driven workflow that scores compromised mailboxes for financial exposure, then uses large language models to draft BEC lures and translate stolen emails for operators working in different languages.
Post-Compromise Capabilities
Once a victim completes the device code flow, ARToken operators can:
- Refresh stolen tokens and escalate to persistent Primary Refresh Tokens
- Access, search, and send email from compromised Outlook mailboxes
- Create inbox rules that automatically forward, hide, or delete messages to cover tracks
- Monitor multiple hijacked mailboxes simultaneously for specific keywords
- Download email attachments and exfiltrate data from SharePoint and OneDrive
- Upload files to victim cloud storage, enabling potential malware delivery
- Load tokens harvested from external sources and share account access among operators
Talos also noted that ARToken phishing pages dynamically update their content based on the victim’s geographic location, a feature not previously documented in EvilTokens research.
Lure Tactics
Phishing emails analyzed by Talos impersonated legitimate vendors using invoice-themed lures directed at accounts payable staff. The messages displayed what appeared to be a valid SharePoint URL while actually routing victims to a lookalike tenant hosted inside the attacker’s own Microsoft 365 workspace, a detail designed to defeat casual URL inspection.
Broader Context
Push Security reported in April that device code phishing attacks had increased 37-fold over the preceding year, with at least 11 phishing kits now offering the technique. Microsoft has issued warnings about the surge as threat actors broadly adopt device code phishing for its high success rate against MFA-protected accounts.
Organizations defending Microsoft 365 environments should treat device code authentication flows as a high-risk vector, restrict the Device Code Flow via Conditional Access policies where operationally feasible, and monitor for anomalous token issuance and unexpected inbox rule creation.
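The monitoring recommended above can be prototyped in a few lines. This added Python example (not code from Talos, Sekoia, or any of the platforms discussed) flags sign-ins that used the device code grant and correlates them with newly created inbox rules that forward, hide, or delete mail; the log records are constructed, and the field names (`authenticationProtocol`, `Operation`, `Parameters`) are assumptions about Entra sign-in and Unified Audit Log exports that should be checked against your own data.

```python
from collections import defaultdict

# Constructed sample records for this example (not real tenant data). Field
# names are assumed to follow the Entra sign-in log and the Exchange entries
# of the Unified Audit Log; adjust them to your export format.
SIGNIN_LOGS = [
    {"userPrincipalName": "ap.clerk@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.10", "appDisplayName": "Microsoft Authentication Broker"},
    {"userPrincipalName": "dev.ops@example.com", "authenticationProtocol": "oAuth2",
     "ipAddress": "198.51.100.7", "appDisplayName": "Visual Studio Code"},
]
AUDIT_LOGS = [
    {"Operation": "New-InboxRule", "UserId": "ap.clerk@example.com",
     "Parameters": [{"Name": "SubjectContainsWords", "Value": "invoice;payment"},
                    {"Name": "ForwardTo", "Value": "external@attacker.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "hr.lead@example.com",
     "Parameters": [{"Name": "From", "Value": "newsletter@example.net"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
]

# Rule parameters that send mail outside the mailbox or hide it from its
# owner, i.e. the forward/hide/delete behaviour described in the article.
RISKY_RULE_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "DeleteMessage", "MarkAsRead"}


def device_code_signins(signins):
    """Return {upn: [source ip, ...]} for sign-ins that used the device code grant."""
    hits = defaultdict(list)
    for rec in signins:
        if rec.get("authenticationProtocol") == "deviceCode":
            hits[rec["userPrincipalName"].lower()].append(rec.get("ipAddress"))
    return dict(hits)


def suspicious_inbox_rules(audits):
    """Return {user: {risky parameter names}} for New-/Set-InboxRule events."""
    hits = defaultdict(set)
    for rec in audits:
        if rec.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        risky = {p["Name"] for p in rec.get("Parameters", [])} & RISKY_RULE_PARAMS
        if risky:
            hits[rec["UserId"].lower()] |= risky
    return dict(hits)


def correlate(signins, audits):
    """Users with both a device-code sign-in and a risky inbox rule: escalate first."""
    return sorted(set(device_code_signins(signins)) & set(suspicious_inbox_rules(audits)))


if __name__ == "__main__":
    for user in correlate(SIGNIN_LOGS, AUDIT_LOGS):
        print(f"ALERT: {user}: device-code sign-in followed by forward/delete inbox rule")
```

In production the two feeds would be joined on a time window rather than on user alone, and a device-code sign-in with no matching rule still merits review on its own.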
