Inside an affiliate panel targeting Microsoft 365

· Published 01/07/2026 13:58

Essential information

Published
01/07/2026 13:58
Modified
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
artoken, business email compromise, device code phishing, eviltokens, microsoft 365, oauth abuse, phishing-as-a-service, primary refresh token
Related entities
3 vulnerabilities (cve), 2 indicators, 2 observables, 20 techniques (mitre), 2 malware

Description

Cisco Talos discovered ARToken, a sophisticated panel sharing infrastructure and operational patterns with the platform. The panel exposes over 80 API endpoints enabling , Primary Refresh Token persistence, email access, operations, and SharePoint exfiltration through a React-based dashboard. The platform deploys a seven-layer anti-analysis system combining client-side behavioral verification with XOR-encrypted payloads. ARToken abuses Microsoft's OAuth 2.0 Device Authorization Grant to bypass multi-factor authentication entirely. Analysis reveals post-compromise capabilities including token management across password resets, automated BEC operations, inbox rule manipulation for evidence suppression, cross-account keyword monitoring, and SharePoint file operations. The platform operates as multi-tenant infrastructure with subscription-based affiliate access, representing a complete operations environment rather than simple phish...
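
Two of the behaviours described above leave distinct traces a defender can hunt for: sign-ins completed through the device authorization grant, and inbox rules that delete or hide mail. The script below is an added example (not Talos's code or anything from the report); it runs simple detection logic over constructed sign-in and mailbox-audit records whose field names follow the shape of Entra sign-in logs and Exchange audit events, and the folder and keyword lists are assumptions you would tune for your tenant.

```python
"""Triage helpers for device-code sign-ins and evidence-suppressing inbox rules.
Field names mirror Entra sign-in logs (authenticationProtocol) and Exchange
mailbox audit events (Operation, Parameters); all records are constructed."""

# Constructed sample sign-in records (not real data).
SIGNINS = [
    {"userPrincipalName": "alice@example.test", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.10"},
    {"userPrincipalName": "bob@example.test", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.7"},
    {"userPrincipalName": "alice@example.test", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.11"},
]

# Constructed sample mailbox audit events (not real data).
AUDIT = [
    {"UserId": "alice@example.test", "Operation": "New-InboxRule",
     "Parameters": {"SubjectContainsWords": "invoice;wire", "DeleteMessage": "True"}},
    {"UserId": "bob@example.test", "Operation": "New-InboxRule",
     "Parameters": {"From": "newsletter@example.test", "MoveToFolder": "Newsletters"}},
    {"UserId": "alice@example.test", "Operation": "Set-InboxRule",
     "Parameters": {"MoveToFolder": "RSS Subscriptions", "MarkAsRead": "True"}},
]

# Assumed lists: folders users rarely read, and keywords typical of BEC payment lures.
HIDDEN_FOLDERS = {"rss subscriptions", "rss feeds", "archive", "junk email", "deleted items"}
PAYMENT_WORDS = {"invoice", "wire", "payment", "bank", "remittance"}


def device_code_signins(records):
    """Return (user, ip) for every sign-in completed via the device authorization grant."""
    return [(r["userPrincipalName"], r["ipAddress"])
            for r in records if r.get("authenticationProtocol") == "deviceCode"]


def suppressive_inbox_rules(events):
    """Flag New-/Set-InboxRule events whose parameters look like evidence suppression."""
    hits = []
    for e in events:
        if e.get("Operation") not in {"New-InboxRule", "Set-InboxRule"}:
            continue
        p, reasons = e.get("Parameters", {}), []
        if p.get("DeleteMessage") == "True":
            reasons.append("deletes matching mail")
        if p.get("MoveToFolder", "").lower() in HIDDEN_FOLDERS:
            reasons.append("moves mail to " + p["MoveToFolder"])
        words = {w.strip().lower() for w in p.get("SubjectContainsWords", "").split(";") if w}
        if words & PAYMENT_WORDS:
            reasons.append("matches payment keywords")
        if reasons:
            hits.append((e["UserId"], e["Operation"], reasons))
    return hits


def correlate(signins, events):
    """Users with both a device-code sign-in and a suppressive rule: top of the triage queue."""
    dc_users = {u for u, _ in device_code_signins(signins)}
    return sorted(dc_users & {u for u, _, _ in suppressive_inbox_rules(events)})
```

A device-code sign-in alone is not malicious (some CLI tools use the flow legitimately), which is why the correlation step pairs it with the mailbox-rule signal before escalating.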

External references