Inside an affiliate panel targeting Microsoft 365
Essential information
- Published
- 01/07/2026 13:58
- Modified
- —
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- artoken, business email compromise, device code phishing, eviltokens, microsoft 365, oauth abuse, phishing-as-a-service, primary refresh token
- Related entities
- 3 vulnerabilities (cve), 2 indicators, 2 observables, 20 techniques (mitre), 2 malware
Description
Cisco Talos discovered ARToken, a sophisticated phishing-as-a-service panel sharing infrastructure and operational patterns with the EvilTokens platform. The panel exposes over 80 API endpoints enabling device code phishing, Primary Refresh Token persistence, email access, business email compromise operations, and SharePoint exfiltration through a React-based dashboard. The platform deploys a seven-layer anti-analysis system combining client-side behavioral verification with XOR-encrypted payloads. ARToken abuses Microsoft's OAuth 2.0 Device Authorization Grant to bypass multi-factor authentication entirely. Analysis reveals post-compromise capabilities including token management across password resets, automated BEC operations, inbox rule manipulation for evidence suppression, cross-account keyword monitoring, and SharePoint file operations. The platform operates as multi-tenant infrastructure with subscription-based affiliate access, representing a complete operations environment rather than simple phish...