Full Report
Talos has identified "ARToken," a phishing-as-a-service platform that targets Microsoft 365. The ARToken panel exposes 80+ API endpoints for device code phishing, Primary Refresh Token persistence, email access, BEC operations, and SharePoint exfiltration.
Analysis Summary
# Tool/Technique: ARToken (EvilTokens Affiliate Panel)
## Overview
ARToken is a sophisticated Phishing-as-a-Service (PhaaS) platform and management panel designed to target Microsoft 365 environments. It leverages the OAuth 2.0 Device Authorization Grant (device code flow) to bypass multi-factor authentication (MFA) and capture session tokens. It functions as a complete Business Email Compromise (BEC) operations environment, allowing attackers to manage hijacked sessions, automate data exfiltration, and perform AI-augmented social engineering.
## Technical Details
- **Type**: Phishing-as-a-Service (PhaaS) / Post-Compromise Management Panel
- **Platform**: Microsoft 365 (SaaS), Windows (ARTBrowser)
- **Capabilities**: Device code phishing, MFA bypass, PRT persistence, automated BEC, SharePoint exfiltration, and anti-analysis evasion.
- **First Seen**: July 2026 (Documented connection to EvilTokens infrastructure active since early 2026).
## MITRE ATT&CK Mapping
- **Resource Development**
  - T1583.006 - Acquire Infrastructure: Web Services
- **Initial Access**
  - T1566.002 - Phishing: Spearphishing Link
- **Persistence**
  - T1098.001 - Account Manipulation: Additional Cloud Credentials
- **Credential Access**
  - T1528 - Steal Application Access Token
- **Lateral Movement**
  - T1550.001 - Use Alternate Authentication Material: Application Access Token
- **Collection**
  - T1114.002 - Email Collection: Remote Email Collection
- **Defense Evasion**
  - T1027 - Obfuscated Files or Information
  - T1497.001 - Virtualization/Sandbox Evasion: System Checks
- **Impact**
  - T1531 - Account Access Removal
## Functionality
### Core Capabilities
- **Bypass MFA**: Uses device code phishing to trick users into authorizing attacker-controlled devices, capturing Primary Refresh Tokens (PRT) and access tokens.
- **Phishing Infrastructure Management**: Integrates with Cloudflare Workers API to deploy and manage phishing templates and domains automatically.
- **Session Management**: A React-based dashboard allows operators to view, sort, and interact with captured victim tokens in real-time.
- **SharePoint Exfiltration**: Programmatic access to resolve sites, list files, and download/upload data from compromised tenants.
### Advanced Features
- **AI-Augmented BEC**: Chains LLMs (Llama, GPT-4o-mini) to score each mailbox's financial exposure and generate three tailored BEC scenarios per mailbox.
- **Anti-Analysis System**: A seven-layer evasion system using client-side behavioral verification and XOR-encrypted payloads.
- **Box Monitor**: Keyword-based monitoring across all compromised accounts to identify high-value communications (e.g., invoices, wire transfers).
- **ARTBrowser**: A standalone Windows application for browsing M365 sessions using hijacked tokens outside of a standard web browser.
- **Geo-Dynamic Templates**: Phishing lures that automatically resolve localized placeholders like city and country based on the victim's IP address.
## Indicators of Compromise
- **File Names**: `pumber.png` (Inline signature image used in lures), `ARTBrowser.exe` (Desktop session tool).
- **Network Indicators**:
  - `dashboard-bl.pamconj[.]com` (Management Panel)
  - `spx.pamconj[.]com` (C2 API)
  - `clear90489058903-document.workers[.]dev` (Phishing Lure Host)
  - `mononapfpcom.sharepoint[.]com` (Look-alike SharePoint Tenant)
- **Behavioral Indicators**:
  - Unexplained OAuth device registrations in Microsoft Entra ID.
  - Creation of inbox rules to forward or hide emails (evidence suppression).
  - Rapid, automated access to SharePoint files from non-standard IP ranges (Cloudflare/VPN).
## Associated Threat Actors
- **EvilTokens Affiliates**: While specific group names are often undisclosed, users of the platform target finance, HR, and logistics sectors globally.
## Detection Methods
- **Behavioral Detection**: Monitor for unusual `User-Agent` strings associated with the "Portal Browser" and identify logins originating from Microsoft's device code flow (`/deviceauth`) from unexpected locations.
- **Log Analysis**: Audit Entra ID (Azure AD) sign-in logs for "Success" events where the authentication method is "Device Code" followed immediately by high-volume API activity.
- **Content Scanning**: Detect look-alike SharePoint domains (e.g., `[brand]com.sharepoint.com`) and "Reply-To" mismatches in incoming vendor communications.
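The behavioral and log-analysis detections above (a device-code sign-in from an unexpected location, the "Portal Browser" user agent, a burst of API activity shortly afterwards, and inbox-rule creation) can be correlated in a few dozen lines. The following is an added example written for this page, not tooling from Talos or from the ARToken operators. The sign-in and audit records are constructed; their field names (`authenticationProtocol`, `FileDownloaded`, `New-InboxRule`) loosely mirror Entra ID sign-in logs and the M365 unified audit log, but the exact export schema of your SIEM is an assumption you will need to adapt.

```python
"""Correlate device-code sign-ins with follow-on mailbox/SharePoint activity.

Added example for this report; sample records are constructed, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed Entra ID sign-in records (one per interactive/device sign-in).
SIGN_INS = [
    {"time": "2026-07-14T09:00:00Z", "user": "a.lee@example.com",
     "authenticationProtocol": "deviceCode", "country": "RO",
     "ip": "203.0.113.7", "userAgent": "Portal Browser"},
    {"time": "2026-07-14T09:02:00Z", "user": "b.ng@example.com",
     "authenticationProtocol": "none", "country": "US",
     "ip": "198.51.100.5", "userAgent": "Mozilla/5.0"},
    # A device-code sign-in that is expected (e.g. a meeting-room device) and quiet afterwards.
    {"time": "2026-07-14T10:30:00Z", "user": "c.ito@example.com",
     "authenticationProtocol": "deviceCode", "country": "US",
     "ip": "198.51.100.9", "userAgent": "Mozilla/5.0"},
]

# Constructed unified-audit-log operations keyed to the same users.
AUDIT_EVENTS = [
    # a.lee: twelve SharePoint downloads in twelve minutes, then an inbox rule appears.
    *[{"time": f"2026-07-14T09:{i:02d}:30Z", "user": "a.lee@example.com",
       "operation": "FileDownloaded"} for i in range(1, 13)],
    {"time": "2026-07-14T09:15:00Z", "user": "a.lee@example.com", "operation": "New-InboxRule"},
    # c.ito: a single mailbox read, nothing else.
    {"time": "2026-07-14T10:31:00Z", "user": "c.ito@example.com", "operation": "MailItemsAccessed"},
]

# Per-user baseline of countries they normally sign in from (constructed).
EXPECTED_COUNTRIES = {
    "a.lee@example.com": {"US"},
    "b.ng@example.com": {"US"},
    "c.ito@example.com": {"US"},
}

WINDOW = timedelta(minutes=30)        # look-ahead after the sign-in
BURST_THRESHOLD = 10                  # API operations in WINDOW that count as "high volume"
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}


def parse_ts(value):
    """Parse the ISO-8601 'Z' timestamps used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def correlate(sign_ins, audit_events, expected_countries):
    """Return one finding per device-code sign-in that trips at least one indicator."""
    by_user = defaultdict(list)
    for event in audit_events:
        by_user[event["user"]].append((parse_ts(event["time"]), event["operation"]))

    findings = []
    for s in sign_ins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue  # only the device code flow is in scope here
        user, t0 = s["user"], parse_ts(s["time"])
        reasons = []

        if s["country"] not in expected_countries.get(user, set()):
            reasons.append(f"device-code sign-in from unexpected country {s['country']}")
        if "portal browser" in s.get("userAgent", "").lower():
            reasons.append("user agent matches 'Portal Browser'")

        # Everything this user did in the WINDOW after the sign-in.
        window = [(t, op) for t, op in by_user[user] if t0 <= t <= t0 + WINDOW]
        if len(window) >= BURST_THRESHOLD:
            reasons.append(f"{len(window)} API operations within {WINDOW.seconds // 60} min of sign-in")
        rule_ops = sorted({op for _, op in window if op in RULE_OPS})
        if rule_ops:
            reasons.append("inbox rule change after sign-in: " + ", ".join(rule_ops))

        if reasons:
            findings.append({"user": user, "ip": s["ip"], "time": s["time"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in correlate(SIGN_INS, AUDIT_EVENTS, EXPECTED_COUNTRIES):
        print(f"{f['time']} {f['user']} from {f['ip']}")
        for r in f["reasons"]:
            print("  -", r)
```

Only the first sign-in is reported: it comes from a country outside the user's baseline, carries the "Portal Browser" user agent, is followed by thirteen operations inside the window, and one of them is an inbox-rule creation. The third sign-in also uses the device code flow but trips none of the indicators, which is the point of correlating rather than alerting on the flow alone.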
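The content-scanning item covers two checks on inbound mail: a `Reply-To` domain that differs from the `From` domain, and a SharePoint link whose tenant name is a brand with a generic suffix bolted on (the `[brand]com.sharepoint.com` shape of the look-alike indicator above). The following is an added example for this page, not Talos tooling. The vendor name `acmevendor`, the mail domains and the message bodies are constructed; the list of suffixes to strip is an assumption you can extend.

```python
"""Flag Reply-To/From mismatches and look-alike SharePoint tenants in an email.

Added example for this report; messages and tenant names are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed: the SharePoint tenant names your real vendors are known to use.
KNOWN_TENANTS = {"acmevendor"}
# Generic suffixes an impostor tenant appends to a brand name (assumption, extend as needed).
SUFFIXES = ("com", "inc", "llc", "corp", "group", "ltd")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def lookalike_tenant(host, known_tenants):
    """Return the known brand a sharepoint.com host imitates, or None if it looks genuine."""
    host = host.lower().rstrip(".")
    if not host.endswith(".sharepoint.com"):
        return None
    tenant = host[: -len(".sharepoint.com")]
    if tenant.endswith("-my"):          # OneDrive hosts are <tenant>-my.sharepoint.com
        tenant = tenant[:-3]
    if tenant in known_tenants:
        return None                     # the vendor's own tenant
    for suffix in SUFFIXES:
        if tenant.endswith(suffix) and tenant[: -len(suffix)] in known_tenants:
            return tenant[: -len(suffix)]
    return None


def body_text(msg):
    """Concatenate the text/plain parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() != "text/plain":
            continue
        payload = part.get_payload(decode=True)
        if payload:
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def scan_message(raw, known_tenants):
    """Return a list of human-readable findings for one RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []

    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    for url in URL_RE.findall(body_text(msg)):
        host = urlparse(url).hostname or ""
        brand = lookalike_tenant(host, known_tenants)
        if brand:
            findings.append(f"look-alike SharePoint tenant {host} imitating {brand}")
    return findings


# Constructed sample: vendor-themed lure with a diverted Reply-To and an impostor tenant.
SUSPECT = """\
From: Accounts Payable <ap@acmevendor.example>
Reply-To: ap-billing@secure-mail-relay.example
Subject: Revised invoice 4471
Content-Type: text/plain; charset=utf-8

Please review the revised invoice before Friday:
https://acmevendorcom.sharepoint.com/:b:/s/Finance/invoice-4471
"""

# Constructed sample: the same vendor, genuine tenant, no Reply-To diversion.
BENIGN = """\
From: Accounts Payable <ap@acmevendor.example>
Subject: Invoice 4471
Content-Type: text/plain; charset=utf-8

Invoice attached here: https://acmevendor.sharepoint.com/:b:/s/Finance/invoice-4471
"""

if __name__ == "__main__":
    for name, raw in (("SUSPECT", SUSPECT), ("BENIGN", BENIGN)):
        print(name, scan_message(raw, KNOWN_TENANTS))
```

Both checks are deliberately narrow: a genuine vendor tenant and its OneDrive `-my` host pass, and a `Reply-To` that matches the sender's domain passes, so the findings that remain are worth a human look.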
## Mitigation Strategies
- **Technical Restrictions**: Disable the Device Code Flow in Microsoft 365 if not strictly required for operations.
- **Conditional Access**: Implement strict Conditional Access policies requiring Compliant or Hybrid-Joined devices for sensitive resource access.
- **Email Security**: Enable DMARC enforcement (p=reject) and use security solutions capable of detecting URL-path mismatches (Link vs. Anchor text).
- **User Training**: Educate staff on the specific mechanics of device code phishing—emphasizing that they should never enter a code into a Microsoft portal that they did not personally initiate.
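The first two mitigations are usually implemented as an Entra Conditional Access policy that blocks the device code flow for all users and applications. Whether such a policy is actually in force (enabled, not report-only, no accidental scoping gaps) is something worth auditing from an export rather than trusting the portal. The following is an added example for this page, not Microsoft or Talos tooling. The policy objects are constructed in the shape of the Graph `conditionalAccessPolicy` resource (`conditions.authenticationFlows.transferMethods`, `grantControls.builtInControls`); treat those field names as an assumption to verify against the API version you export from.

```python
"""Audit exported Conditional Access policies for a working device-code-flow block.

Added example for this report; the policy objects are constructed.
"""

# Constructed export: one report-only draft and one enforced block with a break-glass exclusion.
POLICIES = [
    {
        "displayName": "Report only: device code flow",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": []},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"builtInControls": ["block"]},
    },
    {
        "displayName": "Block device code flow",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": ["<break-glass-object-id>"]},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow, authenticationTransfer"},
        },
        "grantControls": {"builtInControls": ["block"]},
    },
]


def blocks_device_code(policy):
    """True if this policy, as written, blocks the device code flow for all users and all apps."""
    if policy.get("state") != "enabled":
        return False  # disabled or report-only policies do not stop anything
    cond = policy.get("conditions") or {}
    methods = (cond.get("authenticationFlows") or {}).get("transferMethods", "")
    flags = {m.strip() for m in methods.split(",") if m.strip()}
    if "deviceCodeFlow" not in flags:
        return False
    controls = (policy.get("grantControls") or {}).get("builtInControls") or []
    if "block" not in controls:
        return False  # e.g. an MFA grant would not prevent the flow
    users = cond.get("users") or {}
    apps = cond.get("applications") or {}
    return users.get("includeUsers") == ["All"] and apps.get("includeApplications") == ["All"]


def audit(policies):
    """Summarise which policies block the flow and who is carved out of them."""
    blocking = [p for p in policies if blocks_device_code(p)]
    excluded = sorted({
        u for p in blocking for u in (p["conditions"].get("users") or {}).get("excludeUsers", [])
    })
    return {
        "device_code_blocked": bool(blocking),
        "policies": [p["displayName"] for p in blocking],
        "excluded_users": excluded,   # review these: each is a path around the block
    }


if __name__ == "__main__":
    print(audit(POLICIES))
```

The excluded-user list is reported rather than treated as a failure because a break-glass exclusion is normal practice; the point is that every exclusion is a user for whom the device code flow still works and should be covered by other controls.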
## Related Tools/Techniques
- **EvilTokens**: The parent PhaaS platform.
- **Adversary-in-the-Middle (AiTM)**: Related phishing methodology that proxies traffic to bypass MFA.
- **Storm-1575**: A known set of activity related to PhaaS and token theft.