Full Report
It's a 'complete BEC operations environment,' Talos researcher says
Analysis Summary
# Tool/Technique: EvilTokens (via ARToken PhaaS)
## Overview
EvilTokens is a sophisticated device-code phishing-as-a-service (PhaaS) platform. Unlike traditional credential harvesting, it leverages the Microsoft Device Code authentication flow to bypass Multi-Factor Authentication (MFA). Once a victim authorizes the device code, the attacker obtains an OAuth token, granting persistent access to the victim’s Microsoft 365 environment without needing their password.
## Technical Details
- **Type:** Phishing-as-a-Service (PhaaS) / BEC Operations Environment
- **Platform:** Microsoft 365 (SaaS)
- **Capabilities:** MFA Bypass, Token Management, BEC Automation, Anti-Analysis Evasion
- **First Seen:** March 2026 (Documented by Sekoia); Active campaigns observed through July 2026.
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
- T1566.002 - Phishing: Spearphishing Link (Abusing legitimate SharePoint domains)
- **TA0006 - Credential Access**
- T1528 - Steal Application Access Token
- **TA0003 - Persistence**
- T1136.003 - Create Account: Cloud Account
- **TA0005 - Defense Evasion**
- T1550.001 - Use Alternate Authentication Material: Application Access Token
- T1027 - Obfuscated Files or Information (Sophisticated evasion approach)
- **TA0007 - Discovery**
- T1114.002 - Email Collection: Remote Email Services
- **TA0009 - Collection**
- T1114.003 - Email Collection: Email Forwarding Rule
## Functionality
### Core Capabilities
- **Device-Code Phishing:** Generates legitimate Microsoft device codes and tricks users into entering them at `microsoft[.]com/devicelogin`.
- **MFA Bypass:** Circumvents MFA by obtaining authenticated session tokens directly from the identity provider.
- **Token Management:** A centralized panel (e.g., ARToken) to store, refresh, and use stolen OAuth tokens.
- **Phishing Infrastructure:** Shares API contracts and operational patterns across multiple affiliate panels.
### Advanced Features
- **Integrated BEC Environment:** Built-in tools for Outlook inbox access, allowing attackers to read and send emails as the victim.
- **Automated Monitoring:** Keyword-based monitoring across all compromised accounts to identify high-value targets or sensitive data.
- **Inbox Manipulation:** Automatic creation of inbox rules to forward or delete messages, hiding attacker activity from the victim.
- **Advanced Evasion:** Uses "copycat" SharePoint tenants (legitimate `sharepoint[.]com` hosts) to bypass email security gateways that trust Microsoft domains.
## Indicators of Compromise
- **File Hashes:** *Not specified in the article (Cloud-based PhaaS).*
- **File Names:** *Not specified.*
- **Registry Keys:** *N/A (Cloud-centric attack).*
- **Network Indicators:**
- `microsoft-devicelogin[.]com` (Simulated example of copycat domain)
- `sharepoint[.]com` (Abused legitimate hosting)
- *Note: Specific C2 and panel domains are often rotated every 24 hours per Microsoft research.*
- **Behavioral Indicators:**
- Creation of unexpected Outlook inbox rules (e.g., Move to Deleted Items).
- Logins from unusual locations/IPs via "Sign-in via Device Code" flow.
- Unexpected OAuth application registrations in Entra ID (Azure AD).
## Associated Threat Actors
- **ARToken:** A specific PhaaS operator panel/affiliate.
- **EvilTokens Platform:** The parent infrastructure provider.
## Detection Methods
- **Signature-based detection:** Identify known phishing lure templates and "Reply-To" header mismatches.
- **Behavioral detection:**
- Monitor Entra ID (Azure AD) sign-in logs for `Authentication Method: Device Code`.
- Alert on "Success" status for device code flows from IPs not associated with known corporate locations.
- Audit logs for the `New-InboxRule` cmdlet with actions like `DeleteMessage` or `ForwardTo`.
- **YARA rules:** Scanning for specific HTML/JS fragments used in the ARToken/EvilTokens lure pages.
## Mitigation Strategies
- **Prevention:** Disable the "Device Code Flow" in Microsoft 365 if not explicitly required for legacy/IoT devices.
- **Hardening:** Implement Conditional Access policies that require "Compliant Device" or "Hybrid Azure AD Joined Device" to prevent token usage from unauthorized hardware.
- **User Education:** Train users to never enter codes into the `microsoft.com/devicelogin` page unless they personally initiated a login on a secondary device (e.g., a smart TV).
## Related Tools/Techniques
- **Adversary-in-the-Middle (AiTM):** Similar MFA bypass goal, but uses proxying instead of device code flows.
- **Storm-1283:** A known actor group utilizing similar device-code phishing tactics.
- **SAD Typer:** Another documented phishing kit with similar BEC objectives.