Full Report
Cisco Talos’ research on ARToken builds on what’s known about the related EvilTokens phishing-as-a-service. The post This phishing kit looks more like BEC-as-a-service appeared first on CyberScoop.
Analysis Summary
# Tool/Technique: ARToken (EvilTokens Affiliate)
## Overview
ARToken is an advanced operator panel and Phishing-as-a-Service (PhaaS) platform specifically designed to facilitate Business Email Compromise (BEC). It functions as a specialized affiliate panel to the **EvilTokens** operation. Its primary purpose is to bypass multi-factor authentication (MFA) via device code phishing and provide a comprehensive environment for managing compromised Microsoft 365 accounts.
## Technical Details
- **Type:** Phishing-as-a-Service (PhaaS) / BEC-as-a-Service Platform
- **Platform:** Microsoft 365 (SaaS Cloud Environment)
- **Capabilities:** MFA Bypass, Session Token Theft, Inbox Manipulation, Anti-Analysis
- **First Seen:** Early 2026 (EvilTokens activity spikes reported early 2026; ARToken research published July 2026)
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1566.002 - Phishing: Spearphishing Link]
- **[TA0006 - Credential Access]**
  - [T1528 - Steal or Forge Authentication Tokens]
- **[TA0003 - Persistence]**
  - [T1137.005 - Office Application Startup: Outlook Rules]
- **[TA0005 - Defense Evasion]**
  - [T1562.001 - Impair Defenses: Disable or Modify Tools] (7-layer anti-analysis)
## Functionality
### Core Capabilities
- **AitM/Device Code Phishing:** Abuses legitimate Microsoft device authorization pages to grant persistent access to attacker-controlled applications, bypassing MFA.
- **Session Token Theft:** Captures authentication tokens to maintain persistent access without needing credentials.
- **BEC Operations Environment:** Provides a polished dashboard for attackers to manage stolen sessions and conduct financial fraud.
### Advanced Features
- **Inbox Rule Manipulation:** Capability to create or modify Outlook rules to hide incoming security alerts or divert communications between victims and legitimate vendors.
- **Shared Access Links:** Features that allow multiple actors or automated tools to access the compromised account session.
- **AI Integration:** Utilizes artificial intelligence (via the parent EvilTokens framework) to enhance the effectiveness and volume of phishing lures.
- **7-Layer Anti-Analysis System:** Sophisticated evasive measures designed to prevent security researchers and automated sandboxes from identifying the phishing infrastructure.
## Indicators of Compromise
*Note: Specific file hashes and registry keys were not detailed in the provided article text.*
- **Network Indicators:**
  - Legitimate Microsoft device authorization pages (often misused): `microsoft[.]com/devicelogin`
  - *Note: Specific C2 domains for the ARToken panel are protected by 7-layer anti-analysis.*
- **Behavioral Indicators:**
  - Creation of unauthorized Outlook inbox rules (e.g., "Move to Archive" or "Delete" for specific keywords like "Invoice," "Payment," or "MFA").
  - Logins from atypical locations using valid session tokens.
  - Unexpected enterprise application registrations within the Microsoft 365 tenant.
## Associated Threat Actors
- **EvilTokens Affiliates:** ARToken is specifically used by affiliates of the broader EvilTokens PhaaS ecosystem.
- **Unknown BEC Actors:** While specific group names (e.g., APTs) are not identified, operators of the kit are known to target the public sector, life sciences, and construction industries.
## Detection Methods
- **Behavioral Detection:** Monitor authentication logs for device code flow sign-ins, especially those originating from unusual IP addresses or resulting in the registration of suspicious third-party applications.
- **Inbox Audit Logs:** Track the creation of new inbox rules immediately following a successful login from a new session.
- **MFA Monitoring:** Alert on multiple failed MFA attempts followed by a successful login using a "Device Code" or "Token Refresh" event.
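The first two detections above, as an added example that is not from the Talos research or the CyberScoop article: it runs over constructed sample records whose field names are a simplified subset modelled on Entra ID sign-in logs (the `deviceCode` value of `authenticationProtocol`) and the Exchange audit operation `New-InboxRule`, so the keys, IP allowlist and 30-minute window are assumptions to map onto your tenant's real schema.

```python
from datetime import datetime, timedelta

# Constructed sample records (not from the article). Keys are a simplified
# subset of Entra sign-in logs and Exchange unified audit log entries.
SIGNINS = [
    {"time": "2026-07-01T09:00:00Z", "user": "ap@example.com", "ip": "203.0.113.5",
     "protocol": "deviceCode", "app": "Unlisted Client (constructed)"},
    {"time": "2026-07-01T08:00:00Z", "user": "ceo@example.com", "ip": "198.51.100.7",
     "protocol": "oAuth2", "app": "Outlook"},
]
AUDIT = [
    {"time": "2026-07-01T09:04:00Z", "user": "ap@example.com", "ip": "203.0.113.5",
     "operation": "New-InboxRule",
     "parameters": {"SubjectContainsWords": "Invoice;Payment", "MoveToFolder": "Archive"}},
    {"time": "2026-07-01T12:00:00Z", "user": "ceo@example.com", "ip": "198.51.100.7",
     "operation": "New-InboxRule",
     "parameters": {"From": "news@example.org", "MoveToFolder": "News"}},
]
KNOWN_IPS = {"198.51.100.7"}            # assumed corporate egress (constructed)
SUSPECT_WORDS = {"invoice", "payment", "mfa"}
HIDING_FOLDERS = {"Archive", "Deleted Items", "RSS Feeds"}
WINDOW = timedelta(minutes=30)           # assumed correlation window

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def device_code_alerts(signins, known_ips):
    """Device-code sign-ins from IPs outside the known set."""
    return [s for s in signins
            if s["protocol"] == "deviceCode" and s["ip"] not in known_ips]

def rule_after_login_alerts(signins, audit, known_ips, window=WINDOW):
    """New-InboxRule that hides finance/MFA mail, created within `window`
    after a sign-in by the same user from an IP not in the known set."""
    alerts = []
    for a in audit:
        if a["operation"] != "New-InboxRule":
            continue
        p = a["parameters"]
        words = set(p.get("SubjectContainsWords", "").lower().split(";"))
        hides = p.get("MoveToFolder") in HIDING_FOLDERS or p.get("DeleteMessage")
        if not (hides and words & SUSPECT_WORDS):
            continue
        t = parse(a["time"])
        for s in signins:
            delta = t - parse(s["time"])
            if (s["user"] == a["user"] and s["ip"] not in known_ips
                    and timedelta(0) <= delta <= window):
                alerts.append((a["user"], s["ip"], a["time"]))
                break
    return alerts
```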
## Mitigation Strategies
- **Hardware Security Keys:** Enforce FIDO2-compliant hardware keys (e.g., YubiKey), which are resistant to the AitM/session theft techniques used by ARToken.
- **Conditional Access Policies:** Restrict logins to managed devices only or specific geographic regions to invalidate stolen session tokens.
- **User Training:** Educate staff, particularly in Accounts Payable, on the risks of device code authentication (e.g., "Enter this code at microsoft.com/devicelogin").
- **External Sender Tagging:** Visual indicators for emails coming from outside the organization to combat spoofed vendor lures.
## Related Tools/Techniques
- **EvilTokens:** The base PhaaS platform that ARToken leverages for core infrastructure.
- **Kali365:** A similar phishing kit observed abusing Microsoft device authorization pages.
- **Adversary-in-the-Middle (AitM):** The general technique class used to intercept authentication tokens.