ProBackend
active vulnerability exploitation
59 minutes ago7 min read

Inside ARToken: How Artificial Intelligence Powers the Next Generation of EvilTokens Phishing

A new phishing-as-a-service platform called ARToken appears to operate as an affiliate of the EvilTokens toolkit, revealing extensive capabilities for stealing Microsoft 365 tokens, establishing persistent access via Primary Refresh Tokens, and automating business email compromise operations with artificial intelligence.

The ARToken Discovery

Cisco Talos researchers didn't set out to find a new phishing platform. They were deep in an incident response engagement, untangling phishing infrastructure used against a victim organization, when they stumbled onto something that made them sit up straighter. A React-based management panel called "ARToken Panel" was sitting there, exposed and humming along with more than 80 API endpoints.

Reverse engineering the client-side JavaScript revealed capabilities that go well beyond what you'd expect from a typical phishing kit. ARToken can steal Microsoft 365 authentication tokens, establish persistent access through Primary Refresh Tokens (PRTs), and give attackers full control over Outlook mailboxes, SharePoint sites, and OneDrive files. It also deploys phishing infrastructure through Cloudflare Workers and automates a lot of the business email compromise (BEC) workflow that makes these attacks so profitable.

But here's what really caught Talos' attention: the technical fingerprints on ARToken point directly back to EvilTokens, a commercial phishing platform that Sekoia first documented in March 2025. This isn't a competitor. It's an affiliate — or maybe just the next evolution of the same operation.

The ARToken Discovery

Ties to EvilTokens: Same DNA, Different Brand

The connection between ARToken and EvilTokens isn't circumstantial. It's baked into the API calls themselves.

ARToken uses identical requests for Microsoft's OAuth 2.0 Device Authorization Grant workflow — specifically the POST /api/device/start call that EvilTokens was already known to make. The same Primary Refresh Token API endpoints show up too: setup, refresh, renew, and reacquire PRTs even after they've expired. That last one alone is a significant escalation in persistence.

The deployment model matches as well. Both platforms lean on Cloudflare Workers for infrastructure, and both operate as multi-tenant services where affiliates manage their own campaigns through dedicated workspaces. EvilTokens was priced at $1,500 for setup plus $500 a month — not exactly pocket change, but accessible enough to attract serious cybercriminal operators.

Microsoft itself warned about EvilTokens as device code phishing attacks surged, and the technique caught on fast. Push Security reported a 37-fold increase in device code phishing over a single year, with at least 11 different phishing kits now offering the technique. ARToken is just another player in that growing ecosystem, but one with some notable additions.

Ties to EvilTokens: Same DNA, Different Brand

How Device-Code Phishing Actually Works

The core technique here is deceptively simple, which is partly why it works so well. Microsoft's OAuth 2.0 Device Authorization Grant workflow was designed for situations where you need to authenticate on a device without a full keyboard — think smart TVs, media players, command-line tools. The user gets a code, enters it on a login page, and authenticates.

ARToken exploits this flow by tricking victims into entering a legitimate Microsoft-issued device code on what looks like an official Microsoft device login page. The catch? Microsoft issues the authentication tokens directly to the attacker, not the victim. The victim goes through Microsoft's legitimate infrastructure to authenticate, which means multi-factor authentication protections get bypassed entirely. The user thinks they're logging in normally. They are — just not on the side the attacker cares about.

This is why device code phishing has become such a persistent problem. It turns one of Microsoft's convenience features into a backdoor, and because the authentication happens through legitimate channels, traditional security controls struggle to flag it.

The Artificial Intelligence Angle: Automating BEC at Scale

What really sets EvilTokens apart from other device code phishing kits — and what ARToken appears to carry forward — is the integration of artificial intelligence into the post-compromise workflow. Sekoia's follow-up research on EvilTokens uncovered an AI-driven system that ingests harvested mailboxes, scores the financial exposure of each account, and then uses large language models to draft business email compromise campaigns.

That's not just automation. That's a force multiplier. Instead of an operator manually reading through stolen emails to find opportunities for fraud, the platform does the reconnaissance and drafting automatically. And it translates stolen emails for operators working in different languages, which opens up the attack surface across geographies.

This is where artificial intelligence in cybersecurity threats stops being theoretical and starts showing up in actual campaign infrastructure. The AI isn't just a gimmick — it's operationalizing the theft at a scale that would be difficult to achieve manually.

Post-Compromise: What Attackers Can Do After the Hook

Once a victim completes the device code authentication process, ARToken gives operators a surprisingly rich toolkit for exploiting the compromised account.

They can refresh stolen tokens and elevate access to persistent Primary Refresh Tokens, which means even if the initial session expires, they can reacquire it. Full Outlook mailbox access lets them read everything — send emails as the compromised user, create inbox rules that automatically forward or hide messages to cover their tracks, monitor multiple mailboxes simultaneously for keywords like "invoice" or "payment." They can download email attachments without leaving obvious traces.

Beyond email, attackers get full control over SharePoint sites and OneDrive. They can browse files, upload malware for additional attacks, download sensitive documents — essentially treating the victim's cloud storage as their own.

The inbox rule capability is particularly insidious. Set up a rule that quietly moves suspicious messages to a folder the victim will never check, and you've effectively blinded their security monitoring for as long as the rule persists.

New Capabilities Beyond Previous EvilTokens Research

ARToken introduced several features that Talos hadn't seen in earlier EvilTokens documentation, and some of them represent genuine escalations.

The ability to monitor multiple hijacked mailboxes simultaneously for specific keywords is a clear operational improvement — operators can cast a wider net across compromised accounts without switching between workspaces. Loading tokens stolen from other sources into the platform means ARToken can aggregate access from multiple attack vectors, creating a consolidated command post for stolen credentials.

Sharing access to compromised accounts among operators is another significant capability. It turns individual compromises into shared resources, which means a single successful phishing campaign can benefit multiple affiliates.

The phishing pages that auto-update content based on the victim's location are particularly clever from an attacker perspective. Instead of a static look-alike page, the phishing experience adapts in real time — showing region-specific content, local vendor names, or location-appropriate imagery to increase credibility.

And then there's the quiet inbox rule setup that hides or deletes messages. It's a simple technique, but it's devastatingly effective at covering tracks after the initial compromise.

Campaign Tactics: Invoice Lures and Tenant Look-Alikes

Talos analyzed phishing emails associated with ARToken and found a consistent pattern. Attackers impersonate legitimate vendors using invoice-themed lures that target accounts payable employees — a high-value audience because these individuals are trained to act quickly on payment requests.

The emails display what appears to be a legitimate SharePoint address, but they actually direct victims to a look-alike tenant hosted within the attacker's own Microsoft 365 workspace. No link to an obviously attacker-controlled site. Just a URL that looks legitimate because it's hosted on Microsoft infrastructure — just not the victim organization's infrastructure.

This tenant look-alike technique is particularly effective because it leverages Microsoft's own branding and domain structure. The URL might show sharepoint.com or a similar legitimate-looking path, but it's actually resolving to the attacker's workspace. Victims see what looks like a normal SharePoint document and click without hesitation.

The combination of invoice urgency, legitimate-looking infrastructure, and device code authentication creates a attack chain that's hard to defend against with traditional security controls. The victim authenticates through Microsoft, the attacker gets tokens, and by the time anyone notices something's wrong, the operator has already established persistent access.

What This Means for Defenders

The ARToken discovery matters because it confirms that the EvilTokens ecosystem is still active and evolving. The technical ties are clear — same API calls, same PRT endpoints, same deployment model — but the new capabilities suggest the operators are investing in improvement rather than just maintaining the status quo.

The AI-driven BEC automation is particularly concerning from a defensive perspective. When attackers can automatically score financial exposure and draft campaigns in multiple languages, the volume and sophistication of attacks increase in ways that manual operations simply can't match.

Device code phishing itself remains a structural problem. It exploits a legitimate authentication flow, bypasses MFA by design, and produces tokens that look normal to security tools. The 37-fold surge reported by Push Security suggests this isn't slowing down.

For organizations relying on Microsoft 365, the practical takeaway is straightforward: monitor for unusual device code authentication patterns, watch for inbox rules that forward or hide messages without clear business justification, and treat any SharePoint link that doesn't resolve to your known tenant with suspicion — even if the URL looks legitimate.

More blogs