"ARToken Panel" exposed more than 80 API endpoints, according to Cisco Talos researchers who reverse-engineered the client-side code and uncovered a phishing platform that reaches far beyond traditional credential-harvesting pages.
Cisco Talos discovery of ARToken
Cisco Talos identified the ARToken phishing-as-a-service (PhaaS) platform while investigating phishing infrastructure during an incident response engagement. The researchers found a React-based management interface labeled "ARToken Panel" and, through reverse engineering of client-side JavaScript, uncovered more than 80 API endpoints and previously undocumented capabilities that extend beyond ordinary phishing kits.
ARToken's Microsoft 365 token and mailbox capabilities
ARToken is built to steal Microsoft 365 authentication tokens and then use those tokens to perform a broad range of post-compromise actions. Talos found the platform enables attackers to:
- steal and refresh authentication tokens, including elevating to persistent Primary Refresh Tokens (PRTs);
- access Outlook mailboxes with full read and send privileges, create inbox rules to forward or hide messages, monitor multiple mailboxes for keywords simultaneously, and download attachments;
- browse, upload, download, and manage files in SharePoint sites and OneDrive accounts; and
- load tokens stolen from other sources and share access to compromised accounts across actors.
These capabilities allow attackers not only to exfiltrate data but to maintain persistent access and to automate business email compromise (BEC) operations from within victims' Microsoft 365 environments.
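The covert inbox rules described above (forwarding, deleting, or burying messages that match payment keywords) leave New-InboxRule entries in the Exchange Online unified audit log. The following is an added example, not Talos's or the platform's code; it scores constructed audit records in the shape of Search-UnifiedAuditLog output, and the folder list and address formatting are assumptions for the example.

```python
"""Flag risky New-InboxRule events in Exchange Online unified audit log records."""

# Parameters that send a copy of mail off-tenant; their values are constructed here
# in a plain "addr;addr" form (the audit log's exact formatting varies).
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
# Folders commonly used to bury messages the mailbox owner is not meant to see (assumed list).
SUSPECT_FOLDERS = {"rss subscriptions", "rss feeds", "deleted items", "junk email", "archive"}

def rule_parameters(record):
    """Collapse the record's Parameters list of {Name, Value} items into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}

def assess_inbox_rule(record, internal_domains):
    """Return reasons a New-InboxRule record looks like BEC tradecraft (empty if benign)."""
    if record.get("Operation") != "New-InboxRule":
        return []
    p = rule_parameters(record)
    reasons = []
    for name in FORWARDING_PARAMS:
        for target in filter(None, p.get(name, "").split(";")):
            if target.strip().lower().rsplit("@", 1)[-1] not in internal_domains:
                reasons.append(f"{name} to external address {target.strip()}")
    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("DeleteMessage enabled")
    if p.get("MoveToFolder", "").lower() in SUSPECT_FOLDERS:
        reasons.append(f"MoveToFolder {p['MoveToFolder']}")
    keywords = p.get("SubjectContainsWords") or p.get("BodyContainsWords")
    if reasons and keywords:  # hiding or forwarding keyed on payment terms is the BEC pattern
        reasons.append(f"triggered on keywords: {keywords}")
    return reasons

def scan(records, internal_domains):
    """Return (UserId, reasons) for every record that raises at least one reason."""
    return [(r.get("UserId"), assess_inbox_rule(r, internal_domains))
            for r in records if assess_inbox_rule(r, internal_domains)]

# Constructed sample records (not real audit data).
SAMPLE_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "ap.clerk@victim.example", "Parameters": [
        {"Name": "Name", "Value": "."}, {"Name": "SubjectContainsWords", "Value": "invoice;payment;wire"},
        {"Name": "MoveToFolder", "Value": "RSS Subscriptions"}, {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "cfo@victim.example", "Parameters": [
        {"Name": "Name", "Value": "Vendor copy"}, {"Name": "ForwardTo", "Value": "ap@mail-relay.example"},
        {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "hr@victim.example", "Parameters": [
        {"Name": "Name", "Value": "Newsletters"}, {"Name": "MoveToFolder", "Value": "Reading"}]},
]

if __name__ == "__main__":
    for user, reasons in scan(SAMPLE_RECORDS, {"victim.example"}):
        print(user, "->", "; ".join(reasons))
```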
Device code phishing, Primary Refresh Tokens, and MFA bypass
The platform leverages the Microsoft OAuth 2.0 Device Authorization Grant workflow — a device code phishing technique previously associated with the EvilTokens family. In device code phishing, victims are induced to enter a legitimate Microsoft-issued device code on Microsoft's official device login page; because the user authenticates through Microsoft's infrastructure, tokens are issued to the attacker and multi-factor authentication protections can be bypassed.
Talos noted ARToken uses the same API calls seen in earlier EvilTokens activity, including an identical POST /api/device/start request used for Microsoft's device code flow. The researchers also identified the same PRT-related endpoints that Sekoia documented for EvilTokens, covering setup, refreshing, renewing, and reacquiring Primary Refresh Tokens even after expiry. ARToken’s workflow therefore supports both short-lived token harvesting and escalation to long-lived PRT access.
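Because the device code flow completes on Microsoft's own login page, the only place it stands out is in the tenant's sign-in logs, where Entra ID records the protocol used. The following is an added example, not from Talos or the platform: it rates device code sign-ins against each user's baseline of interactive sign-in countries. The field names follow the Microsoft Graph signIn resource (authenticationProtocol, location.countryOrRegion), the records are constructed, and the allowed-app list is an assumption.

```python
"""Surface OAuth device code sign-ins in Entra ID sign-in log records (Graph signIn shape)."""
import json
from collections import defaultdict

# Constructed sample records; field names follow the Microsoft Graph signIn resource.
SAMPLE_SIGNINS = json.loads("""[
 {"createdDateTime": "2025-01-10T08:02:11Z", "userPrincipalName": "ap.clerk@victim.example",
  "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10",
  "location": {"countryOrRegion": "US"}, "appDisplayName": "Microsoft 365"},
 {"createdDateTime": "2025-01-10T09:15:40Z", "userPrincipalName": "ap.clerk@victim.example",
  "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7",
  "location": {"countryOrRegion": "NL"}, "appDisplayName": "Microsoft Office"},
 {"createdDateTime": "2025-01-10T09:18:00Z", "userPrincipalName": "dev@victim.example",
  "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.44",
  "location": {"countryOrRegion": "US"}, "appDisplayName": "Azure Portal"},
 {"createdDateTime": "2025-01-10T09:20:05Z", "userPrincipalName": "dev@victim.example",
  "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.44",
  "location": {"countryOrRegion": "US"}, "appDisplayName": "Azure CLI"}
]""")

def device_code_findings(signins, allowed_apps=()):
    """Return one finding per deviceCode sign-in, rated by how far it departs from the
    user's baseline of interactive (non-device-code) sign-in countries and from the
    apps the organisation legitimately uses with the device code flow (allowed_apps)."""
    baseline = defaultdict(set)
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            baseline[s["userPrincipalName"]].add(s.get("location", {}).get("countryOrRegion"))
    findings = []
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue
        user, app = s["userPrincipalName"], s.get("appDisplayName")
        country = s.get("location", {}).get("countryOrRegion")
        if country not in baseline[user]:
            severity = "high"      # device code grant from a country the user never signs in from
        elif app in allowed_apps:
            severity = "low"       # known CLI/tooling use from a familiar location
        else:
            severity = "medium"    # familiar location, but an app not expected to use this flow
        findings.append({"user": user, "severity": severity, "app": app,
                         "ip": s.get("ipAddress"), "country": country, "time": s["createdDateTime"]})
    return findings

if __name__ == "__main__":
    for f in device_code_findings(SAMPLE_SIGNINS, allowed_apps=("Azure CLI",)):
        print(f["severity"].upper(), f["user"], f["app"], f["ip"], f["country"], f["time"])
```

Where no workload genuinely needs the device code flow, a Conditional Access policy using the authentication flows condition can block it outright, and this check then becomes a tripwire for policy gaps.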
EvilTokens links, AI automation, and distribution model
Talos highlighted multiple technical similarities between ARToken and the EvilTokens phishing platform discovered earlier this year. Those similarities include the device code API calls, PRT endpoints, a shared Cloudflare Workers deployment model, and a multi-tenant affiliate service architecture in which individual affiliates manage campaigns through dedicated workspaces.
Prior research from Sekoia showed EvilTokens operates as a commercial service—Sekoia reported a $1,500 setup fee and a $500 monthly subscription—and includes AI-driven workflows that ingest harvested mailboxes to score financial exposure, draft BEC campaigns with AI and large language models, and translate stolen emails for multilingual operators. Talos’ findings confirm that affiliates supporting ARToken-style operations have access to automation that can take mailbox harvests through scoring, message-generation, and campaign deployment.
Operational tradecraft seen in phishing lures and infrastructure
Talos analyzed phishing emails associated with the platform and found targeted invoice-themed lures aimed at accounts payable employees. Attackers impersonated legitimate vendors and used messages that display what appears to be an authentic SharePoint address while actually directing victims to a look-alike tenant hosted inside the attacker's Microsoft 365 workspace. The platform also includes tooling to deploy phishing infrastructure via Cloudflare Workers and phishing pages that can automatically update content based on a victim's location.
What this means for security teams, procurement leaders, and accounts payable employees
- Security teams and technologists: ARToken’s combination of token theft, PRT escalation, mailbox monitoring, and tenant-level look-alike hosting shows defenders must contend with automated, post-compromise workflows rather than one-off credential grabs. The findings point organizations toward detection approaches that surface compromised tokens, persistent PRT activity, and covert inbox rules; BleepingComputer is hosting a webinar with Abnormal that will explore how behavioral AI can help automate detection, investigation, and remediation for these attack patterns.
- Procurement and risk leaders: The research reiterates that device code phishing is now offered as a commercial service—with published setup and subscription pricing in Sekoia’s reporting—meaning the technique scales via a criminal market. Procurement and vendor-risk teams should note the threat model includes multi-tenant affiliate platforms and Cloudflare Workers deployment models referenced by Talos.
- Accounts payable and finance staff: Talos found attackers used invoice-themed lures impersonating vendors and directing victims to look-alike Microsoft 365 tenants. Those employees remain high-value targets for device code phishing campaigns that seek to harvest tokens and then perform outbound wire-request or invoice-fraud operations from compromised mailboxes.
ARToken underlines a crucial shift: phishing kits tied to EvilTokens now incorporate full lifecycle automation—token harvesting, refresh and elevation to PRTs, mailbox monitoring and manipulation, and data access across SharePoint and OneDrive—packaged for affiliates to operate at scale. For organizations watching this space, the immediate options cited in the reporting include behavioral AI approaches to detect account takeover behavior and breach-and-attack simulation to test SIEM and EDR detection rules; BleepingComputer and Picus resources mentioned in the source provide starting points for those conversations.