"Since March 15, 2026, we have observed 10 to 15 distinct campaigns launching every 24 hours," Microsoft VP of security research Tanmay Ganacharya told El Reg in April, a cadence that underlines how rapidly device-code phishing operations have scaled.
How the lure reached a victim inbox on April 20, 2026
Cisco Talos incident responders recovered two near‑identical messages sent roughly four minutes apart on April 20, 2026, that initiated a targeted chain. The emails abused a real vendor relationship between a US life‑sciences company and a legitimate plumbing and fire‑protection contractor. The messages used an outstanding‑invoice bait — literally telling the recipient that "the following invoices appear to still be outstanding" — and presented the contractor’s real domain in the From header.
Several techniques kept the messages looking authentic: the visible anchor text in the email body displayed what appeared to be the vendor’s genuine SharePoint tenant, while the actual href pointed to a near‑identical copycat tenant in an attacker‑controlled Microsoft 365 workspace. Because the destination remained a legitimate sharepoint.com host, Talos said, the link was less likely to be flagged as malicious. The Reply‑To header, however, redirected responses to an unrelated domain under attacker control.
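The mismatches Talos describes (visible anchor text versus the real href, a legitimate sharepoint.com host that is not the vendor's tenant, and a Reply-To pointing away from the From domain) are all checkable at the mail gateway. The following is an added example, not code from Talos or the original article; the message, tenant names and domains are constructed placeholders, and the expected vendor tenant is assumed to be known from prior correspondence.

```python
import re
from email import message_from_string, policy, utils
from urllib.parse import urlparse

# Constructed sample modelled on the lure described above; tenant names
# and domains are placeholders, not the real vendor's.
RAW_MESSAGE = """From: Accounts <billing@example-contractor.test>
Reply-To: replies@unrelated-attacker.test
To: ap@example-lifesciences.test
Subject: Outstanding invoices
Content-Type: text/html; charset="utf-8"

<p>The following invoices appear to still be outstanding:</p>
<a href="https://examplecontract0r.sharepoint.com/:f:/s/inv">https://examplecontractor.sharepoint.com/:f:/s/inv</a>
"""

# Simple anchor extractor; good enough for illustrative HTML bodies.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def domain_of(addr):
    """Domain part of an RFC 5322 address header value."""
    return utils.parseaddr(addr)[1].rpartition("@")[2].lower()

def sharepoint_tenant(url):
    """Tenant label for a *.sharepoint.com URL, else None."""
    host = urlparse(url).hostname or ""
    return host.split(".")[0] if host.endswith(".sharepoint.com") else None

def analyze(raw, expected_tenant):
    """Return sorted finding labels for one message; empty means clean."""
    msg = message_from_string(raw, policy=policy.default)
    findings = set()
    # Reply-To steering responses to a domain other than the visible sender.
    if msg["Reply-To"] and domain_of(msg["Reply-To"]) != domain_of(msg["From"]):
        findings.add("reply-to-domain-mismatch")
    body = msg.get_body(preferencelist=("html",)).get_content()
    for href, text in ANCHOR_RE.findall(body):
        text = re.sub(r"<[^>]+>", "", text).strip()
        # Displayed URL and real destination disagree on host.
        if text.startswith("http") and urlparse(text).hostname != urlparse(href).hostname:
            findings.add("anchor-text-host-mismatch")
        # Legitimate sharepoint.com host, but not the vendor's known tenant.
        tenant = sharepoint_tenant(href)
        if tenant and tenant != expected_tenant:
            findings.add("unexpected-sharepoint-tenant")
    return sorted(findings)
```

Running `analyze(RAW_MESSAGE, "examplecontractor")` returns all three labels for the constructed lure; the same message with the Reply-To removed and the tenant corrected returns an empty list.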
ARToken: a phishing‑as‑a‑service operator linked to EvilTokens
Talos identified a phishing‑as‑a‑service (PhaaS) operator panel branded "ARToken" that appears to be a customer of the EvilTokens platform. According to Talos security research engineer Michael Kelley, ARToken shares infrastructure, API contracts, and operational patterns with EvilTokens — the device‑code phishing kit first documented by French firm Sekoia in March 2026 and linked by Microsoft to daily compromises of hundreds of organizations in April.
Talos recovered an API contract from ARToken that is identical to the one Sekoia originally documented, and found matching deployment and operational models between the two. Those connections place ARToken squarely in the same ecosystem as EvilTokens rather than being a distinct, one‑off tool.
More sophisticated evasion and anti‑analysis techniques
In its investigation, Talos uncovered "notably more sophisticated" anti‑analysis and evasion capabilities in the ARToken infrastructure than earlier public analyses had shown. Talos’ report does not exhaustively enumerate those capabilities from the recovered panel data, but presents them as enhancements that make detection and pattern‑based defenses more challenging, a concern that amplifies Microsoft’s earlier observation about varied and unique payloads.
Built‑in post‑exploitation and a full BEC toolkit
ARToken’s panel exposed a comprehensive post‑exploitation toolkit, Talos found. The toolkit provides token management and persistence mechanisms alongside a built‑in business email compromise (BEC) suite with the following capabilities: full Microsoft Outlook inbox read access; the ability to send email as the victim; creation of inbox rules to forward or delete messages; and keyword‑based monitoring across all compromised accounts.
Michael Kelley summarized the platform’s posture bluntly: "These features indicate the platform is more mature than a simple device code phishing kit - it is a complete BEC operations environment." That characterization elevates the toolset from an initial access vector into an operational environment for post‑compromise activity.
What this means for technologists, affected enterprises, and end users
- Technologists and security teams should watch for attacker behavior that preserves legitimate hosting (for example, sharepoint.com destinations) while routing control through attacker‑controlled Microsoft 365 workspaces, and for API contracts that mirror previously documented EvilTokens patterns.
- Affected enterprises and procurement leaders need to account for attacks that exploit genuine vendor relationships; the ARToken lure specifically used an existing vendor relationship between a US life‑sciences company and a plumbing and fire‑protection contractor.
- End users must be aware that visible link text and sender domains can be deceptive — a real vendor’s domain may appear in the From header while Reply‑To and href targets lead to attacker‑controlled resources.
Talos’ recovery of the ARToken panel, its ties to EvilTokens, and the April 20 message samples deepen a record that began with Sekoia’s March documentation and Microsoft’s April warning about widespread device‑code phishing. The tools and tradecraft Talos describes show device‑code phishing evolving from a means of bypassing multifactor controls into a full operational environment for BEC campaigns — a shift that changes what defenders must detect and what victims may unknowingly surrender.