“These features indicate the platform is more mature than a simple device code phishing kit — it is a complete BEC operations environment,” wrote Michael Kelley, security research engineer at Cisco Talos.
Cisco Talos uncovers an operator panel called ARToken
Cisco Talos researchers disclosed an operator panel they named ARToken, describing it as an affiliate of the EvilTokens phishing-as-a-service operation. Talos said ARToken shares infrastructure and other components with EvilTokens, a campaign built to bypass multi‑factor authentication and compromise Microsoft 365 accounts.
How ARToken differs from previously reported kits
According to the Talos writeup reported by CyberScoop, ARToken includes capabilities that go beyond what companies such as Sekoia and Microsoft had publicly described about EvilTokens. Notably, ARToken offers inbox rule manipulation and shared access links — features that, in Talos’s assessment, expand the toolkit into an operational environment for business email compromise (BEC) rather than a narrowly scoped device‑code phishing kit.
EvilTokens’ rapid growth and AI assistance
CyberScoop cited Talos reporting that EvilTokens has seen a sharp increase in activity: a 1,380% rise in phishing attacks early this year compared with the same period last year. Talos linked that surge in part to integration of artificial intelligence into the phishing workflow.
Evasion, targeting and an example lure
Talos described ARToken as having a seven‑layer anti‑analysis system designed to frustrate investigators and automated analysis. The research also detailed the kind of targeted lures ARToken operators use. One example spoofs an accounts‑payable contact at a legitimate Wisconsin contractor and addresses an accounts‑payable recipient at a U.S. life sciences company — “abusing a real vendor relationship rather than inventing a sender,” Kelley wrote.
The lure theme in that sample was an outstanding‑invoice inquiry, the sort of message accounts‑payable staff are trained to act on; Talos reproduced the lure text as: “the following invoices appear to still be outstanding… advise when this will be processed.” Kelley emphasized the targeting element, contrasting these messages with scattershot phishing campaigns.
What this means for technologists, the public sector, and accounts‑payable teams
- Technologists and security teams should note the operational features Talos observed — inbox rule manipulation and shared access links — which can extend an attacker’s foothold beyond initial credential capture.
- The public sector has already been observed as a target; Talos told CyberScoop that “we’ve seen the public sector targeted but it’s unlikely to be the only one,” signaling broader exposure potential.
- Accounts‑payable and procurement teams at affected enterprises face lures that deliberately mimic real vendor relationships and use invoice‑processing language — a social engineering posture designed to prompt quick payment action.
Cisco Talos’ findings position ARToken as more than a simple phishing kit: the combination of affiliate infrastructure with EvilTokens, explicit features for post‑compromise manipulation, an anti‑analysis stack, and AI‑assisted growth in EvilTokens activity together indicate a maturation of BEC tooling. Talos also cautioned that it does not yet have a full sense of the breadth of ARToken’s activity or who exactly is using the platform, leaving open the key questions of scale and attribution. For defenders and organizations that process payments, those unanswered elements will determine how immediate and widespread the risk becomes.
Original reporting: https://cyberscoop.com/artoken-bec-platform-cisco-talos/