logo

ARToken: Inside an EvilTokens affiliate panel targeting Microsoft 365

ID: 2bcfee78-b079-5181-93d1-8a22278fb154

STIX ID: report--2bcfee78-b079-5181-93d1-8a22278fb154

Feed Name: Cisco Talos

Threat Score
78/100

Date Published: 2026-07-01

Date Updated: 2026-07-02

Author: Michael Kelley

...
...

Cisco Talos details ARToken, a fully-featured phishing-as-a-service platform tied to EvilTokens that uses Microsoft OAuth device-code phishing to capture access and Primary Refresh Tokens, deploys lures via Cloudflare Workers, employs a sophisticated seven-layer client-side anti-analysis stack, and provides affiliates with BEC, SharePoint/OneDrive exfiltration, token management, and session browsing capabilities; the report includes API and SPA analysis, IOCs, and MITRE ATT&CK mappings.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.