ARToken: Inside an EvilTokens affiliate panel targeting Microsoft 365
ID: 2bcfee78-b079-5181-93d1-8a22278fb154
STIX ID: report--2bcfee78-b079-5181-93d1-8a22278fb154
Feed Name: Cisco Talos
Cisco Talos details ARToken, a fully-featured phishing-as-a-service platform tied to EvilTokens that uses Microsoft OAuth device-code phishing to capture access and Primary Refresh Tokens, deploys lures via Cloudflare Workers, employs a sophisticated seven-layer client-side anti-analysis stack, and provides affiliates with BEC, SharePoint/OneDrive exfiltration, token management, and session browsing capabilities; the report includes API and SPA analysis, IOCs, and MITRE ATT&CK mappings.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
