logo

EvilTokens-Linked ARToken Panel Exposes 80+ APIs for Microsoft 365 Token Theft

ID: 8fdd077f-b380-5798-998c-3fd2d8351991

STIX ID: report--8fdd077f-b380-5798-998c-3fd2d8351991

Feed Name: GBHackers

Threat Score
78/100

Date Published: 2026-07-02

Date Updated: 2026-07-02

Author: Mayura Kathir

...
...

Cisco Talos identified a phishing-as-a-service platform called ARToken that mirrors and expands the EvilTokens ecosystem: a React SPA exposing 80+ API endpoints for device-code phishing, PRT persistence (bypassing MFA and surviving password resets), mailbox takeover, BEC tooling, and SharePoint/OneDrive exfiltration, with lures hosted via Cloudflare Workers and a Windows companion browser. The report documents infrastructure (e.g., spx.pamconj.com), client-side anti-analysis, payload obfuscation, operational lures, and defensive recommendations.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.