EvilTokens-Linked ARToken Panel Exposes 80+ APIs for Microsoft 365 Token Theft
ID: 8fdd077f-b380-5798-998c-3fd2d8351991
STIX ID: report--8fdd077f-b380-5798-998c-3fd2d8351991
Feed Name: GBHackers
Cisco Talos identified a phishing-as-a-service platform called ARToken that mirrors and expands the EvilTokens ecosystem: a React SPA exposing 80+ API endpoints for device-code phishing, PRT persistence (bypassing MFA and surviving password resets), mailbox takeover, BEC tooling, and SharePoint/OneDrive exfiltration, with lures hosted via Cloudflare Workers and a Windows companion browser. The report documents infrastructure (e.g., spx.pamconj.com), client-side anti-analysis, payload obfuscation, operational lures, and defensive recommendations.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
