EvilTokens’ Microsoft 365 Phishing Toolkit Exposed via ARToken PhaaS


ARToken PhaaS exposes EvilTokens’ Microsoft 365 phishing toolkit

A newly identified phishing-as-a-service (PhaaS) platform named “ARToken” has been linked to the EvilTokens phishing operation, revealing a sophisticated toolkit designed to exploit Microsoft 365 environments.

Discovery of ARToken PhaaS

Researchers from Cisco Talos uncovered the platform during an investigation into phishing infrastructure associated with a specific incident response case. The discovery included a React-based administrative interface called the “ARToken Panel,” which exposed over 80 API endpoints.

Technical Analysis of ARToken

Analysis of the client-side JavaScript code uncovered advanced functionalities beyond typical phishing tools. The platform enables threat actors to extract Microsoft 365 authentication tokens, establish persistent access via Primary Refresh Tokens (PRTs), and gain unauthorized access to Outlook mailboxes, SharePoint repositories, and OneDrive storage.

Infrastructure and Automation

The platform also incorporates mechanisms to deploy phishing infrastructure through Cloudflare Workers and to automate elements of business email compromise (BEC) operations. Talos researchers noted significant technical overlaps between ARToken and EvilTokens, including identical API calls for Microsoft’s device code authentication flow.

Connection to EvilTokens

Specifically, the `POST /api/device/start` request, previously tied to EvilTokens attacks, was found in ARToken’s codebase. Further analysis revealed that ARToken utilizes the same PRT management endpoints documented in Sekoia’s research on EvilTokens, including processes for initializing, renewing, and reacquiring PRTs even after expiration.

Phishing Techniques and Bypassing MFA

The platform employs a multi-tenant architecture, allowing affiliates to manage campaigns through isolated workspaces. This model mirrors EvilTokens’ approach, which leverages Microsoft’s OAuth 2.0 Device Authorization Grant protocol to compromise accounts. Victims are deceived into entering a legitimate device code on Microsoft’s official login page, resulting in authentication tokens being issued directly to attackers rather than the user.

Bypassing Multi-Factor Authentication

This method bypasses multi-factor authentication protections by exploiting Microsoft’s trusted infrastructure. EvilTokens, first reported by Sekoia in March, operates as a commercial phishing service with a $1,500 setup fee and a $500 monthly subscription.

EvilTokens’ AI-Driven Workflow

A subsequent report by Sekoia highlighted an AI-driven workflow that analyzes harvested mailboxes to assess financial risk and generates BEC campaigns using artificial intelligence and large language models (LLMs). Microsoft issued warnings about the platform as device code phishing attacks surged, with multiple threat groups adopting the technique due to its effectiveness against Microsoft 365 users.

ARToken’s Enhanced Capabilities

ARToken expands on EvilTokens’ capabilities by introducing features such as simultaneous monitoring of hijacked mailboxes for specific keywords, integration of tokens from external sources, and shared access to compromised accounts. Attackers can also configure inbox rules to conceal or delete messages, reducing detection risks.
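Detection logic for the two behaviours described above (device-code sign-ins and inbox rules that hide mail), as an added example that is not code from the article, Talos or Sekoia. It assumes Entra ID sign-in records in the Microsoft Graph signIn shape (field `authenticationProtocol`, value `deviceCode`) and Exchange Online audit records for the New-InboxRule operation; every sample record is constructed.

```python
"""Detection sketch: device-code sign-ins followed by mail-hiding inbox rules.
Added example (not from the article or any vendor). Assumes Graph signIn-shaped
records (field `authenticationProtocol`, value "deviceCode") and Exchange Online
New-InboxRule audit records; every record below is constructed.
"""

# Constructed sample input: three sign-ins and one inbox-rule audit event.
SIGNINS = [
    {"userPrincipalName": "ap@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "createdDateTime": "2025-01-10T09:12:00Z"},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "none",
     "ipAddress": "203.0.113.5", "createdDateTime": "2025-01-10T09:15:00Z"},
    {"userPrincipalName": "carol@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.9", "createdDateTime": "2025-01-10T10:02:00Z"},
]
AUDIT = [
    {"Operation": "New-InboxRule", "UserId": "ap@example.com",
     "CreationTime": "2025-01-10T09:40:00Z",
     "Parameters": [{"Name": "DeleteMessage", "Value": "True"},
                    {"Name": "SubjectContainsWords", "Value": "invoice"}]},
]
# Rule parameters that make incoming mail disappear from the user's view.
HIDE_PARAMS = {"DeleteMessage", "MoveToFolder", "MarkAsRead"}

def device_code_signins(signins):
    """Sign-ins that used the OAuth 2.0 device authorization grant."""
    return [s for s in signins if s.get("authenticationProtocol") == "deviceCode"]

def hiding_rules(audit):
    """New-InboxRule events whose parameters delete, move or mark mail as read."""
    out = []
    for ev in audit:
        names = {p["Name"] for p in ev.get("Parameters", [])}
        if ev.get("Operation") == "New-InboxRule" and names & HIDE_PARAMS:
            out.append(ev)
    return out

def triage(signins, audit):
    """Severity per device-code user: 'high' if a hiding rule was created for
    that mailbox after the sign-in (token theft plus concealment), else 'medium'.
    Timestamps share one ISO-8601 UTC format, so string order is time order."""
    rules = hiding_rules(audit)
    result = {}
    for s in device_code_signins(signins):
        user, when = s["userPrincipalName"], s["createdDateTime"]
        followed = any(r["UserId"] == user and r["CreationTime"] >= when for r in rules)
        result[user] = "high" if followed else "medium"
    return result
```

In production the same two functions would be fed from the sign-in log and unified audit log exports rather than the inline samples.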

Phishing Email Tactics

The platform’s phishing emails impersonate legitimate vendors, using invoice-themed lures targeting accounts payable departments. These emails display seemingly valid SharePoint URLs but redirect victims to cloned Microsoft 365 workspaces hosted by attackers.

Additional Functionalities and Threat Landscape

Talos identified additional functionalities in ARToken, including location-based content updates on phishing pages and tools for automating BEC operations. Push Security reported a 37-fold increase in device code phishing attacks over the past year, with at least 11 phishing kits now offering this method to cybercriminals.

Mitigation Strategies for Organizations

For organizations seeking to mitigate risks from advanced Microsoft 365 phishing attacks, security teams must prioritize proactive measures. Research indicates that 54% of successful breaches go undetected, with only 14% triggering alerts. Solutions such as breach and attack simulation tools can validate detection capabilities and strengthen defenses against evolving threats.

