
ARToken Exposes a Dangerous New Chapter in Microsoft 365 Phishing as Researchers Uncover a Full-Scale Business Email Compromise Platform

Security researchers have uncovered ARToken, a phishing-as-a-service (PhaaS) platform built to compromise Microsoft 365 environments through device code phishing. Beyond the lure itself, it hands affiliates a post-compromise toolkit for Business Email Compromise (BEC), persistent account hijacking, SharePoint data theft and cloud infrastructure abuse.

Unlike traditional phishing kits, ARToken operates more like a commercial Software-as-a-Service platform complete with management dashboards, automation, collaboration features, infrastructure deployment, and lifecycle management for compromised accounts.

The discovery offers organizations a rare look inside the operational infrastructure that modern phishing groups are using today, illustrating just how mature cybercrime-as-a-service has become.

A Platform Built for Persistent Microsoft 365 Compromise

According to research published by Cisco Talos, ARToken shares significant technical similarities with the EvilTokens platform previously documented by security researchers earlier this year.

Rather than relying solely on stolen passwords, the platform abuses Microsoft’s legitimate OAuth 2.0 Device Authorization Grant, commonly referred to as device code authentication.

The grant exists for devices with limited input capability, such as smart TVs or conference room equipment: the device asks Microsoft for a short user code, and the user enters that code at microsoft.com/devicelogin from another machine. ARToken inverts the roles. The attacker's infrastructure acts as the device and requests the code, and the lure persuades the victim to enter it on Microsoft's genuine sign-in portal.

Because the victim authenticates directly with Microsoft, completing MFA there, nothing in the exchange looks like credential theft and no look-alike login page is needed. MFA is not broken; it is satisfied by the victim on the attacker's behalf, and the resulting tokens are issued to the client that requested the code.

Instead of harvesting passwords, attackers therefore obtain access and refresh tokens that provide immediate access to Microsoft 365 services, without ever handling a password or a second factor.
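
Added example (written for this article, not code from Cisco Talos or from the kit): an offline simulation of the RFC 8628 exchange in Python. MockAuthServer stands in for Microsoft's /devicecode and /token endpoints; the client ID, token strings and victim address are constructed, and the 900-second code lifetime mirrors the expires_in value Entra ID returns. What it makes visible is the asymmetry of the grant: the tokens go to the party that requested the code, not to the person who typed it, and the lure has roughly fifteen minutes to work before the code expires.

```python
"""Simulation of the OAuth 2.0 Device Authorization Grant (RFC 8628).

Added example for this article, not the kit's code.  MockAuthServer plays the
role of the identity provider so the exchange can be run offline; every token
value below is constructed.
"""
import secrets
import time

DEVICE_CODE_LIFETIME = 900   # seconds; Entra ID returns expires_in=900 (15 min)
POLL_INTERVAL = 5            # seconds; Entra ID returns interval=5


class MockAuthServer:
    """Stands in for /oauth2/v2.0/devicecode and /oauth2/v2.0/token."""

    def __init__(self, now=time.time):
        self.now = now              # injectable clock so expiry can be tested
        self.pending = {}           # device_code -> pending authorization

    def devicecode(self, client_id, scope):
        """Step 1: the CLIENT (in a phishing scenario, the attacker) asks for codes.
        No user interaction has happened yet."""
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice("BCDFGHJKLMNPQRSTVWXZ") for _ in range(9))
        self.pending[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "expires_at": self.now() + DEVICE_CODE_LIFETIME, "approved_by": None,
        }
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://microsoft.com/devicelogin",
                "expires_in": DEVICE_CODE_LIFETIME, "interval": POLL_INTERVAL}

    def user_approves(self, user_code, upn, mfa_passed):
        """Step 2: the USER types user_code on the genuine portal and signs in,
        completing MFA there.  Nothing in this step reveals who started the flow."""
        for rec in self.pending.values():
            if rec["user_code"] == user_code and self.now() < rec["expires_at"]:
                if mfa_passed:
                    rec["approved_by"] = upn
                return mfa_passed
        return False

    def token(self, device_code):
        """Step 3: the CLIENT polls with grant_type=urn:ietf:params:oauth:grant-type:device_code."""
        rec = self.pending.get(device_code)
        if rec is None:
            return {"error": "invalid_grant"}
        if self.now() >= rec["expires_at"]:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if rec["approved_by"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]
        # Tokens go to the holder of device_code, i.e. the client that started the
        # flow, and carry the identity and MFA claim of the user who approved it.
        return {"token_type": "Bearer", "scope": rec["scope"],
                "access_token": "eyJ.constructed.access",
                "refresh_token": "0.constructed.refresh",
                "id_token_claims": {"upn": rec["approved_by"], "amr": ["pwd", "mfa"]}}


class FakeClock:
    def __init__(self, start=1_700_000_000.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def run_scenario(seconds_until_victim_acts, mfa_passed=True):
    """Attacker starts the flow, delivers the lure, victim acts after a delay.
    Returns whatever the attacker's final token poll yields."""
    clock = FakeClock()
    idp = MockAuthServer(now=clock)
    init = idp.devicecode(client_id="00000000-constructed-client-id",
                          scope="openid offline_access https://graph.microsoft.com/.default")
    first_poll = idp.token(init["device_code"])        # attacker polls too early
    assert first_poll == {"error": "authorization_pending"}
    clock.advance(seconds_until_victim_acts)
    idp.user_approves(init["user_code"], upn="victim@example.com", mfa_passed=mfa_passed)
    return idp.token(init["device_code"])


if __name__ == "__main__":
    print(run_scenario(120))    # victim acts within 15 min: attacker holds tokens
    print(run_scenario(1000))   # victim acts after expiry: {'error': 'expired_token'}
```

The expiry branch is why these lures are urgent invoice or payment follow-ups rather than slow-burn pretexts: the code the attacker embeds in the email is dead fifteen minutes after it was requested, so the kit has to generate it close to delivery and get the victim to act quickly.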

Beyond Phishing: A Complete Business Email Compromise Ecosystem

Perhaps the most alarming aspect of ARToken is that phishing represents only the first stage of the attack.

Researchers found an affiliate dashboard exposing more than 80 different API endpoints supporting nearly every phase of a cloud account takeover.

Capabilities include:

  • Microsoft 365 token management
  • Primary Refresh Token (PRT) persistence
  • Automated Business Email Compromise operations
  • Outlook mailbox monitoring
  • SharePoint and OneDrive data access
  • Email forwarding rule creation
  • Token sharing among affiliates
  • Bulk token import/export
  • Infrastructure deployment
  • Victim session browsing through a dedicated desktop application

Taken together, the platform functions less like a phishing kit and more like a cloud attack operating system.

Advanced Anti-Analysis Techniques Raise the Bar

Researchers also identified a sophisticated seven-layer anti-analysis framework built into the phishing kit.

Rather than relying solely on server-side detection, ARToken performs extensive client-side validation before delivering its malicious payload.

Before the payload is released, the kit runs seven client-side checks:

  • Detection of headless browsers
  • Selenium, Puppeteer and Playwright identification
  • Browser fingerprint validation
  • Human mouse movement analysis
  • Touch interaction monitoring
  • Timing verification
  • Window dimension analysis

Only when all of them pass is the phishing page decoded at runtime. The payload is shipped XOR-obfuscated; XOR with a static key is obfuscation rather than real encryption, and an analyst who has the script can undo it, but it is enough to keep the lure out of static scanners and out of sandboxes that never get past the checks.

This layered approach reflects the increasing professionalization of phishing operations and the growing effort attackers invest in evading modern security controls.
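
Added example (not the kit's code): the analyst-side counterpart to that XOR layer, in Python. The payload is constructed here by XOR-ing a small HTML fragment with a made-up 8-byte key; recover_key then shows why the scheme is obfuscation rather than encryption, recovering the key from nothing but the ciphertext and the predictable '<!DOCTYPE html>' prefix that nearly every HTML payload begins with.

```python
"""Known-plaintext recovery of a repeating-key XOR "encrypted" phishing payload.

Added example for this article, not the kit's code.  The payload is constructed
here by XOR-ing a small HTML fragment with a made-up 8-byte key; an analyst who
has only the ciphertext can still recover the key because the plaintext starts
with a predictable string.
"""

KNOWN_PREFIX = b"<!DOCTYPE html>"          # crib: how nearly every HTML payload begins


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key.  The same operation encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(ciphertext: bytes, crib: bytes = KNOWN_PREFIX, max_key_len: int = 64):
    """Return the repeating key, or None if the crib is too short to pin it down.

    ciphertext XOR crib gives the keystream over the crib's span.  The key is the
    shortest prefix of that keystream which, repeated, reproduces all of it.  The
    crib must be at least one byte longer than the key, otherwise the period is
    ambiguous and we refuse to guess (a key that is itself periodic would be
    reported in its shortest form, which decodes identically).
    """
    stream = xor_bytes(ciphertext[:len(crib)], crib)
    for klen in range(1, min(max_key_len, len(stream) - 1) + 1):
        candidate = stream[:klen]
        if all(stream[i] == candidate[i % klen] for i in range(len(stream))):
            return candidate
    return None


def decode_payload(ciphertext: bytes, crib: bytes = KNOWN_PREFIX):
    """Full analyst workflow: recover the key, decode, and sanity-check the result."""
    key = recover_key(ciphertext, crib)
    if key is None:
        return None
    plaintext = xor_bytes(ciphertext, key)
    return plaintext if plaintext.startswith(crib) else None


# --- constructed sample, standing in for the blob a kit would ship ------------
SAMPLE_KEY = b"4rT0k3n!"                   # made-up key, not taken from any kit
SAMPLE_PLAINTEXT = (b"<!DOCTYPE html><html><body>"
                    b"<p>Enter code <b>ABCDEFGHJ</b> to view the invoice.</p>"
                    b"</body></html>")
SAMPLE_CIPHERTEXT = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)


if __name__ == "__main__":
    print("recovered key:", recover_key(SAMPLE_CIPHERTEXT))
    print(decode_payload(SAMPLE_CIPHERTEXT).decode())
```

When the decoder is embedded in the page the key is usually sitting in the same script, so the crib attack is only needed when the key is fetched at runtime or derived from the fingerprint checks; either way, the layer buys the operator evasion of static scanning, not confidentiality.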

A Carefully Crafted Attack Chain

The campaign analyzed by researchers demonstrates that these attacks are highly targeted rather than mass-distributed spam.

Recovered phishing emails impersonated legitimate vendors involved in existing business relationships.

Victims received what appeared to be ordinary invoice follow-up emails requesting payment confirmation.

Several characteristics made the campaign particularly convincing:

  • Authentic vendor branding
  • Real SharePoint URLs as visible hyperlinks
  • Look-alike Microsoft 365 tenant names
  • Reply-To address substitution
  • Minor content mutations to evade detection

Because victims ultimately land on Microsoft's genuine sign-in page, the checks users are taught to rely on, such as inspecting the URL in the address bar or looking for a certificate warning, no longer help: the page is real, and the only thing wrong is who requested the code the victim is typing into it.

Persistence Is the Real Objective

One of the platform's defining capabilities is its support for acquiring a Primary Refresh Token (PRT), the long-lived, device-bound token that Entra ID issues to registered or joined devices and uses for single sign-on.

Traditional phishing campaigns often lose access once users reset passwords.

PRTs fundamentally change that equation.

Researchers observed automated workflows allowing operators to:

  • Upgrade captured authentication tokens into persistent sessions
  • Maintain long-term cloud access
  • Continue accessing Microsoft 365 resources after password changes
  • Export and share persistent tokens across criminal operators

This persistence dramatically increases the operational value of each successful compromise.

Business Email Compromise Gets an Upgrade

Business Email Compromise remains one of the most financially damaging cyber threats worldwide.

ARToken significantly expands traditional BEC capabilities by integrating:

  • Full Outlook mailbox access
  • Bulk email campaigns sent directly from compromised accounts
  • Attachment retrieval
  • Automated forwarding rules
  • Evidence suppression through inbox rule manipulation
  • Keyword monitoring across compromised organizations
  • SharePoint document management

Researchers also found functionality enabling operators to collaborate, exchange compromised accounts, and even import tokens obtained through other attack campaigns.

The result is a mature criminal ecosystem rather than isolated phishing operations.
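
Added example (not part of the research): a Python audit of inbox rules for the forwarding, deletion and hiding patterns described above. The rule records use Get-InboxRule property names (ForwardTo, RedirectTo, ForwardAsAttachmentTo, DeleteMessage, MoveToFolder, MarkAsRead, SubjectOrBodyContainsWords), but the mailboxes, rules and addresses are constructed, and ORG_DOMAINS is an assumption standing in for the tenant's accepted domains.

```python
"""Audit of Exchange Online inbox rules for the patterns BEC operators leave behind.

Added example for this article, not code from the research.  The rule records
are shaped like the output of Get-InboxRule (property names are real; values are
constructed).  ORG_DOMAINS is an assumption standing in for the tenant's
accepted domains.
"""
import re

ORG_DOMAINS = {"example.com"}                          # assumption: tenant domains
HIDING_FOLDERS = {"RSS Feeds", "RSS Subscriptions", "Conversation History",
                  "Archive", "Junk Email", "Deleted Items", "Notes"}
BEC_KEYWORDS = {"invoice", "payment", "wire", "remittance", "bank", "ach",
                "password", "mfa", "phishing", "suspicious", "hacked"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
FLAG_THRESHOLD = 3


def external_recipients(values):
    """Pull addresses out of Get-InboxRule strings like 'Name [SMTP:user@domain]'
    and keep the ones outside the organization."""
    found = []
    for v in values or []:
        for addr in EMAIL_RE.findall(v):
            if addr.split("@", 1)[1].lower() not in ORG_DOMAINS:
                found.append(addr.lower())
    return found


def assess_rule(rule):
    """Score one rule.  Returns (score, reasons); higher means more BEC-like."""
    score, reasons = 0, []
    ext = external_recipients(rule.get("ForwardTo", []) + rule.get("RedirectTo", [])
                              + rule.get("ForwardAsAttachmentTo", []))
    if ext:
        score += 3
        reasons.append("forwards/redirects externally to " + ", ".join(ext))
    if rule.get("DeleteMessage"):
        score += 2
        reasons.append("deletes matching messages")
    if rule.get("MoveToFolder") in HIDING_FOLDERS:
        score += 2
        reasons.append(f"hides mail in '{rule['MoveToFolder']}'")
    if rule.get("MarkAsRead"):
        score += 1
        reasons.append("marks mail as read")
    words = {w.lower() for w in rule.get("SubjectContainsWords", [])
             + rule.get("BodyContainsWords", []) + rule.get("SubjectOrBodyContainsWords", [])}
    hits = sorted(words & BEC_KEYWORDS)
    if hits:
        score += 2
        reasons.append(f"triggers on BEC keywords {hits}")
    name = rule.get("Name", "")
    if len(name.strip()) <= 2 or not any(c.isalnum() for c in name):
        score += 1
        reasons.append(f"throwaway name {name!r}")
    return score, reasons


def audit_rules(rules):
    """Return flagged rules (enabled and at or above threshold), highest score first."""
    flagged = []
    for r in rules:
        score, reasons = assess_rule(r)
        if r.get("Enabled", True) and score >= FLAG_THRESHOLD:
            flagged.append({"mailbox": r["MailboxOwnerId"], "name": r["Name"],
                            "score": score, "reasons": reasons})
    return sorted(flagged, key=lambda f: -f["score"])


# --- constructed sample rules -------------------------------------------------
SAMPLE_RULES = [
    {"MailboxOwnerId": "alice@example.com", "Name": "Newsletters", "Enabled": True,
     "SubjectContainsWords": ["newsletter"], "MoveToFolder": "Newsletters"},
    {"MailboxOwnerId": "alice@example.com", "Name": ".", "Enabled": True,
     "SubjectOrBodyContainsWords": ["invoice", "payment", "wire"],
     "MoveToFolder": "RSS Subscriptions", "MarkAsRead": True},
    {"MailboxOwnerId": "bob@example.com", "Name": "Sync", "Enabled": True,
     "ForwardTo": ["Accounts Payable [SMTP:ap.billing@example.net]"]},
    {"MailboxOwnerId": "carol@example.com", "Name": "Cleanup", "Enabled": False,
     "SubjectContainsWords": ["password"], "DeleteMessage": True},
]

if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f"{f['mailbox']:<20} {f['name']!r:<8} score={f['score']}  "
              + "; ".join(f["reasons"]))
```

In practice the input comes from Get-InboxRule -Mailbox run across all mailboxes on a schedule, or from New-InboxRule and Set-InboxRule operations in the unified audit log so that rules are caught at creation time; the weights and threshold are a starting point to tune against the organization's own legitimate rules, and disabled rules with a high score still deserve a look since the operator may have parked them.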

Cloud Infrastructure as an Attack Platform

Another notable finding involves infrastructure automation.

Operators can directly interact with Cloudflare Workers, allowing rapid deployment of phishing templates without requiring extensive infrastructure management.

The platform also supports:

  • Worker deployment
  • API authentication
  • Origin management
  • Device code proxy configuration
  • Template customization
  • Geographic lure personalization

These features significantly reduce operational complexity for affiliates while increasing campaign scalability.

Why This Matters Globally

The discovery reflects a broader evolution in cloud-focused cybercrime.

As organizations continue migrating email, collaboration platforms, and sensitive business workflows into Microsoft 365, attackers are adapting accordingly.

Rather than stealing passwords, modern threat actors increasingly pursue:

  • Authentication tokens
  • Cloud sessions
  • Identity persistence
  • Business communications
  • Collaborative documents

Organizations across finance, healthcare, manufacturing, logistics, education, government, and professional services all rely heavily on Microsoft 365, making virtually every sector a potential target.

Although the campaign analyzed primarily targeted U.S. organizations, the techniques are globally applicable and require little localization to operate elsewhere.

Why Security Teams Should Pay Attention

Identity has become the new security perimeter.

Attacks targeting authentication tokens bypass many traditional endpoint protections because no malware may ever execute on the victim’s device.

Instead, attackers exploit legitimate authentication workflows.

This trend reinforces an industry-wide shift toward identity-centric security strategies where monitoring token abuse becomes just as important as protecting passwords.

Security teams should also recognize that cloud identity attacks increasingly combine phishing, social engineering, legitimate cloud services, automation, and AI-assisted operations into unified attack chains.

10 Recommended Actions for Security Teams

Organizations should strengthen defenses against device code phishing and token-based attacks by adopting the following measures:

  1. Restrict Device Code Authentication
    Block the Device Authorization Grant with a Conditional Access policy (the Authentication flows condition can target device code flow specifically) for all users, then carve out and monitor only the accounts and devices that genuinely need it.
  2. Implement Conditional Access Policies
    Limit authentication based on device compliance, user risk, geographic location, and application sensitivity.
  3. Monitor OAuth Token Activity
    Entra ID sign-in logs record the protocol used (authenticationProtocol is deviceCode for this grant), so device code sign-ins can be alerted on directly; also watch for abnormal token issuance, refresh events, and long-lived sessions from unfamiliar IPs.
  4. Review Enterprise Applications Regularly
    Audit consented applications and OAuth permissions to identify unauthorized access.
  5. Strengthen Identity Monitoring
    Detect impossible travel, anomalous logins, unfamiliar devices, and unusual cloud behavior.
  6. Educate Employees About Device Code Phishing
    Include this emerging technique in regular security awareness programs alongside conventional phishing scenarios.
  7. Deploy Advanced Email Security
    Improve detection of vendor impersonation, reply-to manipulation, and look-alike Microsoft 365 links.
  8. Audit Mailbox Rules Frequently
    Automatically detect unauthorized forwarding, deletion, and hidden inbox rules commonly used in BEC.
  9. Harden Microsoft 365 Logging
    Enable comprehensive audit logging and integrate identity telemetry into the organization’s SIEM platform.
  10. Develop Token Revocation Playbooks
    A password reset alone does not pull back tokens already in an attacker's hands. Playbooks should revoke refresh tokens and sessions (Microsoft Graph revokeSignInSessions), disable or remove any device the attacker registered in the tenant, since a PRT is bound to that device object, review OAuth grants and inbox rules, and preserve identity logs for forensics.
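
Added example tying recommendations 3 and 5 together (not code from the research): Python triage of Entra ID sign-in log entries. Field names follow the Microsoft Graph signIn resource, where authenticationProtocol is deviceCode for this grant; the events are constructed, the per-user country baseline is built from the same small batch rather than from real history, and the check on the Microsoft Authentication Broker app is a heuristic of this example for spotting the device registration that precedes PRT acquisition.

```python
"""Triage of Entra ID sign-in log entries for device code sign-ins.

Added example for this article, not code from the research.  Field names follow
the Microsoft Graph signIn resource (authenticationProtocol takes the value
"deviceCode" for this grant); the events themselves are constructed.  The user
baseline is built from the same batch; in production it would come from
30-90 days of history.
"""
from collections import defaultdict


def baseline_countries(events):
    """Countries each user has signed in from successfully via any other protocol."""
    base = defaultdict(set)
    for e in events:
        if e["status"]["errorCode"] == 0 and e["authenticationProtocol"] != "deviceCode":
            base[e["userPrincipalName"]].add(e["location"]["countryOrRegion"])
    return base


def triage_device_code_signins(events):
    """Every successful device code sign-in is reported; context raises severity."""
    base = baseline_countries(events)
    findings = []
    for e in events:
        if e["authenticationProtocol"] != "deviceCode" or e["status"]["errorCode"] != 0:
            continue
        upn = e["userPrincipalName"]
        country = e["location"]["countryOrRegion"]
        reasons = ["successful device code sign-in"]
        severity = "medium"
        if country not in base.get(upn, set()):
            reasons.append(f"country {country} outside user baseline {sorted(base.get(upn, set()))}")
            severity = "high"
        if not e.get("deviceDetail", {}).get("isCompliant", False):
            reasons.append("device not compliant or not registered")
        if e.get("appDisplayName") == "Microsoft Authentication Broker":
            # Heuristic of this example: the broker client is what a device uses to
            # register and obtain a PRT; users rarely hit it via device code.
            reasons.append("token for broker app: possible device registration / PRT")
            severity = "high"
        findings.append({"upn": upn, "time": e["createdDateTime"], "ip": e["ipAddress"],
                         "app": e["appDisplayName"], "severity": severity, "reasons": reasons})
    return findings


def _event(upn, when, ip, country, app, protocol, error=0, compliant=False):
    """Build a minimal signIn-shaped record (constructed data)."""
    return {"userPrincipalName": upn, "createdDateTime": when, "ipAddress": ip,
            "location": {"countryOrRegion": country}, "appDisplayName": app,
            "authenticationProtocol": protocol, "status": {"errorCode": error},
            "deviceDetail": {"isCompliant": compliant}}


# --- constructed sample batch (RFC 5737 documentation IP ranges) ---------------
SAMPLE_SIGNINS = [
    _event("alice@example.com", "2025-03-03T08:02:11Z", "203.0.113.10", "US", "Microsoft Office", "oAuth2", compliant=True),
    _event("alice@example.com", "2025-03-03T13:40:27Z", "203.0.113.10", "US", "OfficeHome", "oAuth2", compliant=True),
    _event("alice@example.com", "2025-03-03T14:05:52Z", "198.51.100.77", "NL", "Microsoft Office", "deviceCode"),
    _event("bob@example.com",   "2025-03-03T09:15:00Z", "203.0.113.20", "US", "Microsoft Teams", "oAuth2", compliant=True),
    _event("bob@example.com",   "2025-03-03T09:30:00Z", "203.0.113.20", "US", "Microsoft Teams", "deviceCode", compliant=True),
    _event("carol@example.com", "2025-03-03T10:00:00Z", "198.51.100.90", "BR", "Microsoft Authentication Broker", "deviceCode", error=50126),
    _event("dave@example.com",  "2025-03-03T10:30:00Z", "198.51.100.91", "BR", "Microsoft Authentication Broker", "deviceCode"),
]

if __name__ == "__main__":
    for f in triage_device_code_signins(SAMPLE_SIGNINS):
        print(f["severity"].upper(), f["upn"], f["time"], f["ip"], "|", "; ".join(f["reasons"]))
```

The same logic maps directly onto a SIEM rule: select successful sign-ins where the protocol is device code, join against the user's recent sign-in countries, and escalate on a new country, an unregistered device or a broker-app target. Bob's conference-room style sign-in stays medium so that the rule remains tolerable in tenants that cannot block the flow outright.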

Looking Ahead

ARToken demonstrates that phishing platforms are rapidly evolving into comprehensive cloud attack ecosystems capable of supporting every stage of identity compromise from initial access to long-term persistence and financial fraud.

As attackers continue to professionalize their operations, defenders must shift their focus beyond passwords toward protecting identities, authentication tokens, and cloud trust relationships.

For organizations operating in increasingly cloud-centric environments, understanding these emerging tactics will be essential to defending against the next generation of phishing campaigns.

Ouaissou DEMBELE
Ouaissou DEMBELE is a seasoned cybersecurity expert with over 12 years of experience, specializing in purple teaming, governance, risk management, and compliance (GRC). He currently serves as Co-founder & Group CEO of Sainttly Group, a UAE-based conglomerate comprising Saintynet Cybersecurity, Cybercory.com, and CISO Paradise. At Saintynet, where he also acts as General Manager, Ouaissou leads the company’s cybersecurity vision—developing long-term strategies, ensuring regulatory compliance, and guiding clients in identifying and mitigating evolving threats. As CEO, his mission is to empower organizations with resilient, future-ready cybersecurity frameworks while driving innovation, trust, and strategic value across Sainttly Group’s divisions. Before founding Saintynet, Ouaissou held various consulting roles across the MEA region, collaborating with global organizations on security architecture, operations, and compliance programs. He is also an experienced speaker and trainer, frequently sharing his insights at industry conferences and professional events. Ouaissou holds and teaches multiple certifications, including CCNP Security, CEH, CISSP, CISM, CCSP, Security+, ITILv4, PMP, and ISO 27001, in addition to a Master’s Diploma in Network Security (2013). Through his deep expertise and leadership, Ouaissou plays a pivotal role at Cybercory.com as Editor-in-Chief, and remains a trusted advisor to organizations seeking to elevate their cybersecurity posture and resilience in an increasingly complex threat landscape.
