Security researchers have uncovered ARToken, an advanced phishing-as-a-service (PhaaS) platform specifically designed to compromise Microsoft 365 environments through device code phishing while providing affiliates with an extensive post-compromise toolkit capable of conducting Business Email Compromise (BEC), persistent account hijacking, SharePoint data theft, and cloud infrastructure abuse.
Unlike traditional phishing kits, ARToken operates more like a commercial Software-as-a-Service platform complete with management dashboards, automation, collaboration features, infrastructure deployment, and lifecycle management for compromised accounts.
The discovery offers organizations a rare look inside the operational infrastructure that modern phishing groups are using today, illustrating just how mature cybercrime-as-a-service has become.
A Platform Built for Persistent Microsoft 365 Compromise
According to research published by Cisco Talos, ARToken shares significant technical similarities with the EvilTokens platform previously documented by security researchers earlier this year.
Rather than relying solely on stolen passwords, the platform abuses Microsoft’s legitimate OAuth 2.0 Device Authorization Grant, commonly referred to as device code authentication.
This authentication mechanism is designed for devices with limited input capabilities such as smart TVs or conference room equipment. Attackers manipulate this legitimate process by convincing victims to enter a provided device code on Microsoft’s genuine authentication portal.
Since victims authenticate directly with Microsoft, the process can successfully bypass traditional credential theft protections and, in many cases, even multi-factor authentication.
Instead of harvesting passwords, attackers obtain authentication tokens that provide immediate access to Microsoft 365 services.
Beyond Phishing: A Complete Business Email Compromise Ecosystem
Perhaps the most alarming aspect of ARToken is that phishing represents only the first stage of the attack.
Researchers found an affiliate dashboard exposing more than 80 different API endpoints supporting nearly every phase of a cloud account takeover.
Capabilities include:
- Microsoft 365 token management
- Primary Refresh Token (PRT) persistence
- Automated Business Email Compromise operations
- Outlook mailbox monitoring
- SharePoint and OneDrive data access
- Email forwarding rule creation
- Token sharing among affiliates
- Bulk token import/export
- Infrastructure deployment
- Victim session browsing through a dedicated desktop application
Taken together, the platform functions less like a phishing kit and more like a cloud attack operating system.
Advanced Anti-Analysis Techniques Raise the Bar
Researchers also identified a sophisticated seven-layer anti-analysis framework built into the phishing kit.
Rather than relying solely on server-side detection, ARToken performs extensive client-side validation before delivering its malicious payload.
Among its defensive capabilities are:
- Detection of headless browsers
- Selenium, Puppeteer and Playwright identification
- Browser fingerprint validation
- Human mouse movement analysis
- Touch interaction monitoring
- Timing verification
- Window dimension analysis
- Runtime payload decryption
The phishing payload itself is encrypted using XOR encryption and only decrypted after these checks are successfully completed, making automated analysis significantly more difficult.
This layered approach reflects the increasing professionalization of phishing operations and the growing effort attackers invest in evading modern security controls.
A Carefully Crafted Attack Chain
The campaign analyzed by researchers demonstrates that these attacks are highly targeted rather than mass-distributed spam.
Recovered phishing emails impersonated legitimate vendors involved in existing business relationships.
Victims received what appeared to be ordinary invoice follow-up emails requesting payment confirmation.
Several characteristics made the campaign particularly convincing:
- Authentic vendor branding
- Real SharePoint URLs as visible hyperlinks
- Look-alike Microsoft 365 tenant names
- Reply-To address substitution
- Minor content mutations to evade detection
Because victims were ultimately redirected to legitimate Microsoft authentication pages, many conventional indicators users rely upon – such as checking website legitimacy – became far less effective.
Persistence Is the Real Objective
One of the platform’s defining capabilities is its support for Primary Refresh Token (PRT) acquisition.
Traditional phishing campaigns often lose access once users reset passwords.
PRTs fundamentally change that equation.
Researchers observed automated workflows allowing operators to:
- Upgrade captured authentication tokens into persistent sessions
- Maintain long-term cloud access
- Continue accessing Microsoft 365 resources after password changes
- Export and share persistent tokens across criminal operators
This persistence dramatically increases the operational value of each successful compromise.
Business Email Compromise Gets an Upgrade
Business Email Compromise remains one of the most financially damaging cyber threats worldwide.
ARToken significantly expands traditional BEC capabilities by integrating:
- Full Outlook mailbox access
- Bulk email campaigns sent directly from compromised accounts
- Attachment retrieval
- Automated forwarding rules
- Evidence suppression through inbox rule manipulation
- Keyword monitoring across compromised organizations
- SharePoint document management
Researchers also found functionality enabling operators to collaborate, exchange compromised accounts, and even import tokens obtained through other attack campaigns.
The result is a mature criminal ecosystem rather than isolated phishing operations.
Cloud Infrastructure as an Attack Platform
Another notable finding involves infrastructure automation.
Operators can directly interact with Cloudflare Workers, allowing rapid deployment of phishing templates without requiring extensive infrastructure management.
The platform also supports:
- Worker deployment
- API authentication
- Origin management
- Device code proxy configuration
- Template customization
- Geographic lure personalization
These features significantly reduce operational complexity for affiliates while increasing campaign scalability.
Why This Matters Globally
The discovery reflects a broader evolution in cloud-focused cybercrime.
As organizations continue migrating email, collaboration platforms, and sensitive business workflows into Microsoft 365, attackers are adapting accordingly.
Rather than stealing passwords, modern threat actors increasingly pursue:
- Authentication tokens
- Cloud sessions
- Identity persistence
- Business communications
- Collaborative documents
Organizations across finance, healthcare, manufacturing, logistics, education, government, and professional services all rely heavily on Microsoft 365, making virtually every sector a potential target.
Although the campaign analyzed primarily targeted U.S. organizations, the techniques are globally applicable and require little localization to operate elsewhere.
Why Security Teams Should Pay Attention
Identity has become the new security perimeter.
Attacks targeting authentication tokens bypass many traditional endpoint protections because no malware may ever execute on the victim’s device.
Instead, attackers exploit legitimate authentication workflows.
This trend reinforces an industry-wide shift toward identity-centric security strategies where monitoring token abuse becomes just as important as protecting passwords.
Security teams should also recognize that cloud identity attacks increasingly combine phishing, social engineering, legitimate cloud services, automation, and AI-assisted operations into unified attack chains.
10 Recommended Actions for Security Teams
Organizations should strengthen defenses against device code phishing and token-based attacks by adopting the following measures:
- Restrict Device Code Authentication
Disable or tightly control OAuth Device Authorization Grant where business requirements permit. - Implement Conditional Access Policies
Limit authentication based on device compliance, user risk, geographic location, and application sensitivity. - Monitor OAuth Token Activity
Continuously inspect abnormal token issuance, refresh events, and long-lived authentication sessions. - Review Enterprise Applications Regularly
Audit consented applications and OAuth permissions to identify unauthorized access. - Strengthen Identity Monitoring
Detect impossible travel, anomalous logins, unfamiliar devices, and unusual cloud behavior. - Educate Employees About Device Code Phishing
Include this emerging technique in regular security awareness programs alongside conventional phishing scenarios. - Deploy Advanced Email Security
Improve detection of vendor impersonation, reply-to manipulation, and look-alike Microsoft 365 links. - Audit Mailbox Rules Frequently
Automatically detect unauthorized forwarding, deletion, and hidden inbox rules commonly used in BEC. - Harden Microsoft 365 Logging
Enable comprehensive audit logging and integrate identity telemetry into the organization’s SIEM platform. - Develop Token Revocation Playbooks
Incident response plans should include rapid token revocation, session invalidation, OAuth investigation, and cloud identity forensics—not just password resets.
Looking Ahead
ARToken demonstrates that phishing platforms are rapidly evolving into comprehensive cloud attack ecosystems capable of supporting every stage of identity compromise from initial access to long-term persistence and financial fraud.
As attackers continue to professionalize their operations, defenders must shift their focus beyond passwords toward protecting identities, authentication tokens, and cloud trust relationships.
For organizations operating in increasingly cloud-centric environments, understanding these emerging tactics will be essential to defending against the next generation of phishing campaigns.




