Discovery and Technical Analysis
Cisco Talos researchers have uncovered a new phishing-as-a-service (PhaaS) platform called ARToken, which appears to operate as an affiliate of the EvilTokens phishing platform. While investigating phishing infrastructure during an incident response engagement, the researchers identified a React-based management panel named “ARToken Panel” that exposed more than 80 API endpoints. Reverse engineering the client-side JavaScript code revealed capabilities that extend well beyond those of typical phishing platforms. The platform enables attackers to steal Microsoft 365 authentication tokens, establish persistent access through Primary Refresh Tokens (PRTs), and access Outlook mailboxes, SharePoint sites, and OneDrive files. It also includes tools for deploying phishing infrastructure via Cloudflare Workers and automating business email compromise (BEC) operations.
Link to EvilTokens and Attack Methods
Multiple technical similarities suggest a strong connection between ARToken and the EvilTokens platform documented earlier this year. The ARToken phishing kit uses the same API calls for Microsoft’s device code authentication flow, including an identical POST request previously associated with EvilTokens attacks. The platform also uses a similar Cloudflare Workers deployment model and operates as a multi-tenant service in which affiliates manage campaigns through dedicated workspaces. EvilTokens focuses on exploiting Microsoft’s OAuth 2.0 Device Authorization Grant authentication workflow, a technique known as device code phishing. Victims are tricked into entering a legitimate Microsoft-issued device code on the official device login page, causing Microsoft to issue authentication tokens directly to the attacker and bypassing multi-factor authentication (MFA) protections.
Capabilities and Growing Threat
ARToken provides operators with extensive post-compromise tools. Once a victim completes device code authentication, attackers can refresh stolen tokens, elevate access to persistent PRTs, access Outlook mailboxes, send emails as compromised users, create inbox rules to hide or forward messages, monitor multiple mailboxes for keywords simultaneously, and download email attachments. Attackers can also manage files stored in SharePoint sites and OneDrive accounts, enabling data theft and malware delivery. Additional features not seen in previous EvilTokens research include loading tokens stolen from other sources, sharing access to compromised accounts, and using phishing pages that automatically update their content based on the victim’s location. Device code phishing attacks have surged 37-fold over the past year, with at least 11 phishing kits now offering this technique to cybercriminals.
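The device code sign-in described above and the inbox rule abuse listed among the post-compromise tools leave two separate log trails that a defender can join. The following is an added detection sketch, not code from Talos or BleepingComputer; it assumes sign-in records shaped like Entra ID sign-in logs (the authenticationProtocol field reports deviceCode for this flow) and mailbox audit records shaped like Exchange Online audit events, and all sample values are constructed.

```python
"""Flag device code sign-ins and correlate them with a later inbox rule
change by the same user, the pattern a device code phishing kit with
BEC tooling produces. Added example; field names are assumptions."""
import json
from datetime import datetime, timedelta

# Constructed sample sign-in records (Entra ID sign-in log shape, assumed).
SIGNIN_LOG = """
{"createdDateTime": "2024-05-01T09:00:00Z", "userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.5"}
{"createdDateTime": "2024-05-01T09:12:00Z", "userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7"}
{"createdDateTime": "2024-05-01T10:30:00Z", "userPrincipalName": "carol@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.9"}
"""
# Constructed sample mailbox audit records (Exchange audit shape, assumed).
AUDIT_LOG = """
{"CreationTime": "2024-05-01T09:40:00Z", "UserId": "bob@example.com", "Operation": "New-InboxRule"}
{"CreationTime": "2024-05-02T08:00:00Z", "UserId": "carol@example.com", "Operation": "New-InboxRule"}
"""
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}

def parse_lines(text):
    """One JSON object per line, blank lines ignored."""
    return [json.loads(l) for l in text.strip().splitlines() if l.strip()]

def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def device_code_signins(signins):
    """Every sign-in that completed through the device authorization grant."""
    return [r for r in signins if r.get("authenticationProtocol") == "deviceCode"]

def correlate(signins, audits, window=timedelta(hours=2)):
    """Return (user, ip, operation) for each device code sign-in that is
    followed within `window` by an inbox rule change for the same user."""
    hits = []
    for s in device_code_signins(signins):
        t0 = ts(s["createdDateTime"])
        for a in audits:
            same_user = a["UserId"].lower() == s["userPrincipalName"].lower()
            if same_user and a["Operation"] in RULE_OPS:
                delta = ts(a["CreationTime"]) - t0
                if timedelta(0) <= delta <= window:
                    hits.append((s["userPrincipalName"], s["ipAddress"], a["Operation"]))
    return hits

if __name__ == "__main__":
    for user, ip, op in correlate(parse_lines(SIGNIN_LOG), parse_lines(AUDIT_LOG)):
        print(f"ALERT: device code sign-in for {user} from {ip} followed by {op}")
```

Every device code sign-in is worth reviewing on its own in tenants that do not use this flow; the correlation narrows the list to sessions that already show the mailbox-rule step.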
Source: BleepingComputer
