Skip to content

EvilTokens’ Microsoft 365 Phishing Toolkit Exposed Through ARToken PhaaS

A new phishing-as-a-service (PhaaS) platform dubbed “ARToken” appears to operate as an affiliate of the EvilTokens phishing platform, giving researchers a glimpse into an extensive toolkit designed to compromise Microsoft 365. The platform, discovered by Cisco Talos researchers while investigating phishing infrastructure used in an incident response engagement, exposes more than 80 API endpoints through its React-based management panel called “ARToken Panel”.

Reverse engineering the client-side JavaScript code revealed previously undocumented capabilities that extend well beyond what you would normally find in a phishing platform. The platform allows attackers to steal Microsoft 365 authentication tokens, establish persistent access using Primary Refresh Tokens (PRTs), and access Outlook mailboxes, SharePoint sites, and OneDrive files. It also includes tools to deploy phishing infrastructure through Cloudflare Workers and automate many aspects of business email compromise (BEC) operations.

According to Talos’ report, multiple technical similarities strongly suggest ARToken is tied to the EvilTokens phishing platform discovered earlier this year. The researchers found the ARToken phishing kit uses the same API calls for Microsoft’s device code authentication flow, including an identical `POST /api/device/start` request previously associated with EvilTokens attacks.

The platform also uses a similar Cloudflare Workers deployment model and operates as a multi-tenant phishing service, in which affiliates manage their own campaigns through dedicated workspaces. EvilTokens focuses heavily on exploiting Microsoft’s OAuth 2.0 Device Authorization Grant authentication workflow to breach accounts, a technique known as device code phishing.

Victims are tricked into entering a legitimate Microsoft-issued device code on Microsoft’s official device login page, causing Microsoft to issue authentication tokens directly to the attacker instead of the victim. Because the victim authenticates through Microsoft’s legitimate infrastructure, the attacks can successfully bypass multi-factor authentication protections.

The ARToken platform also revealed several features not identified in previous EvilTokens research. Threat actors can monitor multiple hijacked mailboxes simultaneously for specific keywords, load tokens stolen from other sources, and share access to compromised accounts. They can also quietly set up inbox rules that hide or delete messages to cover their tracks, and use phishing pages that automatically update their content based on the victim’s location.

Talos analyzed phishing emails associated with the platform, finding that attackers impersonated legitimate vendors in invoice-themed lures targeting accounts payable employees. Rather than linking to an obviously attacker-controlled site, the emails display what appears to be a legitimate SharePoint address while actually directing victims to a look-alike tenant hosted within the attacker’s Microsoft 365 workspace.

The discovery of ARToken and its ties to EvilTokens highlights the ongoing threat posed by phishing-as-a-service platforms. As these platforms continue to evolve and improve, it is essential for organizations to remain vigilant in their defenses against these types of attacks.

Source: Original article

Leave a Reply

Your email address will not be published. Required fields are marked *