Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory

ARToken

Also known asARToken

ARToken is a phishing-as-a-service (PhaaS) platform closely linked to the EvilTokens ecosystem and focused on Microsoft 365 account compromise. Cisco Talos reported that ARToken shares infrastructure, API contracts, and operational patterns with EvilTokens, including abuse of Microsoft's OAuth 2.0 Device Authorization Grant for device code phishing and workflows for Primary Refresh Token (PRT) persistence. Talos assessed ARToken as a mature multi-tenant business email compromise (BEC) operations environment rather than a simple phishing kit. Based on the content, ARToken provides affiliates and operators with a comprehensive post-compromise toolkit including device code phishing, token management, PRT setup/refresh/renew/reacquire, email access through a web dashboard, BEC operations, SharePoint and OneDrive access, and data exfiltration. The exposed React-based panel reportedly contained more than 80 API endpoints and supported capabilities such as token export/import, token backup, token sharing via permissioned links, inbox rule manipulation, cross-account keyword monitoring, attachment access, and full SharePoint operations. The platform also includes ARTSender, a built-in BEC tool for Outlook inbox access, victim-sent email with batching and delays, inbox rule creation, and keyword monitoring, as well as a standalone Windows application called ARTBrowser for browsing victim Microsoft 365 sessions using captured tokens. The content states that ARToken deploys phishing lures through Cloudflare Workers and uses Microsoft-themed lure infrastructure, including SharePoint look-alike pages hosted on legitimate sharepoint.com domains. Reported targeting included invoice-themed phishing against accounts-payable personnel, with broader EvilTokens-linked targeting noted against finance, HR, and logistics personnel globally. ARToken also includes lure template editors, Telegram notifications, subscription-based access, and Cloudflare API integration for Workers deployment and device code proxy configuration. ARToken uses multi-layer anti-analysis and encrypted payload delivery to evade detection. Talos documented a seven-layer client-side anti-analysis system including User-Agent filtering, navigator.webdriver checks, browser feature fingerprinting, window dimension analysis, interaction telemetry, timing gates, and mouse movement pattern analysis. The phishing payload was described as using runtime decryption with a 16-byte XOR key. Known alias in the provided content: artoken. ARToken is described as closely linked to the EvilTokens ecosystem, but the content does not state that it is itself a nation-state actor.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

MITRE ATT&CK

Tradecraft

12 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

10 of 15 tactics22 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0042
Resource Development
1 technique
T1583
Acquire Infrastructure
T1583.006
Web Services
TA0001
Initial Access
1 technique
T1566
Phishing
T1566.002×2
Spearphishing Link
TA0003
Persistence
1 technique
T1098
Account Manipulation
T1098.001
Additional Cloud Credentials
T1098.002
Additional Email Delegate Permissions
TA0004
Privilege Escalation
1 technique
T1098
Account Manipulation
T1098.001
Additional Cloud Credentials
T1098.002
Additional Email Delegate Permissions
TA0005
Stealth
3 techniques
T1027
Obfuscated Files or Information
T1036
Masquerading
T1497
Virtualization/Sandbox Evasion
T1497.001
System Checks
TA0006
Credential Access
1 technique
T1528
Steal Application Access Token
TA0007
Discovery
1 technique
T1497
Virtualization/Sandbox Evasion
T1497.001
System Checks
TA0008
Lateral Movement
1 technique
T1550
Use Alternate Authentication Material
T1550.001
Application Access Token
TA0009
Collection
1 technique
T1114
Email Collection
T1114.002
Remote Email Collection
TA0040
Impact
1 technique
T1531
Account Access Removal
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping12

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.