ARToken
ARToken is a phishing-as-a-service (PhaaS) platform closely linked to the EvilTokens ecosystem and focused on Microsoft 365 account compromise. Cisco Talos reported that ARToken shares infrastructure, API contracts, and operational patterns with EvilTokens, including abuse of Microsoft's OAuth 2.0 Device Authorization Grant for device code phishing and workflows for Primary Refresh Token (PRT) persistence. Talos assessed ARToken as a mature multi-tenant business email compromise (BEC) operations environment rather than a simple phishing kit. Based on the content, ARToken provides affiliates and operators with a comprehensive post-compromise toolkit including device code phishing, token management, PRT setup/refresh/renew/reacquire, email access through a web dashboard, BEC operations, SharePoint and OneDrive access, and data exfiltration. The exposed React-based panel reportedly contained more than 80 API endpoints and supported capabilities such as token export/import, token backup, token sharing via permissioned links, inbox rule manipulation, cross-account keyword monitoring, attachment access, and full SharePoint operations. The platform also includes ARTSender, a built-in BEC tool for Outlook inbox access, victim-sent email with batching and delays, inbox rule creation, and keyword monitoring, as well as a standalone Windows application called ARTBrowser for browsing victim Microsoft 365 sessions using captured tokens. The content states that ARToken deploys phishing lures through Cloudflare Workers and uses Microsoft-themed lure infrastructure, including SharePoint look-alike pages hosted on legitimate sharepoint.com domains. Reported targeting included invoice-themed phishing against accounts-payable personnel, with broader EvilTokens-linked targeting noted against finance, HR, and logistics personnel globally. ARToken also includes lure template editors, Telegram notifications, subscription-based access, and Cloudflare API integration for Workers deployment and device code proxy configuration. ARToken uses multi-layer anti-analysis and encrypted payload delivery to evade detection. Talos documented a seven-layer client-side anti-analysis system including User-Agent filtering, navigator.webdriver checks, browser feature fingerprinting, window dimension analysis, interaction telemetry, timing gates, and mouse movement pattern analysis. The phishing payload was described as using runtime decryption with a 16-byte XOR key. Known alias in the provided content: artoken. ARToken is described as closely linked to the EvilTokens ecosystem, but the content does not state that it is itself a nation-state actor.
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Tradecraft
12 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
Recent activity
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Operates as a phishing-as-a-service platform used for Microsoft 365 account compromise, supporting device code phishing, Primary Refresh Token persistence, business email compromise, SharePoint data exfiltration, and web-based email access, while using anti-analysis and encrypted payload techniques.
Operates a phishing-as-a-service platform centered on Microsoft device code phishing, token theft, PRT-based persistence, BEC enablement, and SharePoint/OneDrive access through a multi-tenant operator panel.
The version that knows your environment.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.