VYPR
research · Published Jul 2, 2026 · 2 sources

ARToken Phishing-as-a-Service Evolves with Advanced BEC Capabilities

Cisco Talos researchers have identified ARToken, a sophisticated phishing-as-a-service platform that shares infrastructure and operational patterns with the EvilTokens platform, offering advanced capabilities for business email compromise operations.

Cisco Talos is actively researching ARToken, a newly identified phishing-as-a-service (PhaaS) operator panel that exhibits significant overlap with the previously documented EvilTokens platform. This connection, observed through shared infrastructure, API contracts, and operational patterns, suggests a potential evolution, rebranding, or consolidation of existing phishing operations.

The ARToken panel is a feature-rich environment designed to facilitate a wide range of malicious activities, including device code phishing, Primary Refresh Token (PRT) persistence, email access, and business email compromise (BEC) operations. Its capabilities extend to SharePoint exfiltration, indicating a comprehensive toolkit for attackers aiming to compromise organizational data and accounts.

This platform exposes over 80 API endpoints, all accessible through a modern React-based dashboard. This user-friendly interface allows operators to manage and execute various phishing and account takeover campaigns with relative ease. The breadth of its functionalities points to a mature and well-developed service, moving beyond simple phishing kits to a full-fledged BEC operations environment.

The implications of ARToken are significant for defenders. The platform's advanced features, such as PRT persistence, enable attackers to maintain access to compromised accounts even after initial credentials have been changed. This makes detection and remediation more challenging, as the threat actor can remain embedded within the network for extended periods.

Furthermore, the integration of BEC capabilities within ARToken highlights the increasing sophistication of financially motivated cybercrime. Attackers are leveraging these platforms to conduct highly targeted and effective campaigns that can result in substantial financial losses for organizations.

Defenders are urged to be aware of the capabilities offered by ARToken and to proactively hunt for related malicious activity. Cisco Talos has provided Indicators of Compromise (IOCs) that can be used to block known malicious infrastructure and to pivot for internal threat hunting exercises. Understanding these tools and tactics is crucial for staying ahead of evolving threats.

The evolution of PhaaS platforms like ARToken underscores the dynamic nature of the cyber threat landscape. As attackers continuously develop and refine their tools, security professionals must remain vigilant and adapt their defenses accordingly. The convergence of phishing, account takeover, and BEC capabilities in a single platform presents a formidable challenge.

Organizations should ensure their security controls are robust, including multi-factor authentication (MFA), email filtering, and endpoint detection and response (EDR) solutions. Regular security awareness training for employees remains a critical layer of defense against phishing and BEC attacks.

This new report details how the ARToken phishing panel specifically leverages Microsoft 365's OAuth device code flow to steal session tokens without requiring passwords or MFA, offering a dashboard with over eighty functions including token refreshing and file access from SharePoint and OneDrive. The article further elaborates on the seven-layer screening process employed by the phishing kit to evade security scanners and the use of a primary refresh token for persistence, even after a password reset.
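Because the panel abuses the OAuth device code flow and then parks itself on a primary refresh token, the sign-in telemetry is the place to look for it. The following is an added illustration, not code from Cisco Talos or the report: it grades device-code sign-ins in constructed Entra ID sign-in records, escalating when the redeeming IP is outside the user's baseline or when the token is obtained through the authentication broker (the PRT acquisition path). The field names follow the Microsoft Graph signIn resource, and the broker application ID is an assumption to be checked against your tenant.

```python
import json
from collections import defaultdict

# Constructed sample of Entra ID sign-in records (not real telemetry). Field
# names follow the Microsoft Graph signIn resource; the broker app ID is assumed.
AUTH_BROKER_APP_ID = "29d9ed98-a469-4536-ade2-f981bc1d605e"  # assumed: Microsoft Authentication Broker
ORDINARY_APP_ID = "00000000-0000-0000-0000-0000000000aa"      # placeholder for an ordinary app

SAMPLE_SIGNINS_JSON = """[
 {"userPrincipalName":"alice@example.com","ipAddress":"203.0.113.10","authenticationProtocol":"authorizationCode","appId":"00000000-0000-0000-0000-0000000000aa"},
 {"userPrincipalName":"alice@example.com","ipAddress":"198.51.100.7","authenticationProtocol":"deviceCode","appId":"00000000-0000-0000-0000-0000000000aa"},
 {"userPrincipalName":"bob@example.com","ipAddress":"203.0.113.20","authenticationProtocol":"authorizationCode","appId":"00000000-0000-0000-0000-0000000000aa"},
 {"userPrincipalName":"bob@example.com","ipAddress":"203.0.113.20","authenticationProtocol":"deviceCode","appId":"29d9ed98-a469-4536-ade2-f981bc1d605e"},
 {"userPrincipalName":"carol@example.com","ipAddress":"192.0.2.5","authenticationProtocol":"authorizationCode","appId":"00000000-0000-0000-0000-0000000000aa"},
 {"userPrincipalName":"carol@example.com","ipAddress":"192.0.2.5","authenticationProtocol":"deviceCode","appId":"00000000-0000-0000-0000-0000000000aa"}
]"""

def load_sample():
    """Parse the constructed sample records (assumed to be in chronological order)."""
    return json.loads(SAMPLE_SIGNINS_JSON)

def find_device_code_signins(events):
    """Flag every device-code sign-in and grade it.

    Baseline per user = IPs seen on that user's non-device-code sign-ins so far.
    high   : code redeemed from an IP outside the baseline (a phished code is
             typically redeemed on the attacker's host, not the victim's), or
             redeemed against the authentication broker (the route to a PRT).
    medium : device code from a known IP to an ordinary app (review; may be CLI use).
    """
    baseline_ips = defaultdict(set)
    findings = []
    for ev in events:
        user, ip = ev["userPrincipalName"], ev["ipAddress"]
        if ev.get("authenticationProtocol") != "deviceCode":
            baseline_ips[user].add(ip)
            continue
        reasons = []
        if ip not in baseline_ips[user]:
            reasons.append("ip_not_in_user_baseline")
        if ev.get("appId") == AUTH_BROKER_APP_ID:
            reasons.append("broker_app_prt_path")
        findings.append({"user": user, "ip": ip,
                         "severity": "high" if reasons else "medium",
                         "reasons": reasons or ["device_code_known_ip"]})
    return findings

if __name__ == "__main__":
    for finding in find_device_code_signins(load_sample()):
        print(finding)
```

On real data, feed the records in timestamp order and seed the baseline from a longer history than the hunt window, otherwise a user's first legitimate sign-in in the window is mis-scored.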

Synthesized by Vypr AI