VYPR
advisory · Published Jul 1, 2026 · 3 sources

ARToken Phishing Panel Targets Microsoft 365 Accounts with Sophisticated Invoice Scams

A new phishing operation dubbed ARToken pairs invoice-themed lures with Microsoft's OAuth 2.0 device authorization flow to capture Microsoft 365 sign-in tokens from victims who have already satisfied multi-factor authentication, so the operators never face an MFA prompt themselves.

Accounts-payable departments within U.S. companies are increasingly falling victim to a targeted phishing campaign that uses seemingly legitimate invoice emails, impersonating familiar vendors to trick recipients into engaging with malicious links. These emails, designed to blend into daily business communications, aim to compromise sensitive financial information and potentially gain deeper access to corporate systems.

The attack chain begins with emails that spoof a vendor's genuine domain in the 'From' header while the 'Reply-To' header points at an attacker-controlled address, so that any reply leaves the impersonated company without the recipient noticing. These messages often fail SPF, DKIM, and DMARC checks, which is exactly the signal a receiving mail system can act on, but they compensate with convincing lures such as references to outstanding invoices. The links within these emails lead to look-alike Microsoft 365 tenants on attacker-controlled workspaces, dressed up as SharePoint sites so that the page borrows the reputation of Microsoft's own services. Subtle touches like short random text and inline signature images help these messages evade exact-match content filters.
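The two header traits described above (a Reply-To domain that diverges from the From domain, and failing SPF/DKIM/DMARC results) can be checked mechanically at the mail gateway or in a SOAR playbook. The following triage script is an added example written for this page, not code from Cisco Talos or from the ARToken kit; it uses only the Python standard library, and the sample message, its vendor domain and its Authentication-Results values are all constructed.

```python
"""Triage a raw e-mail for the lure traits discussed above: a From: domain
that the Reply-To: silently redirects away from, and failing SPF/DKIM/DMARC
results recorded by the receiving MTA. Standard library only."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample message (not a real campaign artifact): the vendor
# domain, recipient and Authentication-Results values are invented.
SAMPLE_MESSAGE = b"""\
From: "Acme Supplies AP" <billing@acme-supplies.example>
Reply-To: billing@acme-supplies-invoices.example
To: ap@victim-corp.example
Subject: Outstanding invoice #48213
Authentication-Results: mx.victim-corp.example;
 spf=fail (sender IP is 203.0.113.10) smtp.mailfrom=acme-supplies.example;
 dkim=none header.d=acme-supplies.example;
 dmarc=fail action=none header.from=acme-supplies.example
Content-Type: text/plain; charset=utf-8

Please review the attached invoice at the SharePoint link below.
"""


def _domain(addr_header):
    """Return the lower-cased domain of an address header, or None if absent."""
    _, addr = parseaddr(addr_header or "")
    return addr.rpartition("@")[2].lower() or None


def parse_auth_results(value):
    """Pull method=result pairs (spf=fail, dkim=none, ...) out of an
    Authentication-Results header, ignoring the authserv-id and the
    property=value annotations such as smtp.mailfrom or header.d."""
    results = {}
    for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value or "", re.I):
        results[method.lower()] = result.lower()
    return results


def triage(raw):
    """Return a list of findings for one RFC 5322 message given as bytes.
    The first finding, when present, is the From/Reply-To mismatch; the
    rest are the authentication methods that did not come back 'pass'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    from_dom = _domain(msg["From"])
    reply_dom = _domain(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} differs from from domain {from_dom}")
    auth = parse_auth_results(msg["Authentication-Results"])
    for method in ("spf", "dkim", "dmarc"):
        if auth.get(method, "none") != "pass":
            findings.append(f"{method}={auth.get(method, 'missing')}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_MESSAGE):
        print(finding)
```

A missing Authentication-Results header is reported as `missing` rather than ignored, because a gateway that never evaluated SPF, DKIM or DMARC gives the analyst no basis for trusting the From domain either.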

The core of the ARToken operation is abuse of Microsoft's OAuth 2.0 Device Authorization Grant, a legitimate sign-in flow designed for devices without keyboards. The operator's backend requests a device code and the matching short user code, the lure steers the victim to Microsoft's genuine device-login page to enter that code and sign in, and once the victim has authenticated there, including any MFA step, the access and refresh tokens are issued to the operator's polling client. MFA is therefore not defeated so much as satisfied by the victim on the attacker's behalf, which is why the captured tokens work without further challenge. Security researchers have noted that this method, previously documented as EvilTokens, achieves higher success rates than earlier device code attacks and is enhanced by AI-generated lures tailored to specific targets.
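To make the token hand-off concrete, here is a simulation of the three messages of the device authorization grant (RFC 8628) as a kit like ARToken drives them. It is an added example for this page, not Talos's or the kit's code: the `ToyAuthorizationServer` is a local stand-in for Microsoft's `/oauth2/v2.0/devicecode` and `/oauth2/v2.0/token` endpoints, and every code, token, URI and client ID is generated or invented here.

```python
"""Simulation of the OAuth 2.0 Device Authorization Grant (RFC 8628) from
the phishing kit's point of view. The authorization server below is a toy
stand-in for Microsoft's /devicecode and /token endpoints; nothing here
talks to the network, and all codes and tokens are generated locally."""
import secrets
import time

AUTHORIZATION_PENDING = {"error": "authorization_pending"}
EXPIRED_TOKEN = {"error": "expired_token"}


class ToyAuthorizationServer:
    """Stand-in for the identity provider. The 'clock' is injectable so the
    code-expiry path can be exercised without waiting."""

    def __init__(self, code_lifetime=900, clock=time.time):
        self.clock = clock
        self.code_lifetime = code_lifetime
        self.pending = {}  # device_code -> grant state

    def device_authorization(self, client_id, scope):
        """Step 1: the kit's backend asks for a device code. The returned
        user_code is what the lure pushes the victim to type in."""
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice("BCDFGHJKLMNPQRSTVWXZ") for _ in range(9))
        self.pending[device_code] = {
            "user_code": user_code, "client_id": client_id, "scope": scope,
            "issued": self.clock(), "approved_by": None,
        }
        return {
            "device_code": device_code,
            "user_code": user_code,
            "verification_uri": "https://idp.example/devicelogin",  # toy URI
            "expires_in": self.code_lifetime,
            "interval": 5,
        }

    def user_approves(self, user_code, username, mfa_ok):
        """Step 2: the victim signs in on the *legitimate* page and enters
        the code. MFA happens here, performed by the victim on the real IdP;
        the kit is never challenged."""
        if not mfa_ok:
            return False
        for entry in self.pending.values():
            if entry["user_code"] == user_code and entry["approved_by"] is None:
                entry["approved_by"] = username
                return True
        return False

    def token(self, client_id, device_code):
        """Step 3: the kit polls the token endpoint with
        grant_type=urn:ietf:params:oauth:grant-type:device_code until the
        grant is approved, expired or rejected."""
        entry = self.pending.get(device_code)
        if entry is None or entry["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if self.clock() - entry["issued"] > self.code_lifetime:
            del self.pending[device_code]
            return EXPIRED_TOKEN
        if entry["approved_by"] is None:
            return AUTHORIZATION_PENDING
        del self.pending[device_code]
        # Tokens are minted for the client that requested the code, carrying
        # the MFA claim the victim just earned.
        return {
            "token_type": "Bearer",
            "scope": entry["scope"],
            "access_token": "at." + secrets.token_urlsafe(16),
            "refresh_token": "rt." + secrets.token_urlsafe(16),
            "for_user": entry["approved_by"],
            "mfa_satisfied": True,
        }


def simulate_lure(server, victim, client_id="kit-client",
                  scope="openid offline_access Mail.ReadWrite"):
    """Drive the exchange end to end and return (poll before approval,
    poll after approval). 'kit-client' and the scope string are invented."""
    grant = server.device_authorization(client_id, scope)
    first = server.token(client_id, grant["device_code"])  # victim has not acted yet
    server.user_approves(grant["user_code"], victim, mfa_ok=True)
    final = server.token(client_id, grant["device_code"])
    return first, final


if __name__ == "__main__":
    before, after = simulate_lure(ToyAuthorizationServer(), "ap@victim-corp.example")
    print(before)
    print(after)
```

The point to take from the simulation is the asymmetry in step 2 versus step 3: the victim's browser session, password and MFA interaction all happen with the genuine identity provider, while the refresh token lands with whichever client holds the device code. Device codes are short-lived, so a kit must get the victim to the login page quickly, which is why the lure sends them there only after the human-interaction checks described further down have passed.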

Researchers from Cisco Talos traced the infrastructure behind this campaign to a management panel explicitly titled "ARToken Panel." The panel is built as a React web application, and because the client-side bundle that ships its route definitions is served before any login succeeds, simply visiting the login page exposed its internal routes and functionality. The interface gives operators a dashboard backed by over eighty endpoints covering device-code phishing, token persistence, mailbox access, business email compromise, and SharePoint data theft.

The connection between ARToken and the previously identified EvilTokens platform is established through overlapping technical indicators. Both platforms exhibit identical sign-in request and token response patterns, utilize a shared "broker" mode for extracting Primary Refresh Tokens via Microsoft's Authentication Broker, and deploy lures on Cloudflare Workers with similar subdomain patterns and themes like Adobe, OneDrive, and document viewers. ARToken's implementation of the Primary Refresh Token lifecycle is considered a significant advancement over earlier phishing kits.

The phishing pages themselves employ a seven-layer anti-analysis system designed to evade automated scanners and detection tools. Early checks screen out headless browsers and crawlers based on browser traits; later checks wait, after a short delay, for signs of a human such as mouse movement or screen touches. Only once the visitor passes does the page read the target's email address from the link, obtain a fresh device code from the operator's server, and redirect the victim to Microsoft's legitimate device-login page to enter it.

Upon successful token capture, the ARToken dashboard offers operators a range of post-exploitation actions: refreshing and escalating tokens into Primary Refresh Tokens that the researchers say survive password resets, reading and sending email as the victim, creating inbox rules that conceal the operator's activity from the mailbox owner, and browsing the victim's SharePoint and OneDrive for data to exfiltrate or to seed further phishing campaigns. The panel also integrates with Cloudflare to provision new phishing pages on demand and includes features such as cross-mailbox keyword monitoring and geo-aware templates.
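Inbox rules are the most visible trace this kind of post-exploitation leaves, because rule creation is recorded in the Microsoft 365 Unified Audit Log as Exchange `New-InboxRule` / `Set-InboxRule` operations whose `Parameters` list the rule's conditions and actions. The scorer below is an added example for this page, not Talos's detection content: it runs over constructed audit records that follow the UAL record shape (invented users, IPs and addresses) and flags rules whose name, hiding action, finance keywords, or external forwarding match the concealment behaviour described above. The folder names, keywords and threshold are assumptions to tune locally.

```python
"""Score Microsoft 365 Unified Audit Log inbox-rule records for the kind of
rule a mailbox intruder creates to hide replies and run invoice fraud.
The records below are constructed to match the UAL JSON shape; the users,
IPs and addresses are invented."""
import json
import re

SAMPLE_UAL = r"""
{"CreationTime":"2026-06-30T14:02:11","Operation":"New-InboxRule","Workload":"Exchange","UserId":"ap@victim-corp.example","ClientIP":"198.51.100.7","Parameters":[{"Name":"Name","Value":"."},{"Name":"SubjectContainsWords","Value":"invoice;wire;payment"},{"Name":"DeleteMessage","Value":"True"},{"Name":"MarkAsRead","Value":"True"}]}
{"CreationTime":"2026-06-30T14:05:40","Operation":"New-InboxRule","Workload":"Exchange","UserId":"ap@victim-corp.example","ClientIP":"198.51.100.7","Parameters":[{"Name":"Name","Value":"Backup"},{"Name":"ForwardTo","Value":"ap.backup@mail.example.net"},{"Name":"StopProcessingRules","Value":"True"}]}
{"CreationTime":"2026-06-30T09:10:00","Operation":"New-InboxRule","Workload":"Exchange","UserId":"jdoe@victim-corp.example","ClientIP":"10.20.30.40","Parameters":[{"Name":"Name","Value":"Vendor newsletters"},{"Name":"FromAddressContainsWords","Value":"news@supplier.example"},{"Name":"MoveToFolder","Value":"\\Newsletters"}]}
"""

# Assumed tuning values: folders users rarely look at, and the vocabulary of
# accounts-payable fraud. Adjust per tenant.
HIDE_FOLDERS = {"rss subscriptions", "rss feeds", "archive", "conversation history",
                "junk email", "deleted items"}
FINANCE_WORDS = {"invoice", "payment", "wire", "ach", "remittance", "bank"}
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}


def load_records(text):
    """Parse JSON-lines audit export into dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _params(record):
    """Flatten the UAL Parameters array into a name -> value dict."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def score_rule(record, internal_domain):
    """Return (score, reasons) for one rule-creation record. Each concealment
    trait scores 1; forwarding to an external address scores 2 on its own."""
    p = _params(record)
    reasons = []
    name = p.get("Name", "").strip()
    if len(name) <= 2 and not name.isalnum():  # "", ".", "," and similar
        reasons.append(f"rule name {name!r} is blank or punctuation")
    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("DeleteMessage=True")
    folder = p.get("MoveToFolder", "").rsplit("\\", 1)[-1].strip().lower()
    if folder in HIDE_FOLDERS:
        reasons.append(f"moves mail to {folder}")
    words = set()
    for key in ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords"):
        words.update(w.strip().lower() for w in p.get(key, "").split(";") if w.strip())
    hits = words & FINANCE_WORDS
    if hits:
        reasons.append("matches finance keywords " + ",".join(sorted(hits)))
    score = len(reasons)
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        for addr in re.findall(r"[\w.+-]+@[\w.-]+", p.get(key, "")):
            if not addr.lower().endswith("@" + internal_domain):
                reasons.append(f"{key} external address {addr}")
                score += 2
    return score, reasons


def find_suspicious_rules(records, internal_domain, threshold=2):
    """Return flagged rules, highest score first."""
    flagged = []
    for r in records:
        if r.get("Workload") != "Exchange" or r.get("Operation") not in RULE_OPS:
            continue
        score, reasons = score_rule(r, internal_domain)
        if score >= threshold:
            flagged.append({"user": r["UserId"], "ip": r.get("ClientIP"),
                            "time": r.get("CreationTime"), "score": score,
                            "reasons": reasons})
    return sorted(flagged, key=lambda h: -h["score"])


if __name__ == "__main__":
    for hit in find_suspicious_rules(load_records(SAMPLE_UAL), "victim-corp.example"):
        print(hit)
```

In practice the rule record is best joined with the sign-in that preceded it: a `New-InboxRule` from a client IP with no prior history for that user, minutes after a device-code sign-in, is a far stronger signal than either event alone.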

The ARToken panel has since gone dark and is no longer reachable, most likely because its operators moved infrastructure, but the underlying techniques remain a live threat. Abuse of legitimate Microsoft 365 workflows and the OAuth 2.0 device authorization grant, combined with targeted social engineering and layered evasion, is now a standard pattern in credential theft and business email compromise operations.

This new analysis from Cisco Talos provides a deeper technical dive into the ARToken platform, detailing its extensive API endpoints and a sophisticated seven-layer anti-analysis system that surpasses previous evasion techniques associated with EvilTokens. The report also showcases a concrete example of an ARToken phishing lure in the wild, demonstrating how it abuses vendor impersonation and SharePoint links to target finance professionals with invoice fraud.

This new report from Cisco Talos details ARToken, a sophisticated Business Email Compromise-as-a-Service platform that shares infrastructure with the EvilTokens operation. ARToken distinguishes itself with advanced features such as inbox rule manipulation and shared access links, indicating a more mature BEC operations environment than previously observed. The platform also employs a robust seven-layer anti-analysis system to evade detection, and its phishing lures are highly targeted, mimicking legitimate invoice inquiries to exploit accounts-payable processes.

Synthesized by Vypr AI