New ARToken Phishing Toolkit Exploits Microsoft 365, Bypasses MFA with Device Code Attacks
July 3, 2026
A new ARToken PhaaS toolset operates as an EvilTokens affiliate panel, offering a full phishing toolkit designed to compromise Microsoft 365 accounts via device code authentication flows.
The toolkit can steal Microsoft 365 authentication tokens, persist via Primary Refresh Tokens, and access Outlook mail, SharePoint sites, and OneDrive files, enabling full account compromise and data theft.
ARToken specializes in exploiting the Microsoft OAuth 2.0 Device Authorization Grant, a device code phishing method that can bypass MFA by targeting the device login flow directly.
Analysts note a related BleepingComputer webinar and resources on defending against business email compromise and account takeovers, highlighting behavioral AI as part of defense.
Cisco Talos researchers uncovered ARToken Panel as a React-based management interface with 80-plus API endpoints, revealing capabilities beyond typical phishing kits.
ARToken supports automated phishing infrastructure deployment using Cloudflare Workers and enables multi-tenant operation where affiliates run their own campaigns in dedicated workspaces.
Previous reporting described EvilTokens as a commercial kit with AI-driven workflow that ingests harvested mailboxes to score exposure and draft BEC campaigns; ARToken expands on these capabilities.
ARToken can monitor hijacked mailboxes for keywords, load tokens from other sources, set deceptive inbox rules, and deliver phishing pages that adapt based on victim location.
Threat actors have demonstrated impersonation of legitimate vendors in invoice-themed phishing emails, directing victims to look-alike tenants hosted in attacker-controlled Microsoft 365 workspaces.
Technical parallels link ARToken to EvilTokens, including identical API calls for device code authentication and shared endpoints for token lifecycle management.
Microsoft has flagged a surge in device code phishing attacks in 2026, with EvilTokens cited for AI-driven fraud automation in targeting Microsoft 365 users.
Summary based on 1 source
Get a daily email with more Tech stories
Source

BleepingComputer • Jul 2, 2026
ARToken PhaaS exposes EvilTokens' Microsoft 365 phishing toolkit