New ARToken Phishing Toolkit Exploits Microsoft 365, Bypasses MFA with Device Code Attacks

July 3, 2026
  • A new ARToken PhaaS toolset operates as an EvilTokens affiliate panel, offering a full phishing toolkit designed to compromise Microsoft 365 accounts via device code authentication flows.

  • The toolkit can steal Microsoft 365 authentication tokens, persist via Primary Refresh Tokens, and access Outlook mail, SharePoint sites, and OneDrive files, enabling full account compromise and data theft.

  • ARToken specializes in exploiting the Microsoft OAuth 2.0 Device Authorization Grant, a device code phishing method that can bypass MFA by targeting the device login flow directly.

  • Analysts note a related BleepingComputer webinar and resources on defending against business email compromise and account takeovers, highlighting behavioral AI as part of defense.

  • Cisco Talos researchers uncovered ARToken Panel as a React-based management interface with 80-plus API endpoints, revealing capabilities beyond typical phishing kits.

  • ARToken supports automated phishing infrastructure deployment using Cloudflare Workers and enables multi-tenant operation where affiliates run their own campaigns in dedicated workspaces.

  • Previous reporting described EvilTokens as a commercial kit with an AI-driven workflow that ingests harvested mailboxes to score exposure and draft BEC campaigns; ARToken expands on these capabilities.

  • ARToken can monitor hijacked mailboxes for keywords, load tokens from other sources, set deceptive inbox rules, and deliver phishing pages that adapt based on victim location.

  • Threat actors have demonstrated impersonation of legitimate vendors in invoice-themed phishing emails, directing victims to look-alike tenants hosted in attacker-controlled Microsoft 365 workspaces.

  • Technical parallels link ARToken to EvilTokens, including identical API calls for device code authentication and shared endpoints for token lifecycle management.

  • Microsoft has flagged a surge in device code phishing attacks in 2026, with EvilTokens cited for AI-driven fraud automation in targeting Microsoft 365 users.
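
For defenders, the device code flow described above is visible in Entra ID sign-in logs. The following is an added example, not code from the original report or from Cisco Talos: it flags successful device code sign-ins that are a user's first or come from a country outside that user's baseline. It assumes sign-in logs exported as JSON lines using Microsoft Graph signIn field names; the sample records, the function name and the baseline heuristic are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample records shaped like Microsoft Graph signIn objects
# (only the fields used here); users, IPs and timestamps are made up.
SAMPLE_LOG = """\
{"createdDateTime":"2026-07-01T08:02:11Z","userPrincipalName":"ana@example.com","authenticationProtocol":"none","ipAddress":"198.51.100.7","location":{"countryOrRegion":"DE"},"status":{"errorCode":0}}
{"createdDateTime":"2026-07-01T09:15:40Z","userPrincipalName":"bob@example.com","authenticationProtocol":"none","ipAddress":"198.51.100.9","location":{"countryOrRegion":"FR"},"status":{"errorCode":0}}
{"createdDateTime":"2026-07-01T10:30:05Z","userPrincipalName":"bob@example.com","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.9","location":{"countryOrRegion":"FR"},"status":{"errorCode":0}}
{"createdDateTime":"2026-07-02T07:45:00Z","userPrincipalName":"ana@example.com","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.50","location":{"countryOrRegion":"US"},"status":{"errorCode":70016}}
{"createdDateTime":"2026-07-02T07:46:30Z","userPrincipalName":"ana@example.com","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.50","location":{"countryOrRegion":"US"},"status":{"errorCode":0}}
{"createdDateTime":"2026-07-02T11:00:00Z","userPrincipalName":"bob@example.com","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.9","location":{"countryOrRegion":"FR"},"status":{"errorCode":0}}
"""

def flag_device_code_signins(lines):
    """Return findings for successful device code sign-ins worth reviewing."""
    # ISO 8601 UTC timestamps sort correctly as strings.
    events = sorted((json.loads(l) for l in lines if l.strip()),
                    key=lambda e: e["createdDateTime"])
    baseline = defaultdict(set)   # user -> countries seen on other successful sign-ins
    used_device_code = set()      # users who already completed the flow once
    findings = []
    for e in events:
        user = e["userPrincipalName"].lower()
        country = (e.get("location") or {}).get("countryOrRegion", "")
        succeeded = (e.get("status") or {}).get("errorCode") == 0
        if e.get("authenticationProtocol") != "deviceCode":
            if succeeded:
                baseline[user].add(country)
            continue
        if not succeeded:
            continue  # non-zero errorCode: no token was issued on this attempt
        reasons = []
        if user not in used_device_code:
            reasons.append("first device code sign-in for user")
        if country not in baseline[user]:
            reasons.append("country not in user's baseline")
        used_device_code.add(user)
        if reasons:
            findings.append({"user": user, "time": e["createdDateTime"],
                             "ip": e["ipAddress"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in flag_device_code_signins(SAMPLE_LOG.splitlines()):
        print(f["time"], f["user"], f["ip"], "; ".join(f["reasons"]))
```

Where no business process depends on the device code flow, blocking it with a Conditional Access policy removes the exposure rather than only detecting it.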

Summary based on 1 source

