| At a glance | Details |
|---|---|
| Actor or group | ARToken operators; assessed as an EvilTokens affiliate panel |
| Activity type | Phishing-as-a-service (PhaaS) with device code phishing and token theft |
| Targets | Microsoft 365 users in finance, HR, and logistics roles |
| Scale | ~500 Cloudflare Workers domains and 1,000+ phishing pages (per Sekoia) |
| Status | Active in the wild; no arrests announced |
| Source | Cisco Talos, with Sekoia and Microsoft |
TL;DR
Cisco Talos uncovered a phishing operator panel called ARToken that shares code and infrastructure with the EvilTokens service. The ARToken phishing platform steals Microsoft 365 tokens through device code phishing, which sidesteps multi-factor authentication. Its dashboard exposes more than 80 endpoints for email theft, fraud, and file exfiltration.
What Happened
Talos found the panel while investigating an incident response case. The React dashboard served its entire code bundle to the public web. As a result, analysts read the full operator toolkit without any login. According to the Talos analysis, the panel exposes over 80 API endpoints.
The attack starts with a targeted lure, not mass spam. Talos recovered two near-identical invoice emails sent four minutes apart. As the researchers put it, the tradecraft is “targeted, not spray-and-pray.” The messages spoofed a real contractor and abused an existing vendor relationship.
How the Lure Works
The email points to a fake SharePoint tenant that mimics the vendor’s name. Because the link still lives on a genuine sharepoint.com host, it inherits a clean reputation. Meanwhile, the sender fails SPF, DKIM, and DMARC checks. A reply-pivot then routes any victim response to an attacker domain.

Who Is Behind It
Talos has not named any individual, and no arrests have been announced. Instead, the team links ARToken to EvilTokens through several technical overlaps. Both share an identical device code API contract, matching Cloudflare Workers naming, and the same Primary Refresh Token persistence chain. Both also run as multi-tenant platforms with Telegram alerts and subscription access.
Sekoia first documented EvilTokens in March 2026. Microsoft then confirmed the campaign’s scale in April 2026. Given the shared indicators, Talos assesses ARToken as an affiliate panel rather than a separate operation. Attribution therefore rests on strong technical evidence, not a named suspect.
Impact and Scale
By capturing tokens, operators skip passwords and MFA entirely. They can then escalate to a Primary Refresh Token that survives a password reset. One panel label reportedly advertises, “PRT-enabled – Persists across password changes.”
The toolkit runs full business email compromise operations. Operators read inboxes, send mail as the victim, and create hidden forwarding rules to bury evidence. They also browse and steal SharePoint and OneDrive files. Talos reports the service allegedly sells for a $1,500 setup fee plus $500 per month. These prices remain vendor claims, not confirmed figures.
Notably, the ARToken phishing platform adds features that earlier EvilTokens reporting did not cover. These include cross-account keyword monitoring, token importing, and geo-aware lure templates. Together, they turn a simple phishing kit into a full fraud console.
What Comes Next
Device code phishing keeps rising because it defeats standard MFA. Defenders should treat this as an identity problem, not just an email one.
How to Stay Protected
Restrict the Microsoft device code flow through Conditional Access where your business allows it. Additionally, alert on new device registrations and unusual token activity. Train finance and HR staff to verify invoice changes through a known channel. Watch for inbox rules that forward or auto-delete mail, since they signal a compromise. Finally, flag look-alike SharePoint tenants that fold a vendor’s name into the label.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.