Covered by 1 source · 1 report · High impact

ARToken phishing platform exposes Microsoft 365 vulnerabilities

Aggregated by BrevFeed security · updated 6h ago

The ARToken PhaaS platform has been linked to the infamous EvilTokens, offering advanced phishing tools targeting Microsoft 365. Its capabilities allow attackers to steal authentication tokens and bypass multi-factor authentication, posing significant risks for enterprise security.

Key points

Introduction to ARToken

Cisco Talos researchers have discovered a new phishing-as-a-service (PhaaS) platform named ARToken, which appears to operate as an affiliate of the EvilTokens phishing platform. This discovery sheds light on an extensive phishing toolkit that can compromise Microsoft 365 environments.

Capabilities and Tools

The ARToken platform features a React-based management panel known as the 'ARToken Panel' that reveals over 80 API endpoints. Attackers using this toolkit can steal Microsoft 365 authentication tokens and establish lasting access using Primary Refresh Tokens (PRTs).

Technical Links to EvilTokens

Multiple technical similarities between ARToken and EvilTokens suggest a direct connection between the two platforms. Researchers noted that ARToken's phishing kit uses API calls for Microsoft's authorization flow that are identical to those associated with previous EvilTokens attacks.

Device Code Phishing Method

ARToken uses device code phishing, which abuses Microsoft's OAuth 2.0 Device Authorization Grant workflow. Victims enter a legitimate Microsoft device code and, in doing so, unknowingly provide their authentication tokens to attackers, effectively bypassing multi-factor authentication defenses.
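A defender-side check for the device code sign-ins described above, added here as an example that is not part of the original reporting or the Talos research: it scans sign-in records for the device code flow used by accounts that are not expected to use it. The field names follow the Microsoft Entra sign-in log export and are an assumption about your log schema; the allowlist and the sample records are constructed.

```python
import json

# Constructed sample sign-in records (JSON lines). Field names mirror the
# Microsoft Entra sign-in log export and are an assumption about your schema.
SAMPLE_LOG = """\
{"createdDateTime":"2025-01-10T09:02:11Z","userPrincipalName":"alice@example.com","appDisplayName":"Office client","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.45","status":{"errorCode":0}}
{"createdDateTime":"2025-01-10T09:05:40Z","userPrincipalName":"room-display@example.com","appDisplayName":"Room display app","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.7","status":{"errorCode":0}}
{"createdDateTime":"2025-01-10T09:07:02Z","userPrincipalName":"bob@example.com","appDisplayName":"Office client","authenticationProtocol":"none","ipAddress":"198.51.100.20","status":{"errorCode":0}}
{"createdDateTime":"2025-01-10T09:09:30Z","userPrincipalName":"carol@example.com","appDisplayName":"Office client","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.45","status":{"errorCode":1}}
not-json
"""

# Hypothetical allowlist: accounts that legitimately sign in on input-constrained devices.
DEVICE_CODE_ALLOWED_USERS = {"room-display@example.com"}

def parse_events(text):
    """Yield one dict per well-formed JSON line, skipping damaged lines."""
    for line in text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict):
            yield event

def find_device_code_signins(events, allowed_users=DEVICE_CODE_ALLOWED_USERS):
    """Return device code sign-ins by users who are not expected to use that flow."""
    findings = []
    for e in events:
        if e.get("authenticationProtocol") != "deviceCode":
            continue
        user = str(e.get("userPrincipalName", "")).lower()
        if user in allowed_users:
            continue
        # errorCode 0 is a successful sign-in; any other value did not complete.
        code = (e.get("status") or {}).get("errorCode")
        findings.append({
            "time": e.get("createdDateTime"), "user": user,
            "app": e.get("appDisplayName"), "ip": e.get("ipAddress"),
            "severity": "high" if code == 0 else "medium",
        })
    return findings

def shared_source_ips(findings):
    """Map each IP tied to flagged sign-ins for more than one user to those users."""
    users_by_ip = {}
    for f in findings:
        users_by_ip.setdefault(f["ip"], set()).add(f["user"])
    return {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) > 1}
```

Run `find_device_code_signins(parse_events(SAMPLE_LOG))` to get the flagged records, then pass the result to `shared_source_ips` to group findings that should be reviewed together.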

Impact on Cybersecurity

The emergence of ARToken represents a critical threat to organizations using Microsoft 365, as it offers sophisticated phishing mechanisms that can breach accounts and expose sensitive data. The ability to bypass multi-factor authentication increases the urgency for organizations to strengthen their security protocols.

This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors; check the original sources.

Reporting from
