The ARToken phishing panel targets Microsoft 365 accounts
Accounts-payable staff at U.S. companies keep receiving invoice emails that look like they come from vendors they already work with. One landed at a life-sciences company in April 2026, addressed to the person who handles payments and written in the voice of a Wisconsin contractor’s billing contact. It asked about invoices that appeared to still be outstanding, the sort of note an accounts-payable team handles every day. Behind it sits a phishing operation Cisco Talos has tied to EvilTokens, a subscription service that spread across hundreds of Cloudflare Workers domains earlier this year.

The email that starts the chain
Talos recovered two near-identical messages sent minutes apart on April 20, 2026, both spoofing an accounts-payable contact at a real Wisconsin contractor and reaching a payments recipient at a U.S. life-sciences company. Borrowing an existing vendor relationship gives the note a reason to sit in the inbox.
The From line shows the vendor’s genuine domain, and Reply-To quietly points somewhere else, routing any response away from the impersonated company. SPF, DKIM, and DMARC all fail on the message. The link in the body reads as the vendor’s own SharePoint tenant, and its real destination is a look-alike tenant hosted in an attacker-controlled Microsoft 365 workspace. That destination sits on a genuine sharepoint.com host, so it borrows the reputation of Microsoft’s own service. Each message also carries short random text and an inline signature image, small touches consistent with the light per-message mutation that helps such mail slip past exact-match content rules.
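The header and link signals described above can be checked mechanically before a message reaches an accounts-payable inbox. The following triage script is an added example, not Talos tooling; the message it parses is constructed, and the vendor, recipient, tenant, and address names in it are placeholders rather than anything from the case. It flags failed SPF/DKIM/DMARC results in the receiving server's Authentication-Results header, a Reply-To domain that differs from the visible From domain, anchors whose visible text names one host while the href goes to another, and, as a heuristic, a sharepoint.com tenant whose name does not match the sender's domain.

```python
"""Triage vendor-styled invoice mail for header and link mismatches.

Added example, not code from Talos or the article. Both messages are
constructed; every domain, address and tenant name is a placeholder.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed lure: spoofed From, off-domain Reply-To, failed auth, disguised link.
SAMPLE_EML = """From: Accounts Payable <ap@vendor-contractor.example>
Reply-To: billing.followup@outlook-mail.example
To: payments@lifesci.example
Subject: Outstanding invoices
Authentication-Results: mx.lifesci.example; spf=fail smtp.mailfrom=vendor-contractor.example; dkim=fail; dmarc=fail header.from=vendor-contractor.example
Content-Type: text/html

<html><body>
<p>Hello, could you check the invoices that still show as open?</p>
<p><a href="https://notvendor.sharepoint.com/:f:/s/invoices/x">https://vendor-contractor.sharepoint.com/sites/invoices</a></p>
</body></html>
"""

# Constructed benign message from the same vendor for comparison.
CLEAN_EML = """From: Accounts Payable <ap@vendor-contractor.example>
To: payments@lifesci.example
Subject: Invoice folder
Authentication-Results: mx.lifesci.example; spf=pass; dkim=pass; dmarc=pass header.from=vendor-contractor.example
Content-Type: text/html

<html><body><p><a href="https://vendor-contractor.sharepoint.com/sites/invoices">Invoice folder</a></p></body></html>
"""

URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]|$)", re.I)


def _domain(header_value):
    """Lowercase domain of an address header, or '' when the header is absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def _host(url):
    """Hostname of a URL or bare hostname string."""
    parsed = urlparse(url if "://" in url else "https://" + url)
    return (parsed.hostname or "").lower()


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(raw_message):
    """Return a list of (finding_code, detail) tuples for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    findings = []

    # 1. Authentication outcome as recorded by the receiving MTA.
    auth = msg.get("Authentication-Results", "")
    failed = [m for m in ("spf", "dkim", "dmarc") if re.search(rf"\b{m}=fail\b", auth)]
    if failed:
        findings.append(("auth_fail", ",".join(failed)))

    # 2. Replies routed away from the visible sender's domain.
    from_dom, reply_dom = _domain(msg.get("From")), _domain(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        findings.append(("replyto_mismatch", f"{from_dom} -> {reply_dom}"))

    # 3. Links whose shown host differs from the real destination host.
    collector = _AnchorCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
    vendor_label = from_dom.split(".")[0]
    for href, text in collector.links:
        real = _host(href)
        if URL_LIKE.match(text) and _host(text) != real:
            findings.append(("link_host_mismatch", f"{_host(text)} -> {real}"))
        # Heuristic: sharepoint.com tenant name should resemble the sender's domain label.
        if real.endswith(".sharepoint.com"):
            tenant = real.split(".")[0]
            tenant = tenant[:-3] if tenant.endswith("-my") else tenant
            if tenant != vendor_label:
                findings.append(("sharepoint_tenant_mismatch", f"{vendor_label} vs {tenant}"))
    return findings


if __name__ == "__main__":
    for code, detail in analyze(SAMPLE_EML):
        print(f"{code}: {detail}")
```

The tenant check is deliberately loose: a vendor may legitimately share files from a tenant named differently from its mail domain, so treat that finding as a prompt to verify the relationship out of band rather than as a verdict on its own. The authentication and Reply-To checks are the ones that map most directly onto the message Talos recovered.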
EvilTokens and device code phishing
EvilTokens abuses Microsoft’s OAuth 2.0 Device Authorization Grant, the sign-in flow built for devices that lack a keyboard. The service captures a victim’s tokens during that exchange and bypasses multi-factor authentication. Sekoia documented the platform in March 2026, and Microsoft confirmed its scale the following month, pointing to higher success rates than earlier device code attacks and AI-generated lures tuned to each target.
Sekoia had by then catalogued around 500 Cloudflare Workers domains tied to the platform, with affiliates going after finance, HR, and logistics staff worldwide.
The platform sells access on a subscription priced at $1,500 up front with a monthly fee on top, and its second stage runs an AI-assisted business email compromise pipeline that turns each hijacked mailbox into tailored fraud scenarios.
The exposed panel
During an incident response engagement, Talos traced the infrastructure to a management panel titled “ARToken Panel,” served as a React web app. That kind of app ships its whole client to the browser, so the panel’s routes, labels, and internal paths came through on a simple page visit, with the login screen sitting on top of code that had already loaded.
The exposed interface lists more than eighty endpoints, covering device-code phishing, token persistence, mailbox access, business email compromise, and SharePoint theft, all reachable from a single dashboard.
Linking ARToken to EvilTokens
The tie to EvilTokens rests on overlapping technical fingerprints. Both platforms send the same sign-in request and receive the same token response, both use a shared “broker” mode that pulls a Primary Refresh Token through Microsoft’s Authentication Broker, and both deploy lures to Cloudflare Workers under matching subdomain patterns with the same Adobe, OneDrive, and document-viewer themes. ARToken also carries the Primary Refresh Token lifecycle Sekoia called the platform’s main advance over earlier phishing kits.
“We don’t have any indications of who operates it, but it does appear to be more of an affiliate’s customized build than anything else,” Michael Kelley, a security researcher at Cisco Talos, told Help Net Security.
The phishing kit
A phishing page recovered from one ARToken deployment runs a seven-layer system that hides it from automated scanners and keeps it live for real victims. The early checks screen out headless browsers, automation tools, and crawlers by reading the browser’s own traits. The later checks wait for signs of a person, holding the payload until either a run of mouse movement or a screen touch registers and a short delay after load has passed.
Once the page trusts its visitor, it reads the target’s email from the link, requests a device code from the operator’s server, and steers the victim to Microsoft’s own device-login page. The payload arrives scrambled and unpacks in the browser, which keeps URL scanners from reading it. One setting, with persistence after a password change switched off, shows the operator knows a password reset revokes stolen tokens and plans to escalate before the victim reacts.
What operators get
Inside the dashboard, a captured token opens a menu of follow-on actions. Operators can refresh and escalate it into a Primary Refresh Token that survives password resets, read and send mail as the victim, plant inbox rules that bury evidence, and browse the victim’s SharePoint and OneDrive to steal files or seed new phishing. A companion Windows tool opens the victim’s Microsoft 365 session outside the panel, and the panel itself wires into Cloudflare to spin up fresh phishing pages on demand.
Several features go past earlier EvilTokens reporting, among them cross-mailbox keyword monitoring, token importing and sharing between operators, and geo-aware templates that drop a victim’s city and country into the lure. Together they add up to a working business email compromise environment, a step past a single-purpose phishing kit.
Where it stands
The panel has since gone dark. Kelley described what happened: “In this particular instance, we did not coordinate a takedown, but the panel is no longer accessible; likely moved.”
The device-code flow itself is legitimate, so the strongest signals sit around it: look-alike SharePoint tenants, failed authentication on vendor-styled invoice mail, and any unexpected device-code prompt that appears during ordinary work. Talos published the operation’s domains and addresses, led by pamconj[.]com, for defenders to hunt on.
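Because the device-code grant is a legitimate Microsoft flow, hunting for it means correlating its use with context rather than blocking it outright. The script below is an added example, not Talos tooling: it walks constructed sign-in and audit records, flags device-code sign-ins from a country outside a user's baseline, and correlates them with inbox-rule changes in the following hour, the follow-on action the article describes. The record fields are modeled on Microsoft Entra sign-in logs and the Microsoft 365 audit log but are assumptions here, as are the baseline and the one-hour window.

```python
"""Flag device-code sign-ins that look out of place or precede inbox-rule changes.

Added example, not code from Talos or the article. Record layouts are
assumptions modeled on Entra sign-in logs and the Microsoft 365 audit log;
every record, user and baseline below is constructed.
"""
from datetime import datetime, timedelta

# Constructed sign-in records (assumed fields: time, user, protocol, country, app).
SIGN_INS = [
    {"time": "2026-04-20T14:02:11Z", "user": "payments@lifesci.example",
     "protocol": "deviceCode", "country": "NL", "app": "Microsoft Authentication Broker"},
    {"time": "2026-04-20T09:15:00Z", "user": "payments@lifesci.example",
     "protocol": "authorizationCode", "country": "US", "app": "OfficeHome"},
    # An admin using device code from a CLI is normal for this user and location.
    {"time": "2026-04-20T10:30:00Z", "user": "it-admin@lifesci.example",
     "protocol": "deviceCode", "country": "US", "app": "Azure CLI"},
]

# Constructed audit records (assumed fields: time, user, operation, detail).
AUDIT = [
    {"time": "2026-04-20T14:09:40Z", "user": "payments@lifesci.example",
     "operation": "New-InboxRule", "detail": "MoveToFolder=RSS Feeds"},
    {"time": "2026-04-20T11:00:00Z", "user": "it-admin@lifesci.example",
     "operation": "Set-Mailbox", "detail": ""},
]

# Assumed per-user baseline of countries seen in prior successful sign-ins.
BASELINE_COUNTRIES = {
    "payments@lifesci.example": {"US"},
    "it-admin@lifesci.example": {"US"},
}

# Operations that create or modify mailbox rules (names assumed from Exchange auditing).
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}
WINDOW = timedelta(hours=1)


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def score_device_code_signins(sign_ins, audit, baseline, window=WINDOW):
    """Return (user, sign-in time, reasons) for device-code sign-ins with at least one reason."""
    alerts = []
    for s in sign_ins:
        if s["protocol"] != "deviceCode":
            continue
        reasons = []
        if s["country"] not in baseline.get(s["user"], set()):
            reasons.append(f"new country {s['country']}")
        start = _ts(s["time"])
        for a in audit:
            if a["user"] != s["user"] or a["operation"] not in RULE_OPS:
                continue
            if start <= _ts(a["time"]) <= start + window:
                minutes = int((_ts(a["time"]) - start).total_seconds() // 60)
                reasons.append(f"inbox rule {a['operation']} {minutes} min later")
        if reasons:
            alerts.append((s["user"], s["time"], reasons))
    return alerts


if __name__ == "__main__":
    for user, when, reasons in score_device_code_signins(SIGN_INS, AUDIT, BASELINE_COUNTRIES):
        print(user, when, "; ".join(reasons))
```

The baseline is what keeps the admin's Azure CLI sign-in out of the alert list; without it, every device-code sign-in fires, and the signal drowns. In production the baseline would be derived from sign-in history rather than hard-coded, and the rule-operation set should be checked against the audit schema the tenant actually emits.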