
Introduction:
The cybersecurity landscape witnessed a significant escalation in Q2 2026 with the emergence of ARToken, a fully-featured Phishing-as-a-Service (PhaaS) panel that exposes over 80 API endpoints designed for large-scale Microsoft 365 token theft. Discovered by Cisco Talos during an incident response engagement, ARToken represents a sophisticated evolution of the EvilTokens infrastructure, offering affiliates a comprehensive toolkit that extends from initial compromise through to advanced business email compromise (BEC) and data exfiltration.
This article provides a technical deep-dive into the ARToken platform, its operational mechanics, and the critical security implications for enterprise Microsoft 365 environments. We will explore the device code phishing technique that bypasses MFA, the post-compromise toolkit enabling persistent access, and actionable detection and mitigation strategies for defenders.
Learning Objectives:
- Understand the OAuth 2.0 Device Authorization Grant flow abuse and how ARToken bypasses multi-factor authentication (MFA) to capture authentication tokens.
- Analyze the extensive post-compromise capabilities of ARToken, including Primary Refresh Token (PRT) persistence, mailbox takeover, and automated BEC workflows.
- Learn practical detection techniques, including log analysis, PowerShell commands, and Entra ID conditional access policies to identify and block token theft attacks.
You Should Know:
1. The Device Code Phishing Technique: Bypassing MFA Without Passwords
ARToken, like its predecessor EvilTokens, abuses Microsoft's OAuth 2.0 Device Authorization Grant (RFC 8628), a legitimate sign-in flow designed for input-constrained devices such as smart TVs and command-line tools. Instead of stealing passwords, the platform tricks victims into entering a device code on Microsoft's genuine login page (`microsoft.com/devicelogin`). The victim signs in there, MFA prompt included, so MFA is satisfied by the victim rather than broken in the protocol sense, and Microsoft then issues the resulting tokens to the client that requested the code: the attacker. No password or one-time code ever passes through attacker infrastructure, and no look-alike login page is needed.
The attack flow, described here for defensive analysis, unfolds as follows:
- Lure Delivery: The victim receives a highly targeted phishing email, often impersonating a known vendor with an invoice query. The email contains a link disguised as a legitimate SharePoint document.
- Redirection: The link leads to an attacker-controlled Microsoft 365 workspace. Behind the scenes the kit has already requested a device code from Microsoft's device authorization endpoint, and the page shows the victim the resulting user code together with instructions.
- Code Entry: The victim is instructed to visit `microsoft.com/devicelogin` and enter the provided code.
- Token Capture: Once the victim authenticates (completing any MFA prompt) and enters the code, Microsoft issues the access and refresh tokens to the client that is polling the token endpoint with the matching device code, i.e. the attacker's session, not the device in front of the victim.
Defensive Simulation (Linux/macOS):
To understand the OAuth device code flow, security teams can simulate a legitimate request with curl (the `client_id` must belong to an app registration configured as a public client that allows the device code flow):

```bash
# Simulate a device code request (legitimate use, for testing)
curl -X POST "https://login.microsoftonline.com/common/oauth2/v2.0/devicecode" \
  -d "client_id=YOUR_CLIENT_ID" \
  -d "scope=https://graph.microsoft.com/.default"
```

This returns a `device_code`, `user_code`, `verification_uri`, `expires_in`, `interval` and a ready-made `message` for the user. The requesting client then polls the `/token` endpoint with `grant_type=urn:ietf:params:oauth:grant-type:device_code` and its `device_code`, receiving `authorization_pending` until the user completes sign-in (add `offline_access` to the scope if the token response should also contain a refresh token). In an attack, only the `user_code` is shown to the victim; the `device_code` never leaves the attacker.
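The exchange described in the four steps above, as an added example that is not ARToken code and not Microsoft's implementation: a toy RFC 8628 authorization server in memory, the attacker's polling client, and the victim approving the code on the legitimate page. Endpoint and error names follow RFC 8628; the identities, the fake clock and the token format are constructed for the demonstration. The point it makes runnable is that the tokens are bound to whoever approved the code but delivered to whoever holds the `device_code`.

```python
"""Offline model of the OAuth 2.0 Device Authorization Grant (RFC 8628) as abused
by device code phishing. Added example; not ARToken code, not Microsoft's code."""
import secrets


class FakeClock:
    """Lets the demo move time forward without sleeping."""
    def __init__(self, start=1_700_000_000.0):
        self.t = start
    def now(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds


class DeviceAuthServer:
    """Minimal RFC 8628 authorization server kept in memory."""

    def __init__(self, now, lifetime_s=900, interval_s=5):
        self.now, self.lifetime_s, self.interval_s = now, lifetime_s, interval_s
        self._pending = {}  # device_code -> request state

    def device_authorization(self, client_id, scope):
        """POST /devicecode. Anyone with a client_id gets a code pair; no user is involved yet."""
        device_code = secrets.token_urlsafe(32)
        user_code = f"{secrets.token_hex(2).upper()}-{secrets.token_hex(2).upper()}"
        self._pending[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "expires_at": self.now() + self.lifetime_s, "next_poll_at": 0.0,
            "approved_by": None,
        }
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://microsoft.com/devicelogin",
                "expires_in": self.lifetime_s, "interval": self.interval_s}

    def user_enters_code(self, user_code, user, mfa_passed):
        """The verification_uri page: the *user* signs in (password + MFA) and approves
        whichever pending request carries this user_code. Nothing tells the user who asked."""
        if not mfa_passed:
            return False
        for state in self._pending.values():
            if state["user_code"] == user_code and state["expires_at"] > self.now():
                state["approved_by"] = user
                return True
        return False

    def token(self, client_id, device_code):
        """POST /token with grant_type=urn:ietf:params:oauth:grant-type:device_code,
        polled by the client that holds device_code."""
        state = self._pending.get(device_code)
        if state is None or state["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if state["expires_at"] <= self.now():
            del self._pending[device_code]
            return {"error": "expired_token"}
        if self.now() < state["next_poll_at"]:
            return {"error": "slow_down"}
        state["next_poll_at"] = self.now() + self.interval_s
        if state["approved_by"] is None:
            return {"error": "authorization_pending"}
        del self._pending[device_code]
        # Tokens are minted for the approving user but handed to the polling client.
        return {"token_type": "Bearer", "scope": state["scope"],
                "access_token": f"at.{state['approved_by']}",
                "refresh_token": f"rt.{state['approved_by']}"}


def run_phishing_scenario(server, clock, victim="victim@contoso.example", attacker="affiliate-cli"):
    """Steps 1-4 from the article: the attacker holds device_code, the victim only
    ever sees user_code, on the genuine sign-in page."""
    init = server.device_authorization(attacker, "https://graph.microsoft.com/.default offline_access")
    first_poll = server.token(attacker, init["device_code"])             # nothing yet
    clock.advance(init["interval"])
    server.user_enters_code(init["user_code"], victim, mfa_passed=True)  # victim satisfies MFA
    clock.advance(init["interval"])
    second_poll = server.token(attacker, init["device_code"])            # attacker receives tokens
    return first_poll, second_poll


def run_abandoned_scenario(server, clock, attacker="affiliate-cli"):
    """Failure mode: the victim never enters the code and the request expires."""
    init = server.device_authorization(attacker, "openid")
    clock.advance(init["expires_in"] + 1)
    return server.token(attacker, init["device_code"])


if __name__ == "__main__":
    clock = FakeClock()
    pending, tokens = run_phishing_scenario(DeviceAuthServer(now=clock.now), clock)
    print(pending, tokens, sep="\n")
    print(run_abandoned_scenario(DeviceAuthServer(now=clock.now), clock))
```

Note that the server never checks whether the party entering the code and the party polling for tokens are the same; RFC 8628 has no binding between them, which is exactly the gap the lure exploits.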
Detection (Windows PowerShell):
Monitor Entra ID sign-in logs for the device code flow. Sign-ins made through this flow are recorded with the authentication protocol `deviceCode`; in Log Analytics or Sentinel the equivalent query is `SigninLogs | where AuthenticationProtocol == "deviceCode"`.

```powershell
# The AzureAD module is deprecated; use Microsoft Graph PowerShell (the beta profile exposes AuthenticationProtocol)
Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All"
$since = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")
# Filter on the authentication protocol, not clientAppUsed: the latter has no 'Device Code Flow' value
Get-MgBetaAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.AuthenticationProtocol -eq 'deviceCode' } |
    Select-Object CreatedDateTime, UserPrincipalName, IpAddress, AppDisplayName, ClientAppUsed
```
2. Primary Refresh Token (PRT) Persistence: Surviving Password Resets
Beyond initial token theft, ARToken's persistence rests on converting captured tokens into Primary Refresh Tokens (PRTs). A PRT is the long-lived refresh token Entra ID issues to a registered or joined device and uses for single sign-on across Microsoft 365 services. Holding a PRT lets an attacker keep minting fresh access tokens for the victim's account, and a password change alone does not end that access; the tokens have to be revoked explicitly.
ARToken exposes several endpoints for PRT management:
- `/prt/setup`: Initializes PRT acquisition.
- `/prt/refresh`: Refreshes an expiring PRT.
- `/prt/renew`: Renews the PRT after expiration.
- `/prt/cookie`: Extracts browser cookies from the PRT session.
Once a PRT is established, attackers can use the companion Windows application, “ARTBrowser,” to interact with the compromised Microsoft 365 session as if they were the legitimate user.
Defensive Recommendations:
- Revoke Sessions: Immediately revoke all refresh tokens and session cookies for the user upon detecting a compromise. Note that access tokens already issued stay valid until they expire (about an hour by default) unless the application supports Continuous Access Evaluation, so revocation stops the attacker from obtaining new tokens rather than cutting off every existing one instantly.

```powershell
# Microsoft Graph PowerShell replacement for the deprecated Revoke-AzureADUserAllRefreshToken
Connect-MgGraph -Scopes "User.ReadWrite.All"
Revoke-MgUserSignInSession -UserId "[email protected]"
# Legacy AzureAD module equivalent:
# Revoke-AzureADUserAllRefreshToken -ObjectId "[email protected]"
```
- Monitor PRT Usage: Look for suspicious PRT activity in Entra ID sign-in logs, particularly PRT usage from new or unusual devices.
3. The Post-Compromise Toolkit: Mailbox Takeover and BEC Automation
ARToken functions as a complete BEC operations environment. The platform’s 80+ API endpoints provide affiliates with granular control over compromised mailboxes.
Key post-compromise capabilities include:
- Mailbox Access: Reading and sending emails from the victim’s Outlook.
- Inbox Rule Manipulation: Creating rules to forward emails to the attacker or automatically delete security alerts.
- SharePoint/OneDrive Exfiltration: Browsing, downloading, and uploading files.
- Mass BCC Sending: Using the compromised account to send phishing emails to the victim’s contacts.
Defensive Recommendations:
- Audit Mailbox Rules: Regularly check for suspicious inbox rules created without the user's knowledge, in particular rules that forward or redirect mail externally, delete messages, or file them into rarely viewed folders.

```powershell
Connect-ExchangeOnline
# List a user's rules, including redirect/forward-as-attachment targets and hiding actions
Get-InboxRule -Mailbox "[email protected]" |
    Format-Table Name, Enabled, ForwardTo, RedirectTo, ForwardAsAttachmentTo, DeleteMessage, MoveToFolder, MarkAsRead -AutoSize
# Tenant-wide sweep for rules that forward or delete
Get-Mailbox -ResultSize Unlimited | ForEach-Object { Get-InboxRule -Mailbox $_.UserPrincipalName } |
    Where-Object { $_.ForwardTo -or $_.RedirectTo -or $_.ForwardAsAttachmentTo -or $_.DeleteMessage }
```
- Monitor for Unusual Sending Patterns: Use Microsoft Defender for Office 365 to detect bulk email sends from atypical accounts.
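Triage logic for the inbox rule manipulation described in this section, as an added example that is not from the article or from the kit: it scores exported inbox rules for the patterns listed above (external forwarding, suppression of security notifications, hiding in obscure folders, blank or punctuation-only names). The rule records are constructed to resemble `Get-InboxRule | ConvertTo-Json` output; the internal domain, the alert keyword list and the folder list are assumptions to tune for your tenant.

```python
"""Triage Exchange Online inbox rules for BEC tradecraft. Added example; the rule
records are constructed, and INTERNAL_DOMAINS / ALERT_WORDS / HIDING_FOLDERS are
assumptions to adapt."""
import json
import re

INTERNAL_DOMAINS = {"contoso.example"}   # assumption: the tenant's accepted domains
ALERT_WORDS = ("security alert", "unusual sign-in", "unusual signin", "password",
               "suspicious", "verification code", "hacked", "phish")
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "junk email", "deleted items", "archive"}

# Constructed sample, shaped like Get-InboxRule output serialised to JSON.
SAMPLE_RULES = json.dumps([
    {"MailboxOwnerId": "alice@contoso.example", "Name": ".", "Enabled": True,
     "ForwardTo": ['"" [SMTP:drop@mailbox-relay.example]'], "RedirectTo": [],
     "ForwardAsAttachmentTo": [], "DeleteMessage": True, "MoveToFolder": None,
     "SubjectContainsWords": [], "MarkAsRead": False},
    {"MailboxOwnerId": "bob@contoso.example", "Name": "Vendor invoices", "Enabled": True,
     "ForwardTo": [], "RedirectTo": [], "ForwardAsAttachmentTo": [], "DeleteMessage": False,
     "MoveToFolder": "Finance/Invoices", "SubjectContainsWords": ["invoice"], "MarkAsRead": False},
    {"MailboxOwnerId": "carol@contoso.example", "Name": "Cleanup", "Enabled": True,
     "ForwardTo": [], "RedirectTo": [], "ForwardAsAttachmentTo": [], "DeleteMessage": True,
     "MoveToFolder": None, "SubjectContainsWords": ["security alert", "unusual sign-in", "password"],
     "MarkAsRead": True},
    {"MailboxOwnerId": "dave@contoso.example", "Name": "..", "Enabled": True,
     "ForwardTo": [], "RedirectTo": [], "ForwardAsAttachmentTo": [], "DeleteMessage": False,
     "MoveToFolder": "RSS Subscriptions", "SubjectContainsWords": ["invoice", "payment"],
     "MarkAsRead": True},
    {"MailboxOwnerId": "erin@contoso.example", "Name": "Team forward", "Enabled": True,
     "ForwardTo": [], "RedirectTo": ['"Team Lead" [SMTP:lead@contoso.example]'],
     "ForwardAsAttachmentTo": [], "DeleteMessage": False, "MoveToFolder": None,
     "SubjectContainsWords": [], "MarkAsRead": False},
])

_SMTP = re.compile(r'SMTP:([^\]\s"]+)', re.IGNORECASE)


def load_rules(rules_json):
    return json.loads(rules_json)


def external_recipients(rule):
    """Forward/redirect targets whose domain is not one of ours."""
    out = []
    for field in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"):
        for entry in rule.get(field) or []:
            for addr in _SMTP.findall(entry):
                if addr.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS:
                    out.append(addr.lower())
    return out


def triage_rule(rule):
    """Return (severity, reasons); severity None means nothing notable."""
    reasons, score = [], 0
    ext = external_recipients(rule)
    if ext:
        reasons.append("forwards to external address(es): " + ", ".join(ext))
        score += 3
    subject = " ".join(rule.get("SubjectContainsWords") or []).lower()
    hides = bool(rule.get("DeleteMessage")) or (rule.get("MoveToFolder") or "").lower() in HIDING_FOLDERS
    if hides and any(w in subject for w in ALERT_WORDS):
        reasons.append("deletes or hides mail whose subject looks like a security notification")
        score += 3
    elif hides and rule.get("MarkAsRead"):
        reasons.append("marks as read and hides mail, a common post-compromise pattern")
        score += 1
    if hides and ext:
        reasons.append("deletes after forwarding, so the owner never sees the message")
        score += 1
    name = (rule.get("Name") or "").strip()
    if len(name) <= 2 or not any(ch.isalnum() for ch in name):
        reasons.append(f"blank or punctuation-only rule name {name!r}")
        score += 1
    if not reasons:
        return None, []
    return ("high" if score >= 3 else "medium"), reasons


def triage_rules(rules_json):
    findings = []
    for rule in load_rules(rules_json):
        severity, reasons = triage_rule(rule)
        if severity:
            findings.append({"mailbox": rule["MailboxOwnerId"], "rule": rule["Name"],
                             "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_rules(SAMPLE_RULES):
        print(f"[{f['severity']}] {f['mailbox']} rule {f['rule']!r}: " + "; ".join(f["reasons"]))
```

Feed it the JSON from `Get-InboxRule ... | ConvertTo-Json -Depth 3` across all mailboxes; rules that score high should be compared against the mailbox's audit log to find the session that created them.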
4. Anti-Analysis and Evasion: A Seven-Layer Defense
ARToken implements a sophisticated client-side anti-analysis framework designed to evade automated security scanners and sandbox environments.
Talos researchers enumerated seven layers of behavioral verification:
1. User-Agent and `navigator.webdriver` Checks: Detects headless browsers.
2. Feature Fingerprinting: Analyzes browser features to identify automation tools.
3. Window-Dimension Gating: Verifies the browser window size matches a real user.
4. Interaction Telemetry: Requires mouse or touch movement to proceed.
5. Elapsed Browsing Time: Checks how long the page has been open.
6. Screen Dimensions: Validates screen resolution.
7. XOR-Encrypted Payloads: The final phishing payload is XOR-encrypted with a 16-byte key and decrypted at runtime, complicating static detection.
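Recovering a payload protected as in layer 7, as an added example that is not ARToken code: the article states only that the payload is XOR-encrypted with a 16-byte key and decrypted at runtime, so the repeating-key scheme, the base64 transport and the sample page below are assumptions constructed for the demonstration. The analyst-side trick is that a repeating-key XOR leaks its key byte-for-byte wherever the plaintext is predictable, and HTML payloads almost always open with a predictable 16 bytes.

```python
"""Recover a repeating-key XOR payload from a phishing kit. Added example; the
scheme (repeating key, base64 transport) and SAMPLE_PAGE/SAMPLE_KEY are assumptions."""
import base64
import string

KEY_LEN = 16
_PRINTABLE = set(bytes(string.printable, "ascii"))

# Constructed sample page; its first line is the known plaintext an analyst would guess.
SAMPLE_PAGE = (b"<!DOCTYPE html>\n<html><head><title>Sign in to your account</title></head>\n"
               b"<body><form method=\"post\" action=\"/submit\">"
               b"<p>Enter the code shown by your device.</p>"
               b"<input name=\"code\" autofocus><button>Next</button></form></body></html>\n")
SAMPLE_KEY = bytes.fromhex("9f3a7c1e5b0d8a2f4c6e1b3d5f7a9c0e")  # constructed 16-byte key


def xor_repeating(data, key):
    """XOR data with key repeated; encryption and decryption are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_blob(text):
    """Kits ship the ciphertext as a hex or base64 string literal; accept either.
    Hex is tried first, so a base64 string made only of hex characters would be misread."""
    s = "".join(text.split())
    if len(s) % 2 == 0 and all(c in string.hexdigits for c in s):
        return bytes.fromhex(s)
    return base64.b64decode(s, validate=True)


def recover_key(ciphertext, known_plaintext, key_len=KEY_LEN):
    """key[i] = ct[i] XOR pt[i]; with at least key_len known leading bytes the whole key falls out."""
    if len(known_plaintext) < key_len:
        raise ValueError(f"need at least {key_len} known plaintext bytes, got {len(known_plaintext)}")
    if len(ciphertext) < key_len:
        raise ValueError("ciphertext shorter than the key")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_plaintext[:key_len]))


def printable_ratio(data):
    """Plausibility score for a candidate decryption; HTML/JS should score 1.0 or very close."""
    return sum(b in _PRINTABLE for b in data) / max(len(data), 1)


def make_sample_blob():
    """Kit side, for the demo only: encrypt the page and base64 it for embedding in a script."""
    return base64.b64encode(xor_repeating(SAMPLE_PAGE, SAMPLE_KEY)).decode()


def recover_payload(blob_text, known_prefix=b"<!DOCTYPE html>\n"):
    """Analyst side: blob -> bytes -> key -> plaintext, plus a plausibility score."""
    ct = decode_blob(blob_text)
    key = recover_key(ct, known_prefix)
    pt = xor_repeating(ct, key)
    return key, pt, printable_ratio(pt)


if __name__ == "__main__":
    key, pt, score = recover_payload(make_sample_blob())
    print(key.hex(), round(score, 3))
    print(pt.decode())
```

If the guessed prefix is wrong the recovered key is wrong too, and `printable_ratio` drops well below 1.0; try the other common openers (`<html>`, `<script>`, `(function(){`) before reaching for statistical key recovery.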
Defensive Recommendations:
- URL Analysis: Use dynamic analysis tooling that drives a real browser with realistic window and screen dimensions, injects mouse or touch movement, and waits before retrieving the payload; headless defaults trip several of the checks above.
- Email Filtering: Configure email gateways to quarantine or reject messages that fail SPF, DKIM, and DMARC checks, as seen in ARToken lures.
5. Detection and Mitigation: A Practical Guide for Defenders
Defending against ARToken and similar token theft attacks requires a multi-layered approach.
1. Conditional Access Policies: Conditional Access has an "Authentication flows" condition that targets the device code flow directly. Create a policy that blocks device code authentication for all users, excluding only a tightly scoped group with a legitimate need (e.g., Linux users with no browser-based sign-in path), and review that exclusion group regularly.
2. User Education: Train users to recognize device code phishing. Emphasize that they should never enter a code supplied by an email, chat message, or unfamiliar website on `microsoft.com/devicelogin`; a genuine device code always comes from a device or application the user is operating at that moment.
3. Log Monitoring: Actively monitor Entra ID sign-in logs for:
– `authenticationProtocol` equal to `deviceCode` (in Log Analytics: `SigninLogs | where AuthenticationProtocol == "deviceCode"`); this field, not `clientAppUsed`, identifies the flow.
– Sign-ins from unusual locations or IP addresses, especially a device code sign-in whose IP differs from the user's usual footprint, since the token is redeemed from the attacker's infrastructure.
– Multiple failed MFA attempts followed by a successful device code sign-in.
4. Token Revocation: Have a clear incident response plan that includes immediate token revocation and session termination upon suspected compromise.
5. Email Security: Deploy and enforce SPF, DKIM, and DMARC to prevent domain spoofing. Implement advanced email filtering to detect invoice-themed lures and reply-to manipulation.
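The log monitoring item above, run over sample data, as an added example that is not from the article or from Cisco Talos. The sign-in records are constructed; their field names follow the Microsoft Graph signIn resource (`authenticationProtocol`, `clientAppUsed`, `ipAddress`, `location`, `status.errorCode`), which is also the shape of a JSON export from the Entra portal or Sentinel. Every device code sign-in becomes a finding, and the severity comes from comparing it with the user's own baseline of successful non-device-code sign-ins.

```python
"""Hunt for device code sign-ins in an Entra ID sign-in log export. Added example;
the records below are constructed, with Graph signIn field names."""
import json
from collections import defaultdict

SAMPLE_SIGNIN_LOGS = """\
{"createdDateTime":"2026-04-07T08:02:11Z","userPrincipalName":"alice@contoso.example","ipAddress":"203.0.113.10","location":{"countryOrRegion":"US"},"appDisplayName":"Office 365 Exchange Online","clientAppUsed":"Browser","authenticationProtocol":"oAuth2","status":{"errorCode":0}}
{"createdDateTime":"2026-04-07T08:09:40Z","userPrincipalName":"bob@contoso.example","ipAddress":"203.0.113.22","location":{"countryOrRegion":"US"},"appDisplayName":"Office 365 SharePoint Online","clientAppUsed":"Browser","authenticationProtocol":"oAuth2","status":{"errorCode":0}}
{"createdDateTime":"2026-04-07T08:30:05Z","userPrincipalName":"dave@contoso.example","ipAddress":"203.0.113.30","location":{"countryOrRegion":"US"},"appDisplayName":"Office 365 Exchange Online","clientAppUsed":"Browser","authenticationProtocol":"oAuth2","status":{"errorCode":0}}
{"createdDateTime":"2026-04-07T09:15:02Z","userPrincipalName":"alice@contoso.example","ipAddress":"198.51.100.7","location":{"countryOrRegion":"NL"},"appDisplayName":"Microsoft Office","clientAppUsed":"Mobile Apps and Desktop clients","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
{"createdDateTime":"2026-04-07T09:20:30Z","userPrincipalName":"bob@contoso.example","ipAddress":"203.0.113.22","location":{"countryOrRegion":"US"},"appDisplayName":"Microsoft Azure CLI","clientAppUsed":"Mobile Apps and Desktop clients","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
{"createdDateTime":"2026-04-07T09:31:55Z","userPrincipalName":"carol@contoso.example","ipAddress":"192.0.2.44","location":{"countryOrRegion":"US"},"appDisplayName":"Office 365 Exchange Online","clientAppUsed":"Browser","authenticationProtocol":"oAuth2","status":{"errorCode":50126}}
{"createdDateTime":"2026-04-07T09:40:12Z","userPrincipalName":"carol@contoso.example","ipAddress":"198.51.100.9","location":{"countryOrRegion":"RU"},"appDisplayName":"Microsoft Office","clientAppUsed":"Mobile Apps and Desktop clients","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
{"createdDateTime":"2026-04-07T09:50:48Z","userPrincipalName":"dave@contoso.example","ipAddress":"203.0.113.31","location":{"countryOrRegion":"US"},"appDisplayName":"Microsoft Office","clientAppUsed":"Mobile Apps and Desktop clients","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
"""


def parse_signins(text):
    """One JSON object per line, as exported from Log Analytics or Graph."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_device_code(event):
    return (event.get("authenticationProtocol") or "").lower() == "devicecode"


def location_baseline(events):
    """IPs and countries from each user's successful, non-device-code sign-ins.
    Device code sign-ins are excluded so a compromise cannot poison its own baseline."""
    ips, countries = defaultdict(set), defaultdict(set)
    for e in events:
        if e["status"]["errorCode"] != 0 or is_device_code(e):
            continue
        user = e["userPrincipalName"].lower()
        ips[user].add(e["ipAddress"])
        countries[user].add(e["location"]["countryOrRegion"])
    return ips, countries


def hunt_device_code(events):
    """Every device code sign-in is a finding; severity reflects distance from the
    user's normal footprint. Sorted high -> low, then by time."""
    ips, countries = location_baseline(events)
    findings = []
    for e in events:
        if not is_device_code(e):
            continue
        user = e["userPrincipalName"].lower()
        ip, country = e["ipAddress"], e["location"]["countryOrRegion"]
        if not ips.get(user):
            severity, why = "high", "no successful non-device-code sign-in to compare against"
        elif country not in countries[user]:
            severity, why = "high", f"country {country} never seen for this user"
        elif ip not in ips[user]:
            severity, why = "medium", f"IP {ip} not in the user's baseline"
        else:
            severity, why = "low", "matches the user's usual location; confirm device code use was expected"
        if e["status"]["errorCode"] != 0:
            why += f" (sign-in failed, errorCode {e['status']['errorCode']})"
        findings.append({"time": e["createdDateTime"], "user": user, "ip": ip, "country": country,
                         "app": e.get("appDisplayName"), "severity": severity, "reason": why})
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f["severity"]], f["time"]))


if __name__ == "__main__":
    for f in hunt_device_code(parse_signins(SAMPLE_SIGNIN_LOGS)):
        print(f"[{f['severity']:6}] {f['time']} {f['user']} {f['ip']} ({f['country']}) {f['app']}: {f['reason']}")
```

In production the baseline should come from a longer window (30 days or more) than the hunt window, and the "low" findings still deserve a look: a user who genuinely uses device code sign-in from the office is exactly the user an attacker in the same region can hide behind.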
What Undercode Say:
- Key Takeaway 1: ARToken is not merely a phishing kit; it is a comprehensive, enterprise-grade platform for cloud account takeover, demonstrating the increasing professionalization of the cybercrime economy. The seamless integration of MFA bypass, persistent access, and automated BEC workflows lowers the barrier to entry for even novice attackers.
- Key Takeaway 2: The reliance on legitimate OAuth flows and trusted Microsoft infrastructure makes ARToken exceptionally difficult to detect using traditional security measures. Defenders must shift their focus from preventing initial access (which is nearly impossible) to early detection of post-compromise activity, such as anomalous token usage and mailbox rule creation.
Prediction:
- The commoditization of advanced token theft techniques through PhaaS platforms like ARToken will lead to a significant surge in BEC and data theft incidents throughout 2026 and 2027. Organizations that fail to adopt a Zero Trust architecture and robust identity threat detection will face severe financial and reputational damage.
- The anti-analysis techniques employed by ARToken (seven-layer verification, XOR encryption) represent a new standard for phishing kits. This will force security vendors to invest heavily in more sophisticated dynamic analysis and behavioral detection capabilities, increasing the cost of defense.
- The exposure of ARToken's inner workings through Talos's research provides defenders with critical intelligence. By understanding the specific API endpoints, evasion techniques, and operational patterns, security teams can develop precise detection rules and proactively hunt for this threat in their environments.
Reported By: Mayura Kathiresh – Hackers Feeds


