Last updated: July 5, 2026 at 9:01 AM UTC
Tag: device-code-phishing (1 article)

ARToken phishing service steals Microsoft 365 tokens and survives password resets

Cisco Talos detailed ARToken, a phishing-as-a-service platform tied to the EvilTokens operation that is built to compromise Microsoft 365. It abuses Microsoft's device-code sign-in flow to capture authentication tokens rather than passwords, bypassing multi-factor authentication, then upgrades to a Primary Refresh Token so access survives even after the victim resets their password. Its panel exposed more than eighty API endpoints for mailbox takeover, SharePoint and OneDrive theft, and automated business email compromise, including hidden inbox rules and multi-mailbox monitoring. The lures are targeted, abusing real vendor invoice relationships and pointing to look-alike SharePoint tenants on legitimate Microsoft infrastructure so the emails are harder to flag.

Check
Hunt for unexpected device-code authentication prompts during normal work, unusual device registrations, and new inbox forwarding or hiding rules, and audit which accounts hold Primary Refresh Tokens or long-lived sessions.
Affected
Microsoft 365 organizations, especially finance and accounts-payable staff hit by vendor-invoice lures; captured tokens bypass MFA and Primary Refresh Token persistence keeps attackers in even after a password reset.
Fix
Restrict or monitor the device-code authentication flow with Conditional Access, revoke sessions and Primary Refresh Tokens on suspicion, enforce phishing-resistant methods like passkeys, and train staff to treat unexpected device-code prompts warily.