Cisco Talos detailed ARToken, a phishing-as-a-service platform tied to the EvilTokens operation that is built to compromise Microsoft 365. It abuses Microsoft's device-code sign-in flow to capture authentication tokens rather than passwords, bypassing multi-factor authentication, then upgrades to a Primary Refresh Token so access survives even after the victim resets their password. Its panel exposed more than eighty API endpoints for mailbox takeover, SharePoint and OneDrive theft, and automated business email compromise, including hidden inbox rules and multi-mailbox monitoring. The lures are targeted, abusing real vendor invoice relationships and pointing to look-alike SharePoint tenants on legitimate Microsoft infrastructure so the emails are harder to flag.
Huntress is tracking a large automated password-spray campaign against Microsoft 365 that has made more than 81 million login attempts through the Azure CLI in two weeks and broken into 78 accounts across 64 organizations. The attackers replay old username and password pairs from breach data against an authentication flow that sends credentials straight to the token endpoint without triggering interactive multi-factor authentication, so weak or reused passwords give them direct access. Several victims had MFA, but it was scoped only to admins, only to certain apps, or only to untrusted locations, and so did not cover this path. The traffic comes from infrastructure whose address ranges trace back to China.