securityonline.info 7/7/2026, 10:40:48 AM · external

ARToken phishing kit targets M365 users via device code

ARToken phishing kit targets M365 users via device code
CyberSIXT Evidence Panel
Threat Actor
EvilTokens

THE ARToken phishing platform, linked to EvilTokens, is targeting Microsoft 365 users, particularly in finance, HR, and logistics, using phishing-as-a-service (PhaaS). Cisco Talos revealed this platform, which employs device code phishing to bypass multi-factor authentication (MFA). The platform includes a dashboard with over 80 endpoints for email theft and fraud, exploiting realistic lures pretending to be from legitimate vendors. The actors have yet to be arrested, but the campaign has been deemed active.

By capturing tokens, attackers can enable advanced tactics such as business email compromise, and the platform reportedly charges around $1,500 to set up with ongoing costs. To combat such threats, companies should implement strict access controls and train staff to identify suspicious communications.

View Primary Source Via securityonline.info

Article by CyberSIXT