THREAT OPS › Threat News › ARToken: Inside an EvilTokens affiliate panel targeting Microsoft 365
ARToken: Inside an EvilTokens affiliate panel targeting Microsoft 365
<!--kg-card-begin: html--> <ul> <li>Cisco Talos identified a fully-featured phishing-as-a-service (PhaaS) operator panel, branded "ARToken," that shares infrastructure, API contracts, and operational patterns with the EvilTokens platform documented by Sekoia and Microsoft in early 2026.</li> <li>The ARToken panel exposes 80+ API endpoints for device code phishing, Primary Refresh Tok
MITRE ATT&CK techniques
- Acquire InfrastructureT1583
- SharepointT1213.002
- JavaScriptT1059.007
- Email CollectionT1114
- Malicious FileT1204.002
- System ChecksT1497.001
- Spearphishing LinkT1566.002
- Spearphishing LinkT1598.003
- Use Alternate Authentication MaterialT1550
- Device RegistrationT1098.005
- Virtualization/Sandbox EvasionT1497
- Stage CapabilitiesT1608
- Web ServicesT1583.006
- Steal Application Access TokenT1528
- Additional Cloud CredentialsT1098.001
- Account ManipulationT1098
- Web ServicesT1584.006
- Account Access RemovalT1531
- Obfuscated Files or InformationT1027
- Multi-Factor AuthenticationT1556.006
- Remote Email CollectionT1114.002
- CredentialsT1589.001
- ImpersonationT1684.001
- Application Access TokenT1550.001
- Acquire InfrastructureAML.T0008
- ImpersonationAML.T0073
- Stage CapabilitiesAML.T0079
- Use Alternate Authentication MaterialAML.T0091
- Application Access TokenAML.T0091.000
- Virtualization/Sandbox EvasionAML.T0097
Indicators of compromise
- https://blog.sekoia.io/eviltokens-an-ai-augmented-phishing-as-a-service-for-automating-bec-fraud-part-2/url
- https://mononapfp.sharepoint.com/:f:/document/INV-IgCx1X50pgUjR7iAjZL2fuQaAW4GfKVs6wHT3BYv9sgwW7g”url
- https://mononapfpcom.sharepoint.com/:f:/g/IgAdH_aaBPMcQbtINZzC1TsLARj3dHj63MnKjvnY-QJrKEc"url
- storage.ghost.iodomain
- dashboard-bl.pamconj.comdomain
- spx.pamconj.comdomain