THREATOPS
THREAT OPSThreat News › ARToken: Inside an EvilTokens affiliate panel targeting Microsoft 365

ARToken: Inside an EvilTokens affiliate panel targeting Microsoft 365

medtalosPublished 2026-07-01

<!--kg-card-begin: html--> <ul> <li>Cisco Talos identified a fully-featured phishing-as-a-service (PhaaS) operator panel, branded &quot;ARToken,&quot; that shares infrastructure, API contracts, and operational patterns with the EvilTokens platform documented by Sekoia and Microsoft in early 2026.</li> <li>The ARToken panel exposes 80+ API endpoints for device code phishing, Primary Refresh Tok

MITRE ATT&CK techniques

Indicators of compromise

Original source: https://blog.talosintelligence.com/artoken-inside-an-eviltokens-affiliate-panel-targeting-microsoft-365/