ctipilot.ch

ARToken — EvilTokens-lineage BEC-as-a-service panel targeting Microsoft 365

tool · item:talos-artoken-eviltokens-bec-panel

Coverage timeline: 1 (first 2026-07-02 → last 2026-07-02)
Briefs: 1 (1 distinct)
Sources cited: 2 (2 hosts)
Sections touched: 1 (research)
Co-occurring entities: 8 (see Related entities below)

Story timeline

  1. 2026-07-02 · CTI Daily Brief — 2026-07-02
     research · First coverage: Talos documents ARToken PhaaS panel — device-code phishing, PRT persistence, mailbox/SharePoint exfil

Where this entity is cited

  • research (1)

Source distribution

  • blog.talosintelligence.com — 1 (50%)
  • cyberscoop.com — 1 (50%)

Related entities

Items in briefs about ARToken — EvilTokens-lineage BEC-as-a-service panel targeting Microsoft 365 (1)

Cisco Talos: "ARToken" exposes a full BEC-as-a-service toolkit on top of Microsoft 365 device-code phishing

From CTI Daily Brief — 2026-07-02 · published 2026-07-02

Cisco Talos identified a fully-featured phishing-as-a-service operator panel, "ARToken," that shares API contracts and infrastructure patterns with EvilTokens, the device-code phishing platform Sekoia and Microsoft documented in early 2026 (Cisco Talos, 2026-07-01). Its dashboard exposes 80+ API endpoints spanning device-code phishing, Primary Refresh Token (PRT) persistence, mailbox access, BEC operations and SharePoint/OneDrive exfiltration — a complete post-compromise environment, not just a credential kit. The OAuth 2.0 Device Authorization Grant (RFC 8628) flow drives PRT acquisition via a /prt/setup → /prt/refresh → /prt/renew → /prt/reacquire → /prt/cookie chain that survives password resets, and the panel adds cross-mailbox keyword monitoring, programmatic inbox-rule creation for evidence suppression, and operator-to-operator shared access — capabilities CyberScoop notes go beyond what has been publicly documented for EvilTokens (CyberScoop, 2026-07-01). Talos maps the activity to T1566.002, T1528, T1098.001, T1114.002 and T1550.001.

Detection/hardening: hunt Entra ID sign-in logs for device-code grants with anomalous clientMode "broker" semantics and WAM broker-issued PRT refresh/renew outside expected device-registration windows; alert on new Entra device registrations shortly after a device-code auth from an unfamiliar IP/UA; flag programmatically-created inbox rules combining forwarding with auto-delete. Restrict the OAuth device-code flow via Conditional Access and enforce token-protection (sign-in frequency + PRT binding), especially for finance/AP-adjacent roles.
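The three hunts in the detection guidance above, written out as an added correlation example that is not part of the Talos or CyberScoop reporting and not code from the ctipilot brief. It runs over constructed sample events shaped loosely like Entra ID sign-in and audit records and Exchange inbox-rule events; every field name (`protocol`, `ip`, `ua`, `device`, `actions`, the `ForwardTo`/`RedirectTo`/`DeleteMessage` action keys) and the 30-minute registration window are assumptions to be mapped onto the real schema of whatever SIEM holds the logs.

```python
"""Added example: correlate device-code sign-ins, device registrations and
inbox rules the way the brief's detection guidance describes.
Event shapes and field names are assumptions, not a real log schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# --- constructed sample events (not real telemetry) --------------------------
SIGNINS = [
    {"ts": "2026-07-02T08:01:00Z", "user": "ap-clerk@example.test",
     "protocol": "deviceCode", "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0)"},
    {"ts": "2026-07-02T09:15:00Z", "user": "ap-clerk@example.test",
     "protocol": "deviceCode", "ip": "198.51.100.77", "ua": "python-requests/2.31"},
    {"ts": "2026-07-02T09:20:00Z", "user": "cfo@example.test",
     "protocol": "ropc", "ip": "198.51.100.77", "ua": "python-requests/2.31"},
]
DEVICE_REGISTRATIONS = [
    {"ts": "2026-07-02T09:18:30Z", "user": "ap-clerk@example.test", "device": "DESKTOP-NEW01"},
    {"ts": "2026-07-02T14:00:00Z", "user": "ap-clerk@example.test", "device": "DESKTOP-OLD02"},
]
INBOX_RULES = [
    {"ts": "2026-07-02T09:25:00Z", "user": "ap-clerk@example.test", "name": "Filter",
     "actions": {"ForwardTo": "ext@example.test", "DeleteMessage": True},
     "client": "ExchangeWebServices"},
    {"ts": "2026-07-02T10:00:00Z", "user": "cfo@example.test", "name": "Invoices",
     "actions": {"MoveToFolder": "Invoices"}, "client": "Outlook"},
]
# Constructed baseline: IPs each user had been seen from before the day in question.
KNOWN_IPS = {"ap-clerk@example.test": {"203.0.113.10"},
             "cfo@example.test": {"203.0.113.10"}}


def _t(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def unfamiliar_device_code_signins(signins, known_ips):
    """Hunt 1: device-code grants from an IP never seen for that user."""
    return [s for s in signins
            if s["protocol"] == "deviceCode"
            and s["ip"] not in known_ips.get(s["user"], set())]


def device_registration_after_device_code(signins, registrations, known_ips, window_min=30):
    """Hunt 2: a device registered within `window_min` minutes after an
    unfamiliar device-code sign-in by the same user (assumed window)."""
    by_user = defaultdict(list)
    for r in registrations:
        by_user[r["user"]].append(r)
    hits = []
    for s in unfamiliar_device_code_signins(signins, known_ips):
        for r in by_user.get(s["user"], []):
            delta = _t(r["ts"]) - _t(s["ts"])
            if timedelta(0) <= delta <= timedelta(minutes=window_min):
                hits.append({"user": s["user"], "signin_ip": s["ip"],
                             "device": r["device"],
                             "minutes_after": delta.total_seconds() / 60})
    return hits


def forwarding_plus_delete_rules(rules):
    """Hunt 3: inbox rules that both forward/redirect and delete the message,
    the forwarding-plus-auto-delete pattern the brief flags."""
    forward_keys = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
    return [r for r in rules
            if forward_keys & set(r["actions"]) and r["actions"].get("DeleteMessage")]


def run_hunts():
    """Run all three hunts over the constructed events and return the hits."""
    return {
        "unfamiliar_device_code": unfamiliar_device_code_signins(SIGNINS, KNOWN_IPS),
        "registration_after_device_code": device_registration_after_device_code(
            SIGNINS, DEVICE_REGISTRATIONS, KNOWN_IPS),
        "forward_and_delete_rules": forwarding_plus_delete_rules(INBOX_RULES),
    }


if __name__ == "__main__":
    for name, hits in run_hunts().items():
        print(f"{name}: {len(hits)} hit(s)")
        for h in hits:
            print("   ", h)
```

On the sample data each hunt yields exactly one hit: the 09:15 device-code sign-in from an IP outside the user's baseline, the device registered 3.5 minutes after it, and the rule that forwards and deletes. The ROPC sign-in is deliberately excluded so that the device-code filter is exercised; in production the baseline of known IPs would come from a lookback over the same sign-in logs rather than a hard-coded dictionary.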