What Happened
Cisco Talos researchers documented ARToken, a React-based phishing-as-a-service panel operating as an affiliate of the EvilTokens platform. The panel exposes more than 80 API endpoints covering device code phishing, mailbox access, business email compromise operations, and SharePoint exfiltration. Its defining capability is persistence: operators escalate a stolen sign-in into a Primary Refresh Token through Microsoft’s Authentication Broker, and this token survives password resets. Lures ride on Cloudflare Workers with Adobe, OneDrive, and document-viewer themes, protected by a seven-layer anti-analysis system with XOR-encrypted payloads. One observed campaign hit a life-sciences company’s accounts-payable contact with a routine-looking invoice query. The panel went dark after Talos published its findings, but the EvilTokens platform behind it remains active.
Why This Matters for Canadian Organizations
Microsoft 365 anchors email, file storage, and collaboration across most Canadian enterprises, universities, and government bodies. ARToken’s design defeats the standard incident response reflex: reset the password, close the ticket. A Primary Refresh Token keeps working after the reset, letting attackers read and send mail as the victim, plant inbox rules to hide their tracks, and mine SharePoint and OneDrive for files to steal or reuse in new phishing. Unauthorized access to personal information held in a tenant triggers a breach assessment under PIPEDA, and notification to the Privacy Commissioner and affected individuals where the breach poses a real risk of significant harm.
What to Do
Move high-value users to phishing-resistant MFA such as FIDO2 security keys, and block the device code flow with a Conditional Access policy (the authentication flows condition), allowing a documented exception group only where a business need exists. When responding to a compromised M365 account, do not stop at a password reset: revoke the user’s refresh tokens and sessions, review the devices registered to the account and disable or delete any the user does not recognize (a Primary Refresh Token is bound to a registered device), and check sign-in and audit logs for authentication broker activity. Audit tenants for suspicious inbox rules (delete, move, forward, redirect) and unfamiliar OAuth consent grants.
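The response and hardening steps above, as an added worked example that is not part of the Talos report. It assumes the Microsoft Graph PowerShell SDK and the ExchangeOnlineManagement module are installed, an admin session with the listed scopes, and a placeholder victim UPN; the device and grant IDs in the commented removal lines are placeholders to fill in from the listings.

```powershell
# Added example (not from the Talos report). Assumes Microsoft.Graph and
# ExchangeOnlineManagement modules; $Victim is a placeholder UPN.
$Victim = 'ap-contact@example.ca'

Connect-MgGraph -Scopes 'User.ReadWrite.All','Directory.ReadWrite.All',
    'Policy.ReadWrite.ConditionalAccess','DelegatedPermissionGrant.ReadWrite.All'

# 1. Revoke refresh tokens and browser sessions, not just the password.
Revoke-MgUserSignInSession -UserId $Victim

# 2. Devices registered to the account. An attacker-registered device, which
#    is what holds the PRT, appears here; disable anything the user does not
#    recognize (placeholder object ID in the commented line).
Get-MgUserRegisteredDevice -UserId $Victim | ForEach-Object {
    $d = Get-MgDevice -DeviceId $_.Id
    [pscustomobject]@{
        Id         = $d.Id
        Name       = $d.DisplayName
        OS         = $d.OperatingSystem
        Trust      = $d.TrustType
        Registered = $d.RegistrationDateTime
        Enabled    = $d.AccountEnabled
    }
} | Format-Table
# Update-MgDevice -DeviceId '<device-object-id>' -AccountEnabled:$false

# 3. Delegated OAuth grants consented by this user; rogue apps show up here
#    (placeholder grant ID in the commented removal line).
Get-MgUserOauth2PermissionGrant -UserId $Victim | ForEach-Object {
    $sp = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId
    [pscustomobject]@{
        GrantId = $_.Id
        App     = $sp.DisplayName
        Scope   = $_.Scope
        Consent = $_.ConsentType
    }
} | Format-Table
# Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId '<grant-id>'

# 4. Inbox rules that hide or exfiltrate mail.
Connect-ExchangeOnline
Get-InboxRule -Mailbox $Victim | Where-Object {
    $_.DeleteMessage -or $_.MoveToFolder -or $_.ForwardTo -or
    $_.RedirectTo -or $_.ForwardAsAttachmentTo
} | Select-Object Name, Enabled, DeleteMessage, MoveToFolder, ForwardTo, RedirectTo

# 5. Block the device code flow tenant-wide with Conditional Access. Start in
#    report-only mode, then populate excludeGroups with the documented
#    exception group before enforcing.
$policy = @{
    displayName   = 'Block device code flow'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users               = @{ includeUsers = @('All'); excludeGroups = @() }
        applications        = @{ includeApplications = @('All') }
        authenticationFlows = @{ transferMethods = 'deviceCodeFlow' }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Run steps 1 through 4 against the compromised account before the password reset is closed out, since a reset alone leaves an attacker-held Primary Refresh Token and any consented application in place. Step 5 is a tenant-wide control; review the report-only sign-in log entries for legitimate device code usage (for example, headless or shared devices) before switching the policy state to enabled.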
Read the full report at Cisco Talos.