Cisco Talos has unearthed a menacing new threat actor panel dubbed ARToken, a React-based operator dashboard that streamlines the entire kill chain for compromising Microsoft 365 accounts. Tightly integrated with the notorious EvilTokens phishing-as-a-service ecosystem, ARToken exposes more than 80 Microsoft 365 API endpoints to attackers, automating token theft, persistence, and abuse at a scale not previously documented. The panel weaponizes device code phishing—a technique that bypasses multi-factor authentication—and pairs it with Primary Refresh Token (PRT) persistence to maintain undetected access for months. Businesses relying on Microsoft 365 face an elevated risk of business email compromise (BEC), SharePoint data exfiltration, and lateral cloud movement.

ARToken and the EvilTokens connection

ARToken is not an isolated tool but surfaces as the latest evolution within the EvilTokens phishing-as-a-service (PhaaS) constellation. Cisco Talos researchers identified overlapping infrastructure, API signatures, and behavioral patterns that directly link the panel to earlier EvilTokens campaigns. EvilTokens has previously offered turnkey phishing kits that harvest session tokens from browser extensions and cookie stores. ARToken takes the model a step further by introducing a centralized command panel built on React, allowing even low-skilled operators to manage complex attacks through a polished, real-time web interface.

The panel’s backend orchestrates more than 80 unique Microsoft Graph and Azure AD endpoints, covering authentication, mail access, file operations, and token management. This granular API exposure means operators can query mailbox contents, read SharePoint document libraries, create Entra ID (formerly Azure AD) applications for persistence, and refresh stolen tokens—all from one pane of glass. The infrastructure often uses bulletproof hosting and domain generation algorithms to evade takedowns, with command-and-control servers rotating every few days.

Device code phishing: The silent MFA bypass

At the heart of ARToken’s initial access is device code phishing, a technique that exploits the OAuth 2.0 device authorization grant flow. Legitimately used for input-constrained devices like smart TVs or IoT hardware, the flow requires a user to enter a short alphanumeric code displayed on the device into a verification URL on a separate browser. Attackers initiate this flow programmatically, obtain the device code, and trick victims into submitting it on the genuine Microsoft login page.

The phishing lures are deceptively simple. An email or message warns the recipient about an urgent security action—often masquerading as an IT department alert—and instructs them to navigate to microsoft.com/devicelogin and enter a code. The victim sees a legitimate Microsoft page, completes the sign-in, and consents to the application permissions presented. Unknown to them, the attacker’s application simultaneously receives a validated OAuth token, including an access token and often a refresh token, bypassing any MFA challenges because the login occurred on the user’s trusted device and session.

ARToken automates the generation of these device code requests, pairing them with lures tailored to the target organization. The panel can spawn dozens of active device codes simultaneously, monitor which ones are redeemed, and instantly pull the resulting tokens into its database. Because the traffic flows entirely through legitimate Microsoft infrastructure, traditional phishing filters rarely flag the initial email or the subsequent token exchange.

PRT persistence: Planting the keys to the kingdom

Once ARToken steals an access token, the true value lies in establishing persistence through the Primary Refresh Token. A PRT is a long-lived artifact issued to Windows 10 and 11 devices that are Azure AD-joined or hybrid-joined. It enables single sign-on across all Microsoft cloud services and can be renewed automatically for up to 90 days. Normally, PRTs are bound to a specific device’s Trusted Platform Module (TPM) to prevent extraction. However, ARToken uses a technique researchers call PRT cookie replay: the panel provisions a malicious enterprise application that requests the PRT SSO cookies, effectively cloning the PRT into browser-session cookies that can be transferred to an attacker-controlled machine.

The process works as follows. With an initial stolen access token, the panel calls Microsoft Graph to register a new application in the victim’s tenant with elevated permissions—typically Mail.ReadWrite, Files.ReadWrite, Sites.ReadWrite.All, and Directory.Read.All. It then grants admin consent programmatically if the compromised account holds sufficient roles, or tricks an admin later through consent phishing. Once the malicious application is in place, it requests PRT SSO cookies via the device registration endpoint, obtaining a session token that mirrors the user’s PRT. That cookie is imported into ARToken’s session pool, where it can be refreshed indefinitely using the original PRT’s renewal mechanism.

This persistence is particularly insidious because it survives password changes. Since the PRT is tied to the device join state and session secret, rotating credentials does not invalidate the stolen session. Even revoking all refresh tokens only clears the temporary tokens; the malicious application can re-request new PRT cookies as long as it remains consented in the tenant. ARToken operators have been observed maintaining access for more than six months in some compromised tenants, using the persistent foothold to exfiltrate data or launch business email compromise campaigns in waves.

Microsoft 365 abuse: Beyond email compromise

ARToken’s endpoint coverage reveals a deliberate focus on Microsoft 365 abuse patterns that go far beyond reading a few emails. The panel operators systematically target SharePoint Online document libraries, OneDrive for Business, Teams chats, and Exchange Online mailboxes. By enumerating the full directory structure through the Sites.Read.All scope, attackers can identify sensitive files—contracts, intellectual property, financial records—and exfiltrate them in bulk using the Files.ReadWrite permission.

Business email compromise remains the most immediate monetization vector. ARToken allows operators to search for high-value email threads, scan for invoice keywords, and insert fraudulent banking details with surgical precision. Because the access comes from a legitimate session, the forged emails originate from the victim’s own mailbox, passing SPF, DKIM, and DMARC checks effortlessly. Payment diversion attacks executed through ARToken have siphoned six-figure sums from mid-market firms, with the panel’s logging features enabling the attackers to monitor when targets open the fake invoices.

Beyond email, SharePoint abuse is becoming a hallmark of ARToken campaigns. The panel can download entire document libraries, search for files containing personally identifiable information (PII), or inject malicious macros into shared Excel and Word documents. In one incident described by Cisco Talos, an attacker used ARToken to replace a legitimate contract stored in a SharePoint folder with a trojanized version that installed a remote access tool upon opening. Because the change appeared to come from a trusted internal account, none of the recipients detected the swap until weeks later.

Infrastructure and evasion tactics

ARToken’s infrastructure is architected for resilience. The React frontend communicates with a Node.js backend that orchestrates API calls through a pool of proxy servers and residential IP addresses. This makes it difficult for cloud security tools to block based on IP reputation alone. The panel uses encrypted WebSocket channels for command-and-control, hiding its traffic within normal TLS sessions. All harvested tokens are encrypted at rest and stored in a geo-replicated database, with automatic pruning that deletes expired sessions while retaining valid ones.

Evasion extends to the Microsoft 365 environment itself. The panel deliberately spaces API calls to stay under the throttling limits that would trigger anomaly alerts in Microsoft Defender for Cloud Apps. It uses the Graph API’s delta queries to minimize data transfer, pulling only changes rather than full directory iterations. When enabling the malicious enterprise application, ARToken often disguises the consent with names that mimic legitimate internal tools, such as SharePoint Migration Agent or Exchange Online Reporting. Less-sophisticated admins glance at the name and approve the consent without inspecting the requested permissions.

Detection and defense strategies

Organizations defending against ARToken and similar threats need a multi-layered approach that addresses the device code phishing vector, monitors PRT anomalies, and tightens application consent settings.

Conditional Access policies are the first line of defense. Administrators should create blocking rules for the device code authentication flow unless it is explicitly required for known device types. While Microsoft does not provide a native filter for “device code grant” in Conditional Access, a workaround is to deny authentication requests whose “Authentication Context” or “app type” falls under legacy flows, which covers device code when applied carefully. Additionally, requiring compliant devices for all cloud app access prevents token replay on unmanaged machines.

Consent management should be locked down. Disable the ability for non-admin users to consent to applications. Enable the admin consent workflow so that all permission requests go through a review process, and regularly audit consented applications for excessive rights. Pay special attention to applications requesting the “PRT SSO” or device registration scopes, as these are rarely seen in legitimate line-of-business apps.

Monitoring for PRT anomalies is critical. Microsoft 365 Defender and Sentinel can be configured to raise alerts when a PRT is used from an unusual geographic location or a browser fingerprint that does not match the user’s typical pattern. Any instance of a new enterprise application being registered outside of IT change windows should be investigated immediately. The Unified Audit Log tracks “Add application” and “Consent to application” events; these should be streamed to a SIEM and correlated with user travel or login anomalies.
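As an added illustration of the consent audit and audit-log monitoring described in the two paragraphs above (example code, not Cisco Talos’s or any vendor’s), the following Python flags application registration and consent events that carry the permission set, lookalike names or timing the article associates with ARToken, and correlates them with recent device-code sign-ins. The flat record layout, the "deviceCode" protocol value, the change window and the sample records are assumptions.

```python
"""Triage app registration/consent events from the Unified Audit Log and correlate them
with recent device-code sign-ins. Added example; the flat record layout is an assumption."""
import re
from datetime import datetime, timedelta

WATCHED_OPS = {"Add application.", "Consent to application."}  # operations named in the article
HIGH_RISK_SCOPES = {"Mail.ReadWrite", "Files.ReadWrite", "Sites.ReadWrite.All", "Directory.Read.All"}
LOOKALIKE = re.compile(r"migration agent|online reporting", re.I)  # article's lure app names
WINDOW_HOURS = range(9, 17)          # assumed change window: weekdays 09:00-17:00 UTC
CORRELATION = timedelta(hours=24)    # how far back to look for a device-code sign-in

def device_code_logins(signins):
    """Map user -> sign-in times that used the device code flow (timestamps assumed UTC)."""
    out = {}
    for s in signins:
        if s["AuthenticationProtocol"] == "deviceCode":
            out.setdefault(s["UserId"], []).append(datetime.fromisoformat(s["CreationTime"]))
    return out

def score_event(ev, dc_logins):
    """Return the reasons an event is suspicious; an empty list means not flagged."""
    if ev["Operation"] not in WATCHED_OPS:
        return []
    reasons, ts = [], datetime.fromisoformat(ev["CreationTime"])
    if ts.weekday() >= 5 or ts.hour not in WINDOW_HOURS:
        reasons.append("outside change window")
    risky = HIGH_RISK_SCOPES & set(ev.get("Permissions", []))
    if risky:
        reasons.append("high-risk scopes: " + ", ".join(sorted(risky)))
    if LOOKALIKE.search(ev.get("AppDisplayName", "")):
        reasons.append("lookalike app name")
    if any(timedelta(0) <= ts - t <= CORRELATION for t in dc_logins.get(ev["UserId"], [])):
        reasons.append("actor signed in via device code flow within 24h")
    return reasons

def triage(events, signins):
    """Return {event id: reasons} for every flagged event."""
    dc = device_code_logins(signins)
    return {e["Id"]: r for e in events if (r := score_event(e, dc))}

SIGNINS = [{"UserId": "jdoe@example.com", "CreationTime": "2024-05-10T21:05:00",  # constructed
            "AuthenticationProtocol": "deviceCode"}]
EVENTS = [  # constructed sample records, not real tenant data
    {"Id": "1", "Operation": "Add application.", "UserId": "jdoe@example.com",
     "CreationTime": "2024-05-11T02:14:00", "AppDisplayName": "SharePoint Migration Agent",
     "Permissions": ["Mail.ReadWrite", "Sites.ReadWrite.All", "offline_access"]},
    {"Id": "2", "Operation": "Consent to application.", "UserId": "admin@example.com",
     "CreationTime": "2024-05-13T10:30:00", "AppDisplayName": "Expense Portal",
     "Permissions": ["User.Read"]},
]
```

Event 1 is flagged on all four signals (Saturday 02:14, two of the listed scopes, a lookalike name, and a device-code sign-in five hours earlier); the weekday admin consent to a low-privilege app is not.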

User education must evolve beyond generic phishing awareness. Include device code phishing in training modules, emphasizing that legitimate IT will never ask them to visit microsoft.com/devicelogin to enter a code sent via email. Encourage users to report such requests immediately. Organizations using Microsoft Defender for Office 365 should create custom detection rules for emails containing the “/devicelogin” URL combined with a device code pattern.
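The custom mail detection rule suggested above, as an added Python example (not Cisco Talos or Microsoft code): it blocks only when a device-login URL and a device-code-like token occur together, so a legitimate how-to that merely mentions the URL goes to review instead of being blocked. The code-token pattern, the urgency keywords and the sample messages are assumptions.

```python
"""Mail-filter logic for device code phishing lures: flag a message only when a
Microsoft device-login URL and a device-code-like token appear together. Added
example, not Cisco Talos or Microsoft code; the code pattern is an assumption."""
import re

# Destinations the device authorization flow sends users to: microsoft.com/devicelogin
# is named in the article; aka.ms/devicelogin and the deviceauth page are its targets.
DEVICELOGIN_URL = re.compile(
    r"https?://(?:www\.)?(?:microsoft\.com/devicelogin|aka\.ms/devicelogin"
    r"|login\.microsoftonline\.com/common/oauth2/deviceauth)", re.I)
# Assumed code shape: the word "code" followed within 20 chars by 8-12 upper-case
# letters/digits. Only "code" is matched case-insensitively, so ordinary prose does not match.
DEVICE_CODE = re.compile(r"\b(?i:code)\b\W{0,20}\b([A-Z0-9]{8,12})\b")
# Pressure language typical of the lures the article describes; raises priority only.
URGENCY = re.compile(r"urgent|immediately|within \d+ hours|will be suspended", re.I)

def classify(message):
    """Return (verdict, details). 'block' = URL and code co-occur, 'review' = URL
    only (could be a legitimate how-to), 'allow' = neither signal present."""
    text = message["subject"] + "\n" + message["body"]
    url, code = DEVICELOGIN_URL.search(text), DEVICE_CODE.search(text)
    details = {"url": url.group(0) if url else None,
               "code": code.group(1) if code else None,
               "urgency": bool(URGENCY.search(text))}
    if url and code:
        return "block", details
    return ("review" if url else "allow"), details

# Constructed sample messages (not real mail).
SAMPLE_MESSAGES = [
    {"subject": "Urgent: security action required",
     "body": "IT Helpdesk here. Go to https://microsoft.com/devicelogin and enter code "
             "XBG7QK2TD within 24 hours or your mailbox will be suspended."},
    {"subject": "Signing in on the meeting-room display",
     "body": "The screen shows a code; open https://microsoft.com/devicelogin on your "
             "laptop and type it there. Reply to IT with questions."},
    {"subject": "Summer promotion",
     "body": "Use discount code SUMMER2024 at checkout before Friday."},
]
```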

Finally, incident response playbooks should account for PRT persistence. Since password resets do not revoke PRT cookies, the proper containment steps include: revoking all refresh tokens of the compromised user, removing malicious enterprise applications, invalidating all active PRTs via the Microsoft Graph API, and resetting the user’s session tokens. For the most sensitive accounts, a full device revoke through the “Revoke-AzureADUserAllRefreshToken” cmdlet along with re-imaging the user’s machine may be necessary.

The broader landscape

ARToken’s emergence underscores a worrying shift in the phishing underground. The PhaaS market is consolidating around platforms that emulate the usability of legitimate SaaS products. ARToken’s React interface, complete with dashboards, analytics, and multi-tenant management, reflects a professionalization that dramatically lowers the barrier to entry for tenant-level attacks.

Microsoft has made incremental improvements—such as the ability to block legacy authentication and device code flows through Conditional Access—but the granularity remains imperfect. Meanwhile, attackers continue to find creative ways to chain legitimate OAuth flows with token replay. The combination of device code phishing and PRT persistence represents an attack chain that current native detections struggle to recognize because each individual step appears benign.

As Cisco Talos and other research teams continue to track ARToken and EvilTokens, the data suggests that the panel’s operators are actively developing new modules, including integrations with Microsoft Teams for voice phishing (vishing) and the ability to abuse Entra ID application proxy for on-premises pivoting. Security teams should assume that these techniques will become more widespread and incorporate them into threat models immediately.

Conclusion

ARToken is not just another phishing kit; it is a full-fledged operations platform that merges sophisticated initial access, stealthy persistence, and targeted abuse of Microsoft 365 services into an easy-to-use package. The tie to the EvilTokens ecosystem suggests a mature, well-resourced adversary group that will continue to iterate. For defenders, the takeaway is clear: device code flows must be blocked unless explicitly necessary, application consent must be rigorously controlled, and PRT monitoring must become a core part of the security posture. Without these measures, organizations risk a compromise that doesn’t just burst in but moves in and stays for the long haul.