New Phishing Kit 'ARToken' Exposes Full Microsoft 365 Takeover Playbook
Cisco Talos researchers found more than 80 hidden commands inside a phishing service tied to the EvilTokens platform — including tools to steal Microsoft 365 logins, read mailboxes, and quietly hide their tracks.

Key points
- Cisco Talos researchers uncovered a phishing service called ARToken with more than 80 hidden commands built to attack Microsoft 365 accounts.
- ARToken appears to be an affiliate of EvilTokens, a commercial phishing platform sold for a $1,500 setup fee and $500 a month, first documented by Sekoia in March 2025.
- The kit lets criminals bypass multi-factor authentication by abusing Microsoft's own device-code login page.
- Push Security reported in April 2025 that device-code phishing attacks jumped 37-fold over the previous year, with at least 11 kits now offering the technique.
- Attackers use the platform to read Outlook mail, steal SharePoint and OneDrive files, and silently create inbox rules that hide their activity.
Cisco Talos has pulled apart a phishing service that gives ordinary criminals a full takeover kit for Microsoft 365, the email and file system used by most large employers.
The service is called ARToken. Talos found it while investigating a real intrusion. Its control panel — the web page criminals log into to run their attacks — quietly exposed more than 80 commands that reveal exactly how the tool works.
ARToken looks like an affiliate of a bigger platform called EvilTokens, which security firm Sekoia first described in March 2025. EvilTokens is sold to criminals as a subscription: $1,500 to set up, then $500 a month.
How does the attack actually work?
It tricks you into logging in on Microsoft's real website — and then hands your session to the criminal.
The technique is called device-code phishing. Microsoft offers a feature where a device without a keyboard (say, a smart TV app) shows a short code, and you type that code into a Microsoft page to sign it in. The attacker starts that process on their own machine, then emails you the code and asks you to enter it, usually pretending an invoice or shared document is waiting.
When you type the code into Microsoft's genuine login page, Microsoft sends the sign-in tokens — the digital keys that prove you are logged in — straight to the attacker. Because you completed a real Microsoft login, multi-factor authentication (the second step, like a phone prompt) doesn't stop it. You already approved it.
Once inside, ARToken upgrades that access to something called a Primary Refresh Token, a longer-lasting key that lets the criminal come back for weeks without triggering another login.
What can the criminals do once they're in?
Almost anything the real employee could do. Talos found tools inside ARToken to:
- Read the victim's entire Outlook mailbox and send emails as them.
- Browse and steal files from SharePoint and OneDrive, the company's shared drives.
- Watch several hijacked mailboxes at once for keywords like "invoice" or "wire transfer."
- Create inbox rules that automatically hide or delete replies, so the real user never notices the fraud emails going out under their name.
That last piece matters. It is how business email compromise — where criminals impersonate a colleague or supplier to redirect a payment — stays hidden long enough to work.
Talos also found phishing pages that change what they show based on where the victim is browsing from, and a feature that hosts fake SharePoint pages inside the attacker's own Microsoft 365 account. To the victim, the link looks like a normal Microsoft address.
Sekoia's follow-up research, cited by Talos and first reported by BleepingComputer, went further: EvilTokens now feeds stolen mailboxes into an AI system that scores how much money the victim company handles, then drafts fake payment emails and translates them into other languages for the operator.
What should ordinary users watch for?
Any email asking you to enter a short code on a Microsoft login page — especially one you didn't start yourself — should be treated as suspicious. Real Microsoft sign-ins begin on your device, not because someone emailed you a code.
If your job involves paying invoices, slow down on anything marked urgent from a vendor. Call the sender on a known number before changing bank details. That single habit defeats most of what ARToken is built to do.
Full technical detail is in the Cisco Talos writeup.



