ARToken: New Phishing-as-a-Service Targets Microsoft 365 Accounts

ARToken: New Phishing-as-a-Service Targets Microsoft 365 Accounts

First seen 1 Jul 2026, 10:45 UTC CyberscoopBlog.Talosintelligenceblog.talosintelligene.com 83% similarity 69.5
Share:

Article Content

Browse articles
ThreatCluster

The ARToken platform, linked to the EvilTokens phishing-as-a-service operation, has been identified as a sophisticated tool for business email compromise (BEC) targeting Microsoft 365 accounts. It utilizes advanced techniques to bypass multi-factor authentication, with a reported increase in phishing attacks by 1,380% in early 2026. The platform employs AI to enhance its phishing lures and includes features like inbox rule manipulation. Cisco Talos researchers discovered that ARToken's phishing messages spoof legitimate vendor communications, making them more convincing. The campaign's scale and effectiveness have raised alarms, with Microsoft confirming the significant threat posed by these attacks. The platform is sold for $1,500 plus a monthly fee, indicating a commercial aspect to the cybercrime operation. Current investigations are ongoing to assess the full extent of the threat and its impact on various sectors.

Key Points: • ARToken is a phishing-as-a-service platform linked to the EvilTokens operation. • Phishing attacks using ARToken have surged by 1,380% in early 2026. • The platform employs AI for targeted lures and includes advanced features like inbox rule manipulation.

ThreatCluster AI

Timeline

2026-03-01
Sekoia publishes analysis of EvilTokens
Sekoia's research reveals EvilTokens' use of OAuth 2.0 to bypass MFA and capture tokens.
Blog.Talosintelligence
2026-04-01
Microsoft confirms scale of EvilTokens campaign
Microsoft acknowledges the significant threat posed by EvilTokens, noting higher success rates than previous attacks.
Blog.Talosintelligence
2026-07-01
Cisco Talos reports on ARToken platform
Cisco Talos identifies ARToken as a mature BEC-as-a-service platform with advanced phishing capabilities.
Cyberscoop

Community

Browse all →