Blog.Talosintelligence
ARToken: New Phishing-as-a-Service Targets Microsoft 365 Accounts
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
The ARToken platform, linked to the EvilTokens phishing-as-a-service operation, has been identified as a sophisticated tool for business email compromise (BEC) targeting Microsoft 365 accounts. It utilizes advanced techniques to bypass multi-factor authentication, with a reported increase in phishing attacks by 1,380% in early 2026. The platform employs AI to enhance its phishing lures and includes features like inbox rule manipulation. Cisco Talos researchers discovered that ARToken's phishing messages spoof legitimate vendor communications, making them more convincing. The campaign's scale and effectiveness have raised alarms, with Microsoft confirming the significant threat posed by these attacks. The platform is sold for $1,500 plus a monthly fee, indicating a commercial aspect to the cybercrime operation. Current investigations are ongoing to assess the full extent of the threat and its impact on various sectors.
Key Points: • ARToken is a phishing-as-a-service platform linked to the EvilTokens operation. • Phishing attacks using ARToken have surged by 1,380% in early 2026. • The platform employs AI for targeted lures and includes advanced features like inbox rule manipulation.