ARToken PhaaS reveals EvilTokens Microsoft 365 toolkit
🛡️ Cisco Talos uncovered a React-based ARToken management panel exposing 80+ API endpoints and client-side code that reveals expanded phishing capabilities. The platform, tied to the EvilTokens ecosystem, automates Microsoft 365 account compromise by stealing authentication tokens, obtaining persistent Primary Refresh Tokens (PRTs), and accessing Outlook, SharePoint, and OneDrive. ARToken deploys Cloudflare Workers, supports multi-tenant affiliate operations, and includes tools for BEC automation and mailbox monitoring.
