New ARToken phishing platform targets Microsoft 365 users

 

New ARToken phishing platform targets Microsoft 365 users

A new phishing-as-a-service service, called ‘ARToken,’ is providing advanced tools designed to target Microsoft 365 accounts, according to security researchers at Cisco Talos who found the platform while investigating phishing activity. They say that ARToken can steal authentication tokens, maintain long-term access to accounts, and give attackers access to Outlook, SharePoint, and OneDrive data.

Researchers believe ARToken is linked to the EvilTokens phishing platform because both share similar technical features and use Microsoft's device code authentication process to trick victims into granting account access.

Cisco Talos also found that ARToken includes tools for business email compromise (BEC) attacks. Threat actors can read and send emails from compromised accounts, create inbox rules to hide their activity, monitor mailboxes for specific keywords, and download email attachments. The platform also allows criminals to browse and steal files stored in SharePoint and OneDrive.

The researchers found additional features that had not been seen in previous EvilTokens attacks, including monitoring multiple stolen accounts at once, sharing access between attackers, importing stolen authentication tokens from other sources, and using phishing pages that change based on a victim's location. The phishing emails linked to the platform often impersonate trusted vendors and use fake SharePoint pages to trick employees into revealing their credentials.

Back to the list