CISCO TALOS BLOG
ARToken: Inside an EvilTokens affiliate panel targeting Microsoft 365
HIGH Microsoft 365 Primary Refresh Token device code phishing BEC
Strategic summary
ARToken is a fully automated PhaaS panel with 80+ API endpoints for targeted Microsoft 365 phishing, including persistent token acquisition via Microsoft Authentication Broker and SharePoint exfiltration , an escalated threat model compared to earlier EvilTokens reporting.
Relevance for you
ARToken is a fully automated PhaaS panel with 80+ API endpoints for targeted Microsoft 365 phishing, including persistent token acquisition via Microsoft Authentication Broker and SharePoint exfiltration , an escalated threat model compared to earlier EvilTokens reporting.
Risk score
Review required 12
- cvss base
- 0.00
- kev bonus
- 0.00
- epss bonus
- 0.00
- poc bonus
- 15.00
- raw before weight
- 15.00
- industry weight
- 1.21
- freshness factor
- 1.00
- exploitability factor
- 1.00
- days old
- 0.00
- vendor mismatch penalty
- 0.00
- consensus penalty
- -8.00
Path: operational
Consensus check
The pipeline self-checks before delivery. These rules lowered the score:
-
TTP_MISMATCHATT&CK techniques in text absent from structured mapping −8
- Consensus penalty:
- −8.0
- Total penalty:
- −8.0
MITRE ATT&CK mapping
5 TTPsProcedure details
| Technique | Tactic | Procedure | Conf. | Source |
|---|---|---|---|---|
| T1566.002 | Technique T1566.002 explicitly referenced in source: Cisco Talos Blog | high | primary | |
| T1528 | Technique T1528 explicitly referenced in source: Cisco Talos Blog | high | primary | |
| T1098.001 | Technique T1098.001 explicitly referenced in source: Cisco Talos Blog | high | primary | |
| T1114.002 | Technique T1114.002 explicitly referenced in source: Cisco Talos Blog | high | primary | |
| T1550.001 | Technique T1550.001 explicitly referenced in source: Cisco Talos Blog | high | primary |