A newly identified phishing panel called ARToken gives criminal operators an easy way to steal Microsoft 365 session tokens without ever touching a victim's password. Instead of harvesting credentials, the kit abuses the OAuth device code flow, a legitimate Microsoft sign-in method designed for devices without a keyboard or browser, and tricks victims into approving what looks like a routine login.
A Password-Free Path to Account Takeover
Cisco Talos said it identified the panel while investigating phishing infrastructure tied to an incident response case, eventually tracing the code back to a live management dashboard that exposed its own toolkit publicly. Talos found that ARToken shares infrastructure, coding patterns, and backend commands with EvilTokens, a phishing-as-a-service platform documented earlier this year by researchers at Sekoia and later confirmed by Microsoft as a large-scale threat. By the time Microsoft acknowledged the scale of these device-code attacks, researchers had already tracked roughly 500 Cloudflare Workers domains and more than 2,000 phishing pages tied to the broader operation, with affiliates targeting finance, HR, and logistics staff using AI-generated, victim-tailored lures.
ARToken appears to be a rebranded or closely related offshoot of that ecosystem, built for affiliates who want a more polished interface and deeper post-breach tooling. Once an operator has a stolen token, the panel provides a dashboard with more than eighty functions, including refreshing expired tokens, reading a victim’s full inbox, and browsing or downloading files directly from SharePoint and OneDrive.
How the Attack Plays Out
The lure typically impersonates a real vendor contact rather than inventing a fictitious company. In one case Talos examined, the email spoofed an accounts payable contact at a legitimate contractor and pointed the recipient to what appeared to be a genuine SharePoint link tied to an outstanding invoice. The visible link text resolved to the vendor’s real SharePoint tenant, but silently redirected to a near-identical, attacker-controlled workspace, letting the message slip past spam filters and cautious readers because the domain itself checked out.
From there, victims land on a spoofed Microsoft device login page that displays a device code and sends them to the genuine microsoft.com/devicelogin address to enter it, a flow that feels routine to anyone who has set up a smart TV or streaming app. The code was requested by the attacker's client, so when the victim enters it and completes the real Microsoft sign-in, password and MFA included, Microsoft issues the resulting tokens to the attacker's polling backend. The kit never has to capture a password or MFA code; it simply waits for the token endpoint to return a working access token.
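The exchange described above, reduced to its three messages, as an added example that is not part of the original article or of the ARToken kit. It simulates the OAuth 2.0 device authorization grant (RFC 8628) entirely in memory: the identity provider, the client ID, the scopes and the token values are constructed stand-ins, not Microsoft endpoints. The point it makes is that the password and MFA check happens only between the victim and the identity provider, while the tokens are handed to whoever requested the code.

```python
"""Local simulation of the OAuth 2.0 device authorization grant (RFC 8628)
as abused by device-code phishing. Added example: the identity provider,
client ID, scopes and token values are constructed stand-ins, not
Microsoft's endpoints or the phishing kit's own code."""
import secrets
import time


class AuthorizationServer:
    """Toy identity provider keeping device-code sessions in memory."""

    def __init__(self):
        self.sessions = {}       # device_code -> session state
        self.by_user_code = {}   # user_code -> device_code

    def device_authorization(self, client_id, scope):
        """Step 1: the requesting client (here, the attacker's backend) asks for a code pair."""
        device_code = secrets.token_urlsafe(24)
        user_code = "".join(secrets.choice("BCDFGHJKLMNPQRSTVWXZ") for _ in range(9))
        self.sessions[device_code] = {
            "user_code": user_code, "client_id": client_id, "scope": scope,
            "approved_by": None, "expires_at": time.time() + 900,
        }
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://idp.example/devicelogin",
                "expires_in": 900, "interval": 5}

    def user_approves(self, user_code, username, password_ok, mfa_ok):
        """Step 2: the victim types the user code on the IdP's genuine page.
        Password and MFA are verified here, by the IdP; the client that
        requested the code never sees them."""
        device_code = self.by_user_code.get(user_code)
        if device_code is None or not (password_ok and mfa_ok):
            return False
        self.sessions[device_code]["approved_by"] = username
        return True

    def token(self, device_code, client_id):
        """Step 3: the requesting client polls the token endpoint."""
        s = self.sessions.get(device_code)
        if s is None or s["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if time.time() > s["expires_at"]:
            return {"error": "expired_token"}
        if s["approved_by"] is None:
            return {"error": "authorization_pending"}
        return {"token_type": "Bearer", "scope": s["scope"], "subject": s["approved_by"],
                "access_token": "at-" + secrets.token_hex(8),
                "refresh_token": "rt-" + secrets.token_hex(8)}


def run_phish(idp, victim_completes_login=True):
    """Attacker's side of the exchange, end to end, against the toy IdP."""
    client_id = "public-client-id"   # public client: no client secret needed
    start = idp.device_authorization(client_id, "Mail.Read Files.Read offline_access")
    # The lure page displays start["user_code"] and points the victim at the
    # real verification_uri; nothing on the phishing page handles credentials.
    pending = idp.token(start["device_code"], client_id)
    assert pending == {"error": "authorization_pending"}
    if victim_completes_login:
        idp.user_approves(start["user_code"], "victim@corp.example",
                          password_ok=True, mfa_ok=True)
    return idp.token(start["device_code"], client_id)


if __name__ == "__main__":
    print(run_phish(AuthorizationServer()))
```

Running the file prints a bearer token bound to the victim's identity even though `run_phish` never sees a password or MFA code. Swapping `victim_completes_login` to `False` leaves the attacker polling `authorization_pending` until the code expires, which is why the lure has to be convincing enough to get the code typed in within the validity window.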
Built-In Evasion and Long-Term Persistence
Before the phishing page even loads fully, the kit runs a seven-layer screening process meant to filter out automated scanners: checking browser fingerprints, watching for natural mouse movement, and introducing a delay of nearly a full second to mimic human behavior.
The stolen token is only the starting point. ARToken can escalate it into a longer-lived credential known as a primary refresh token, which continues to work even after the victim changes their password, a key difference from older phishing techniques that a simple password reset would neutralize. From there, operators can read a victim’s email, send messages that appear to come from the compromised account, and quietly create inbox rules that hide or forward evidence of the intrusion.
Indicators and Recommendations
Talos published several indicators tied to the observed campaign, including management-panel domains, a Cloudflare Workers deployment used for lures, spoofed SharePoint tenant URLs, and a hardcoded operator identifier embedded in the kit’s device-code API calls.
- Treat any unexpected device code prompt as suspicious, especially outside of setting up a new streaming or IoT device.
- Confirm unusual invoice, contract, or document requests through a separate, already-trusted communication channel.
- Monitor Microsoft Entra ID sign-in logs for device code flow authentications (the authentication protocol field records them), particularly when the same account then obtains tokens from an unfamiliar IP address, and for unexpected device registrations, since a primary refresh token is only issued to a registered device. Where no legitimate workload needs it, block the device code flow outright with a Conditional Access policy using the authentication flows condition.
- Educate finance, HR, and logistics staff specifically, since these roles are being disproportionately targeted by AI-tailored lures.
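One way to implement the sign-in log check from the recommendations above, as an added example that is not code from the article or from Talos. The field names follow the Microsoft Graph signIn resource (`authenticationProtocol`, `ipAddress`, `appDisplayName`), but the records are constructed for this example, and the "new IP after a device-code sign-in" heuristic and its two-hour window are assumptions to tune against your own baseline.

```python
"""Triage of constructed Entra-style sign-in records for device-code abuse.
Added example: field names mirror the Microsoft Graph signIn resource, but
every record, IP and timestamp below is invented for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log. ap@ signs in normally, then completes a device-code
# login, after which tokens are redeemed from an IP the account never used.
SIGN_INS = [
    {"createdDateTime": "2025-03-10T08:55:00Z", "userPrincipalName": "ap@corp.example",
     "ipAddress": "203.0.113.10", "authenticationProtocol": "oAuth2",
     "appDisplayName": "Microsoft Teams", "errorCode": 0},
    {"createdDateTime": "2025-03-10T09:14:40Z", "userPrincipalName": "ap@corp.example",
     "ipAddress": "203.0.113.10", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "errorCode": 0},
    {"createdDateTime": "2025-03-10T09:16:05Z", "userPrincipalName": "ap@corp.example",
     "ipAddress": "198.51.100.77", "authenticationProtocol": "none",
     "appDisplayName": "Microsoft Office", "errorCode": 0},
    {"createdDateTime": "2025-03-10T09:30:00Z", "userPrincipalName": "hr@corp.example",
     "ipAddress": "203.0.113.11", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "errorCode": 0},
    {"createdDateTime": "2025-03-10T10:00:00Z", "userPrincipalName": "ops@corp.example",
     "ipAddress": "203.0.113.12", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "errorCode": 50126},  # failed: constructed
]


def parse_ts(value):
    """Graph timestamps are UTC ISO 8601 with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_device_code_abuse(records, window=timedelta(hours=2)):
    """Alert on every successful device-code sign-in. Severity is raised to
    'high' when the same account then obtains tokens, within `window`, from an
    IP address it had not used in any earlier successful sign-in."""
    records = sorted(records, key=lambda r: parse_ts(r["createdDateTime"]))
    seen_ips = defaultdict(set)   # per-user baseline built from earlier successes
    alerts = []
    for i, rec in enumerate(records):
        if rec["errorCode"] != 0:
            continue              # failed attempts never enter the baseline
        user = rec["userPrincipalName"]
        if rec["authenticationProtocol"] == "deviceCode":
            t0 = parse_ts(rec["createdDateTime"])
            baseline = seen_ips[user] | {rec["ipAddress"]}
            new_ips = sorted({
                later["ipAddress"] for later in records[i + 1:]
                if later["userPrincipalName"] == user and later["errorCode"] == 0
                and parse_ts(later["createdDateTime"]) - t0 <= window
                and later["ipAddress"] not in baseline
            })
            alerts.append({"user": user, "at": rec["createdDateTime"],
                           "app": rec["appDisplayName"],
                           "severity": "high" if new_ips else "medium",
                           "new_ips": new_ips})
        seen_ips[user].add(rec["ipAddress"])
    return alerts


if __name__ == "__main__":
    for alert in find_device_code_abuse(SIGN_INS):
        print(alert)
```

The device-code sign-in itself is logged against the victim's own browser IP, because that is where the code was entered; what gives the attacker away is the token use that follows from infrastructure the account has never touched. A medium alert on its own still deserves a look in a tenant where nobody legitimately uses device code flow.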