A new phishing-as-a-service platform called ARToken is an affiliate of EvilTokens, targeting Microsoft 365 accounts with an adversary-in-the-middle toolkit that defeats code- and push-based MFA by relaying it. Researchers reveal how it works and what you can do to stay safe.
A new phishing-as-a-service (PhaaS) platform called "ARToken" has surfaced, and it's essentially an affiliate version of the EvilTokens phishing kit. It is built to go after Microsoft 365 accounts, and researchers just got a good look at how it works.
Think of it like this: EvilTokens is the main operation, and ARToken is a reseller program. Anyone can pay a fee, get access to the toolkit, and start launching phishing attacks against Microsoft 365 users. It's a disturbing glimpse into how organized cybercrime has become.
### What Makes ARToken Dangerous?
ARToken isn't your average phishing page. It's a full-blown toolkit that automates the whole process. Here's what it does:
- **Bypasses multi-factor authentication (MFA):** This is the big one. ARToken is an adversary-in-the-middle (AitM) kit: the phishing site is a reverse proxy that sits between the victim and the real Microsoft login. Username, password and the MFA response (a one-time code, or an approved push prompt) are relayed to Microsoft in real time, so the login succeeds from Microsoft's point of view. The kit then captures the session cookie Microsoft issues after MFA. That cookie is the proof that MFA already happened, so whoever presents it is treated as the authenticated user and is not challenged again.
- **Targets Microsoft 365 specifically:** Because the kit proxies the genuine login flow, the victim sees Microsoft's real pages, branding and tenant customization rather than a static copy. The only visible difference is the domain in the address bar.
- **Offers a subscription model:** Attackers pay a monthly fee (prices range from $100 to $500 per month, depending on features) to use the platform.
- **Provides analytics and logs:** The dashboard shows how many credentials were stolen, which targets were hit, and other metrics. It's like a business dashboard for criminals.
> "This isn't a script kiddie operation. It's a professional service with customer support and regular updates. The people behind ARToken are treating phishing like a business." - Cybersecurity researcher, speaking on condition of anonymity.
### How the Attack Works
The attack chain is pretty straightforward, but effective. Here's the step-by-step:
1. **The bait:** The attacker sends a phishing email that looks like it's from Microsoft, often about a security alert or a shared document.
2. **The redirect:** The link in the email leads to a lookalike domain on ARToken's infrastructure. The page the victim sees is the real Microsoft 365 login, proxied through the attacker's server.
3. **The steal:** As the victim types their credentials and completes MFA, ARToken forwards each step to Microsoft and logs it. When Microsoft's login completes, the proxy is the party that receives the session cookie, and the kit saves it.
4. **The exploit:** The attacker imports that cookie into their own browser and opens Microsoft 365. The session is already authenticated, so no password or second factor is requested. The victim, who landed on a normal-looking mailbox, has no idea.
This is why MFA that can be relayed (SMS, one-time codes, push approvals) isn't enough anymore. Attackers have adapted, and tools like ARToken make it easy for anyone to bypass it.
### Who Should Be Worried?
If your organization uses Microsoft 365, this affects you. Period. Small businesses are especially vulnerable because they often lack the resources for advanced security training and tools. But even large enterprises with dedicated security teams have been hit.
The key takeaway is that phishing is evolving faster than most defenses. ARToken is just one example of a growing trend where cybercriminals offer their tools as a service, lowering the barrier to entry for anyone who wants to launch an attack.
### How to Protect Yourself and Your Team
You can't just rely on technology to solve this. It takes a combination of awareness, tools, and practices. Here are some practical steps:
- **Use phishing-resistant MFA:** Look into FIDO2 security keys, passkeys or certificate-based authentication. A FIDO2 credential is bound to the site's origin: the browser only releases it to the domain it was registered for, and the signed response records the origin it was used on, so an assertion captured on a lookalike domain is useless against the real login. The caveat is that this only helps if Conditional Access requires the phishing-resistant method; if weaker methods stay enabled, the proxy simply triggers one of those instead.
- **Train your people:** Run regular phishing simulations. Teach your team to scrutinize every email, especially ones that ask for login credentials, and to check the domain in the address bar rather than the look of the page.
- **Monitor for unusual activity:** Set up alerts for logins from new locations, devices, or IP addresses. The trace an AitM replay leaves in sign-in logs is a session that completed MFA from one IP (the proxy's, often a hosting provider) and is then used from a different IP, ASN or browser shortly afterward. Follow up on new inbox rules, mail forwarding and OAuth consent grants, which are the usual next steps after a mailbox takeover.
- **Implement conditional access policies:** Restrict access based on device compliance, location, and risk level. Requiring a compliant or Entra-joined device is particularly effective here, because the attacker's browser holds the victim's cookie but cannot present the victim's device identity. If you suspect a replayed session, revoke the user's sessions and refresh tokens; a password reset alone does not invalidate a cookie the attacker already has.
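The following is an added example, not code from the article or from any vendor, showing why the relay in "How the Attack Works" fails against the FIDO2 credentials recommended above. It models the two independent checks that defeat an AitM proxy: the browser only releases a credential to an origin its RP ID is scoped to, and the relying party (RP) rejects any assertion whose `clientDataJSON` origin is not its own. HMAC over a per-credential secret stands in for the authenticator's private-key signature so the script runs on the standard library alone; the layout of the signed data (`authenticatorData || SHA-256(clientDataJSON)`) and the order of the RP checks follow WebAuthn. The phishing hostname is constructed, and the RP ID check is simplified to a suffix match.

```python
from __future__ import annotations

import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse

RP_ID = "login.microsoftonline.com"
RP_ORIGIN = "https://login.microsoftonline.com"
PHISH_ORIGIN = "https://login.microsoftonline.com-account-verify.example"  # constructed lookalike


def register_credential() -> dict:
    """Registration: the authenticator mints a key scoped to RP_ID; the RP keeps the verifier."""
    return {"rp_id": RP_ID, "key": secrets.token_bytes(32)}


def authenticator_sign(cred: dict, origin: str, challenge: bytes) -> dict:
    """Raw authenticator output. `origin` is written by the browser, never by the page."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge.hex(), "origin": origin},
        sort_keys=True,
    ).encode()
    # authenticatorData = SHA-256(rpId) || flags (0x01 user present) || signCount
    auth_data = hashlib.sha256(cred["rp_id"].encode()).digest() + b"\x01" + b"\x00\x00\x00\x00"
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(cred["key"], signed, hashlib.sha256).digest()  # stand-in for the ECDSA signature
    return {"client_data": client_data, "auth_data": auth_data, "signature": sig}


def browser_get_assertion(cred: dict, origin: str, rp_id: str, challenge: bytes) -> dict:
    """navigator.credentials.get(): the browser checks rp_id against the page origin
    (simplified to a suffix match) before the authenticator is ever asked."""
    host = urlparse(origin).hostname or ""
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError(f"rp_id {rp_id!r} is not valid for origin {origin!r}")
    if cred["rp_id"] != rp_id:
        raise LookupError(f"no credential registered for rp_id {rp_id!r}")
    return authenticator_sign(cred, origin, challenge)


def rp_verify(cred: dict, assertion: dict, challenge: bytes) -> tuple[bool, str]:
    """Relying-party verification, in the order WebAuthn prescribes."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != challenge.hex():
        return False, "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    if assertion["auth_data"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(cred["key"], signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def scenario_legitimate() -> tuple[bool, str]:
    cred, challenge = register_credential(), secrets.token_bytes(32)
    return rp_verify(cred, browser_get_assertion(cred, RP_ORIGIN, RP_ID, challenge), challenge)


def scenario_aitm_relay() -> tuple[bool, str]:
    """The proxy forwards Microsoft's real request (rp_id=RP_ID) to the victim on the lookalike page."""
    cred, challenge = register_credential(), secrets.token_bytes(32)  # challenge the real RP issued
    try:
        browser_get_assertion(cred, PHISH_ORIGIN, RP_ID, challenge)
    except PermissionError as e:
        return False, f"browser refused: {e}"
    return True, "unexpected: browser released the credential"


def scenario_aitm_origin_check() -> tuple[bool, str]:
    """Even without the browser check, the RP rejects an assertion minted on the phishing origin."""
    cred, challenge = register_credential(), secrets.token_bytes(32)
    return rp_verify(cred, authenticator_sign(cred, PHISH_ORIGIN, challenge), challenge)


def scenario_aitm_rewrite_origin() -> tuple[bool, str]:
    """The proxy edits the origin to the real one; the hash covered by the signature changes."""
    cred, challenge = register_credential(), secrets.token_bytes(32)
    assertion = authenticator_sign(cred, PHISH_ORIGIN, challenge)
    cd = json.loads(assertion["client_data"])
    cd["origin"] = RP_ORIGIN
    assertion["client_data"] = json.dumps(cd, sort_keys=True).encode()
    return rp_verify(cred, assertion, challenge)


if __name__ == "__main__":
    for fn in (scenario_legitimate, scenario_aitm_relay, scenario_aitm_origin_check, scenario_aitm_rewrite_origin):
        print(f"{fn.__name__}: {fn()}")
```

Contrast this with a one-time code or push approval, which carries no origin at all: the proxy forwards it unchanged and Microsoft cannot tell it was typed on the wrong site.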
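The detection suggested under "Monitor for unusual activity" can be checked against sign-in telemetry. The script below is an added example, not from the article, that runs over constructed sign-in events (field names loosely follow the Entra ID sign-in log but are simplified; nothing here is real data). It flags a session that completed MFA interactively from one IP and was then used, within a time window, from a different IP, which is the trace left by the cookie replay in step 4 of the attack chain.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events. alice's session stays on one IP; bob's session completes MFA
# from 198.51.100.7 (the proxy) and is then used from 192.0.2.44 (the attacker).
SAMPLE_EVENTS = """\
{"time":"2024-05-02T08:01:10Z","user":"alice@example.com","ip":"203.0.113.10","sessionId":"s-1111","interactive":true,"mfa":"completed","userAgent":"Chrome/124 Windows"}
{"time":"2024-05-02T08:03:40Z","user":"alice@example.com","ip":"203.0.113.10","sessionId":"s-1111","interactive":false,"mfa":"claim in token","userAgent":"Chrome/124 Windows"}
{"time":"2024-05-02T08:15:02Z","user":"bob@example.com","ip":"198.51.100.7","sessionId":"s-2222","interactive":true,"mfa":"completed","userAgent":"Edge/124 Windows"}
{"time":"2024-05-02T08:19:55Z","user":"bob@example.com","ip":"192.0.2.44","sessionId":"s-2222","interactive":false,"mfa":"claim in token","userAgent":"Chrome/124 Linux"}
{"time":"2024-05-02T08:21:30Z","user":"bob@example.com","ip":"192.0.2.44","sessionId":"s-2222","interactive":false,"mfa":"claim in token","userAgent":"Chrome/124 Linux"}
"""


def parse_events(lines):
    """Parse one JSON event per line and return them sorted by time (input may be unordered)."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["time"] = datetime.fromisoformat(ev["time"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["time"])


def find_session_hijacks(lines, window=timedelta(hours=24)):
    """Return one alert per (user, session) whose MFA'd session is later used from another IP."""
    by_session = defaultdict(list)
    for ev in parse_events(lines):
        by_session[(ev["user"], ev["sessionId"])].append(ev)

    alerts = []
    for (user, session_id), evs in by_session.items():
        # Anchor on the interactive sign-in where MFA was actually performed.
        anchor = next((e for e in evs if e["interactive"] and e["mfa"] == "completed"), None)
        if anchor is None:
            continue  # no MFA event to compare against; out of scope for this rule
        later = [e for e in evs if anchor["time"] < e["time"] <= anchor["time"] + window]
        foreign = [e for e in later if e["ip"] != anchor["ip"]]
        if not foreign:
            continue
        replay_ips = []
        for e in foreign:
            if e["ip"] not in replay_ips:
                replay_ips.append(e["ip"])
        alerts.append({
            "user": user,
            "sessionId": session_id,
            "mfa_ip": anchor["ip"],
            "replay_ips": replay_ips,
            "seconds_to_first_replay": int((foreign[0]["time"] - anchor["time"]).total_seconds()),
            "user_agent_changed": any(e["userAgent"] != anchor["userAgent"] for e in foreign),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_session_hijacks(SAMPLE_EVENTS.splitlines()):
        print(json.dumps(alert))
```

An IP change inside one session is not proof of compromise on its own (mobile users roam between networks), so treat the hit as a triage lead, and weight it higher when the MFA IP belongs to a hosting provider the user has never signed in from or the browser fingerprint also changes, as in the constructed `bob` case.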
### The Bottom Line
ARToken is a reminder that the bad guys are getting smarter. They're building businesses around stealing access, and they're making it easier than ever for others to join in. Staying safe means staying vigilant, using authentication that can't be relayed, and never assuming you're not a target.
If you're responsible for security in any capacity, take this seriously. The threat landscape is shifting, and the old playbook won't cut it anymore.