EvilTokens' ARToken Exposes Microsoft 365 Phishing Kit

ARToken, a new phishing-as-a-service platform, exposes EvilTokens' toolkit for compromising Microsoft 365 accounts, even bypassing MFA. Learn how this AiTM attack works and how to protect your business.

A new phishing-as-a-service (PhaaS) platform called "ARToken" has emerged, and it's giving security researchers an inside look at a pretty sophisticated toolkit aimed at Microsoft 365 users. Think of it like a shady franchise operation, where ARToken acts as an affiliate of the larger EvilTokens network. This means anyone can essentially rent the tools to launch convincing phishing attacks, all without needing much technical know-how.

### What Exactly Is ARToken?

So what is ARToken? It's a service that provides everything a scammer needs to steal Microsoft 365 credentials. We're talking about pre-built login pages that look just like the real thing, plus automated systems to send out phishing emails and collect stolen info. The scary part? It's designed to bypass multi-factor authentication (MFA) by using a technique called adversary-in-the-middle (AiTM). Basically, it sits between the user and the real Microsoft login, so even if you enter a code, the attacker grabs it.

### How the Attack Works

The attack starts with a seemingly legit email, maybe about a shared document or a security alert. When you click the link, you land on a page that looks exactly like Microsoft's login screen. But here's the twist: that page is actually a proxy sending your every keystroke straight to the hacker. Even your MFA code gets relayed, letting the attacker log in as you. This is why MFA alone isn't a magic bullet anymore.

### Who's at Risk?

This toolkit is especially dangerous for businesses and professionals who rely on Microsoft 365 for email, files, and collaboration. Think about it: if a CEO's account gets compromised, the attacker can send fake invoices, access sensitive contracts, or even set up email rules to forward confidential data. And since the phishing pages are hosted on legitimate-looking domains, they often fly under the radar of basic security filters.

### What Can You Do?

- **Enable conditional access policies** in your Microsoft 365 admin center. This can block logins from unusual locations or devices.
- **Use phishing-resistant MFA**, like FIDO2 security keys. These can't be intercepted by AiTM attacks.
- **Train your team** to spot red flags: urgent language, mismatched URLs, or requests for credentials. A quick hover over a link can reveal a lot.
- **Monitor sign-in logs** for anomalies, like logins from unfamiliar IP addresses or at odd hours.

### The Big Picture

ARToken is just one example of how cybercrime is becoming a service industry. These platforms lower the barrier to entry, meaning more attacks and more victims. But awareness is your best defense. By understanding how these attacks work, you can take simple steps to protect yourself and your organization. Stay sharp, and don't let a fake login page catch you off guard.
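
The sign-in monitoring recommended under "What Can You Do?" can be sketched as a small script. This is an added example, not code from the article or from any vendor: it builds a per-user baseline of familiar IP addresses and flags sign-ins from unfamiliar addresses or at odd hours, which is how a login relayed through an AiTM proxy tends to show up. The records are constructed, the field names follow the Microsoft Graph signIn resource, and the working-hours window and `find_anomalies` helper are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not real log data). Field names follow the
# Microsoft Graph signIn resource; IPs come from RFC 5737 documentation ranges.
SIGN_INS = [
    {"userPrincipalName": "ceo@example.com", "ipAddress": "192.0.2.10", "createdDateTime": "2024-05-06T09:02:11Z"},
    {"userPrincipalName": "ceo@example.com", "ipAddress": "192.0.2.10", "createdDateTime": "2024-05-07T08:47:30Z"},
    {"userPrincipalName": "ceo@example.com", "ipAddress": "203.0.113.77", "createdDateTime": "2024-05-08T02:14:05Z"},
    {"userPrincipalName": "pat@example.com", "ipAddress": "198.51.100.4", "createdDateTime": "2024-05-07T10:15:00Z"},
    {"userPrincipalName": "pat@example.com", "ipAddress": "198.51.100.4", "createdDateTime": "2024-05-07T23:40:12Z"},
    {"userPrincipalName": "pat@example.com", "ipAddress": "198.51.100.9", "createdDateTime": "2024-05-08T11:05:00Z"},
]

# Assumption: 07:00-19:59 UTC is "normal hours"; tune per user or time zone.
WORK_HOURS = range(7, 20)


def find_anomalies(records, work_hours=WORK_HOURS):
    """Walk sign-ins in time order; flag unfamiliar IPs and odd-hour logins."""
    known_ips = defaultdict(set)  # user -> IPs seen on earlier clean sign-ins
    findings = []
    for rec in sorted(records, key=lambda r: r["createdDateTime"]):
        user, ip = rec["userPrincipalName"], rec["ipAddress"]
        when = datetime.strptime(rec["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")
        reasons = []
        # Judge IP familiarity only once the user has a baseline at all.
        if known_ips[user] and ip not in known_ips[user]:
            reasons.append("unfamiliar_ip")
        if when.hour not in work_hours:
            reasons.append("odd_hour")
        if reasons:
            findings.append((user, ip, rec["createdDateTime"], reasons))
        else:
            # Only clean sign-ins extend the baseline, so a flagged address
            # never becomes "familiar" without an analyst confirming it.
            known_ips[user].add(ip)
    return findings


if __name__ == "__main__":
    for user, ip, ts, reasons in find_anomalies(SIGN_INS):
        print(f"{ts} {user} {ip} -> {', '.join(reasons)}")
```

A sign-in that trips both checks at once, like the third constructed record, is the one to triage first.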