ARToken Phishing Kit Bypasses MFA with PRT Persistence Trick
A newly discovered phishing-as-a-service (PhaaS) platform dubbed “ARToken” shares deep infrastructure and code-level overlaps with EvilTokens, but expands significantly on post-compromise capabilities against Microsoft 365 environments, according to Cisco Talos research.
ARToken operates as a React single-page application (SPA) exposing more than 80 API endpoints, covering device-code phishing, Primary Refresh Token (PRT) persistence, mailbox takeover, business email compromise (BEC) workflows, and SharePoint exfiltration.
Affiliates access these capabilities through a polished dashboard and a companion Windows utility called “ARTBrowser”.
ARToken Phishing Kit Bypasses MFA
Talos traced the panel to “dashboard-bl.pamconj[.]com,” with the associated command-and-control API operating at “spx.pamconj[.]com,” and phishing lures deployed through Cloudflare Workers accounts.

Because SPAs ship all client-side logic to the browser, researchers extracted and reverse-engineered a 1.7MB JavaScript bundle without authenticating, revealing the full API surface including device-code, PRT setup, refresh, and renewal endpoints, alongside token export/import, inbox rule manipulation, and mass BCC sending functions.
Several technical fingerprints link ARToken to EvilTokens, first documented by Sekoia and Microsoft in early 2026. Sekoia’s original research abused Microsoft’s OAuth 2.0 Device Authorization Grant (RFC 8628) to capture victim tokens while bypassing MFA entirely, and had catalogued roughly 500 Cloudflare Workers domains and over 1,000 phishing pages by the time of Microsoft’s publication.
ARToken’s device-code endpoint returns an identical JSON contract to the one Sekoia documented, and both platforms use a non-standard “clientMode: broker” flag that triggers Microsoft’s Authentication Broker (WAM) flow to acquire PRTs enabling attacker persistence that survives password resets.
ARToken introduces a markedly more sophisticated evasion stack than the server-side X-Antibot-Token mechanism documented in prior EvilTokens research.
Talos identified a seven-layer anti-analysis system combining client-side behavioral verification including User-Agent checks, feature fingerprinting, and interaction telemetry with XOR-encrypted payloads decrypted at runtime, complicating static detection efforts.
Talos recovered two near-identical invoice-query messages sent roughly four minutes apart on April 20, 2026, spoofing an accounts-payable contact at a legitimate Wisconsin contractor and reaching a payments recipient at a U.S. life-sciences company.
Researcher Michael Kelley noted the tradecraft was “targeted, not spray-and-pray,” abusing a real vendor relationship rather than inventing a sender.
The “from” header displayed the contractor’s genuine domain, while the reply-to address quietly redirected responses elsewhere, and victims were ultimately guided to microsoft.com/devicelogin.
Beyond initial token capture, ARToken’s panel revealed a comprehensive post-exploitation toolkit featuring full Outlook inbox read access, email sending as the victim, inbox rule creation for message forwarding and deletion, and keyword-based monitoring across all compromised accounts.
Kelley wrote that these features indicate “the platform is more mature than a simple device code phishing kit it is a complete BEC operations environment”.
The ARToken panel has since gone dark, with Kelley noting Talos “did not coordinate a takedown, but the panel is no longer accessible; likely moved”.
Security teams should monitor for anomalous device registration events, audit PRT lifecycles, enforce revocation policies, and treat unexpected SharePoint links with heightened scrutiny even when they appear legitimate.
No Comment! Be the first one.