Cisco Talos found ARToken during an incident-response probe, exposing a React-based phishing panel with 80-plus API endpoints for device-code phishing, PRT persistence, mailbox access, BEC operations and SharePoint exfiltration.
Technical overlaps tie ARToken to EvilTokens: the same /api/device/start contract, the same clientMode "broker" flow for PRT capture, similar Cloudflare Workers lure deployment and matching token-persistence workflows.
A recovered April 20 lure showed how the campaign reaches victims: invoice emails spoofed a real Wisconsin contractor, failed SPF, DKIM and DMARC, and hid an attacker-controlled SharePoint link behind a legitimate-looking tenant name.
The kit adds a seven-layer anti-analysis system—mouse-movement checks, timing gates and XOR-encrypted payloads—then sends victims to microsoft.com/devicelogin with a 900-second code window.
Talos said the panel reveals a broader criminal toolkit than previously documented, including token import, shared operator access, inbox-rule manipulation, cross-mailbox keyword monitoring and full SharePoint file operations.
With AI now powering phishing-as-a-service, can traditional security measures keep pace with hyper-realistic attacks?
If attackers use Microsoft's own login page to bypass MFA, is any cloud service truly secure?
Inside ARToken: The 1,380% Surge in Device Code Phishing and the Evolution of Phishing-as-a-Service in 2026
Overview
ARToken has quickly become a major threat as a sophisticated Phishing-as-a-Service (PhaaS) platform, emerging in 2026 with advanced features and a user-friendly dashboard. Closely linked to the notorious EvilTokens platform—sharing infrastructure, API contracts, and operational patterns—ARToken is seen as either a direct evolution or a tightly integrated part of the EvilTokens ecosystem. EvilTokens was known for its large-scale, AI-powered phishing campaigns and automated device registration. Building on this foundation, ARToken offers over 80 malicious API endpoints, enabling affiliates to launch highly effective attacks and maintain persistent access to compromised accounts.
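Because the device-code flow described above is completed from the operator's machine rather than the victim's, the sign-in that redeems the code usually arrives from an IP the user has never used. The following Python is an added detection example, not code from the Talos report or from the ARToken kit; the events are constructed, and the field names (`authenticationProtocol`, `userPrincipalName`, `ipAddress`, `appDisplayName`) are assumed to follow the shape of Microsoft Graph signIn records.

```python
"""Flag device-code sign-ins and rank them by whether the source IP is new for the user."""
from collections import defaultdict

# Constructed sample events in the shape of Microsoft Graph signIn records.
# Field names are an assumption based on that resource; all values are made up.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.org", "ipAddress": "203.0.113.10",
     "authenticationProtocol": "none", "appDisplayName": "Outlook",
     "createdDateTime": "2026-04-20T09:01:00Z"},
    {"userPrincipalName": "alice@example.org", "ipAddress": "198.51.100.7",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Authentication Broker",
     "createdDateTime": "2026-04-20T14:22:00Z"},
    {"userPrincipalName": "bob@example.org", "ipAddress": "203.0.113.22",
     "authenticationProtocol": "none", "appDisplayName": "Teams",
     "createdDateTime": "2026-04-20T08:00:00Z"},
    {"userPrincipalName": "bob@example.org", "ipAddress": "203.0.113.22",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Visual Studio Code",
     "createdDateTime": "2026-04-20T10:05:00Z"},
]


def known_ips(events):
    """Per-user set of IPs seen on sign-ins that did NOT use the device code flow."""
    ips = defaultdict(set)
    for e in events:
        if e.get("authenticationProtocol") != "deviceCode":
            ips[e["userPrincipalName"]].add(e["ipAddress"])
    return ips


def flag_device_code_signins(events):
    """Return every device-code sign-in; severity is 'high' when the IP is new for that user.

    A device-code sign-in from an address already in the user's baseline (a developer
    logging in from a CLI tool on their usual workstation) is still worth a look, but
    one from an unseen address matches how a phishing kit redeems a victim's code."""
    baseline = known_ips(events)
    findings = []
    for e in events:
        if e.get("authenticationProtocol") != "deviceCode":
            continue
        upn = e["userPrincipalName"]
        new_ip = e["ipAddress"] not in baseline.get(upn, set())
        findings.append({
            "user": upn,
            "ip": e["ipAddress"],
            "app": e.get("appDisplayName", ""),
            "time": e.get("createdDateTime", ""),
            "severity": "high" if new_ip else "medium",
        })
    return findings
```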