A newly identified phishing kit named ARToken is enabling cybercriminals to hijack Microsoft 365 login sessions without needing to compromise passwords. The kit abuses a legitimate Microsoft sign-in feature, the OAuth 2.0 device code flow, which was designed for devices that lack a keyboard or browser, and misleads victims into approving a login on the attacker's behalf.
How ARToken Facilitates Phishing Attacks
ARToken distinguishes itself by not only capturing tokens but also offering a dashboard with more than eighty functions, including refreshing stolen tokens and browsing victims' email inboxes, SharePoint sites, and OneDrive files. That tooling turns a single hijacked login into a foothold for further infiltration.
Cisco Talos, in a report shared with Cyber Security News, disclosed the discovery of ARToken during an investigation into phishing infrastructure related to an incident response case. The panel shares common elements with EvilTokens, a phishing-as-a-service platform previously documented by Sekoia and recognized by Microsoft as a significant threat.
The Scale and Impact of Device Code Attacks
By the time Microsoft acknowledged the widespread nature of these device code attacks, researchers had already linked around 500 Cloudflare Workers domains and over 2,000 phishing pages to the broader EvilTokens operation. Affiliates often target finance, HR, and logistics personnel using AI-generated messages tailored to deceive each recipient.
ARToken is believed to be a rebranded or closely related variant within the same criminal network, designed for affiliates seeking a more user-friendly interface and enhanced post-breach functionalities.
Phishing Tactics and Prevention
The attack usually begins with a fraudulent email impersonating a contact at a legitimate vendor, rather than a fictitious company. In one noted instance, the message mimicked an accounts payable contact and directed the recipient to what appeared to be a genuine SharePoint link for an outstanding invoice.
The link pointed to a real SharePoint URL, but the workspace behind it was attacker-controlled and built to look nearly identical to the vendor's. Because the domain was genuine, the link passed spam filters and reassured even cautious users.
From there, victims are sent to a fake Microsoft device login page that displays a short code and tells them to enter it at the official microsoft.com/devicelogin page and sign in. The code belongs to a device code flow the attacker has already started; once the victim authenticates on the genuine Microsoft page, Microsoft issues the resulting access and refresh tokens to the attacker's waiting client. The victim still types a password, but only into Microsoft's real site, so the attacker obtains a valid token without ever handling the password.
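The following is an added illustration of the exchange described above, written for this article rather than taken from the Cisco Talos report or from ARToken itself. It models the OAuth 2.0 device authorization grant (RFC 8628) with an in-memory stand-in for the identity provider; the endpoint names, client ID, user, password, and token formats are all constructed. It plays both sides: the attacker starts the flow and polls the token endpoint, the victim authenticates with a password that only the identity provider ever sees, and the attacker's next poll receives the tokens. It also shows the defender's counter-move, revoking refresh tokens, which is what actually cuts off this kind of access.

```python
import secrets
import string
from dataclasses import dataclass
from typing import Optional

# grant_type the real token endpoint expects for this flow (RFC 8628 section 3.4).
DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"


@dataclass
class PendingDevice:
    client_id: str
    scope: str
    user_code: str
    expires_at: int
    approved_by: Optional[str] = None


class ToyAuthorizationServer:
    """Constructed in-memory stand-in for the identity provider's /devicecode and /token
    endpoints. No network, no real Microsoft endpoints; the shapes follow RFC 8628."""

    def __init__(self, users):
        self.users = users            # username -> password; held by the IdP, never by the attacker
        self.now = 0                  # fake clock, advanced by the caller
        self.pending = {}             # device_code -> PendingDevice
        self.refresh_tokens = {}      # refresh_token -> (user, client_id, scope)

    def device_authorization(self, client_id, scope, lifetime=900):
        """Step 1: the client (here, the attacker) asks for a device code and a user code."""
        device_code = secrets.token_urlsafe(32)
        alphabet = string.ascii_uppercase + string.digits
        user_code = "".join(secrets.choice(alphabet) for _ in range(9))
        self.pending[device_code] = PendingDevice(client_id, scope, user_code, self.now + lifetime)
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://idp.example/devicelogin",  # constructed URL
                "expires_in": lifetime, "interval": 5}

    def user_login_at_verification_uri(self, user_code, username, password):
        """Step 3: what the victim does in their own browser. The password is checked here only."""
        if self.users.get(username) != password:
            return False
        for dev in self.pending.values():
            if dev.user_code == user_code and dev.expires_at > self.now:
                dev.approved_by = username
                return True
        return False

    def token(self, grant_type, device_code):
        """Steps 2 and 4: the client polls; it gets authorization_pending until the user approves."""
        if grant_type != DEVICE_GRANT or device_code not in self.pending:
            return {"error": "invalid_grant"}
        dev = self.pending[device_code]
        if dev.expires_at <= self.now:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if dev.approved_by is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]
        return self._issue(dev.approved_by, dev.client_id, dev.scope)

    def refresh(self, refresh_token):
        """Refresh-token grant with rotation: the old refresh token is consumed."""
        if refresh_token not in self.refresh_tokens:
            return {"error": "invalid_grant"}
        user, client, scope = self.refresh_tokens.pop(refresh_token)
        return self._issue(user, client, scope)

    def revoke_sessions(self, username):
        """Defender action: invalidate every refresh token held for the user."""
        doomed = [rt for rt, (u, _, _) in self.refresh_tokens.items() if u == username]
        for rt in doomed:
            del self.refresh_tokens[rt]
        return len(doomed)

    def _issue(self, user, client, scope):
        rt = secrets.token_urlsafe(32)
        self.refresh_tokens[rt] = (user, client, scope)
        return {"token_type": "Bearer", "scope": scope, "expires_in": 3600,
                "access_token": "at." + user + "." + secrets.token_hex(8), "refresh_token": rt}


def simulate_device_code_phish():
    """Runs the whole exchange and returns what each side saw at each step."""
    idp = ToyAuthorizationServer(users={"alice@victim.example": "correct horse battery staple"})
    # 1. Attacker starts the flow; no credential of the victim is needed for this.
    start = idp.device_authorization("attacker-picked-client", "Mail.ReadWrite Files.Read")
    # 2. Attacker polls before the victim has done anything.
    idp.now += 5
    first_poll = idp.token(DEVICE_GRANT, start["device_code"])
    # 3. The lure carries start["user_code"]; the victim enters it and signs in at the IdP.
    approved = idp.user_login_at_verification_uri(start["user_code"], "alice@victim.example",
                                                   "correct horse battery staple")
    # 4. Attacker polls again and receives the victim's access and refresh tokens.
    idp.now += 5
    tokens = idp.token(DEVICE_GRANT, start["device_code"])
    # 5. Attacker refreshes later; the defender revokes sessions and the next refresh fails.
    refreshed = idp.refresh(tokens["refresh_token"])
    revoked = idp.revoke_sessions("alice@victim.example")
    after_revoke = idp.refresh(refreshed["refresh_token"])
    return {"user_code": start["user_code"], "first_poll": first_poll, "victim_approved": approved,
            "tokens": tokens, "refreshed": refreshed, "revoked": revoked, "after_revoke": after_revoke}
```

The point to take from the simulation is in step 3: the victim's password is checked by the identity provider and is never transmitted to the attacker, so password-based controls do not stop the attack, while step 5 shows that revoking refresh tokens does.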
Advanced Evasion and Persistence Techniques
Before showing the lure, the kit runs a seven-layer screening process to filter out security scanners and automated bots, so that only a genuine human interaction triggers the attack. The stolen token can then be escalated to a primary refresh token, maintaining access even if the victim changes their password; a password reset on its own is therefore not an adequate response, and the account's sessions and refresh tokens must be revoked as well.
Operators use this access to read the victim's email, send messages from the account, and create inbox rules that conceal evidence of the breach. Users should treat unexpected device code prompts with skepticism and verify unusual requests through trusted channels. Security teams can block the device code flow for most users with a Conditional Access policy on authentication flows, and should hunt for successful sign-ins whose authentication protocol is device code, especially when they come from unfamiliar addresses or are followed shortly by new inbox rules.
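The following is an added example of the hunting logic just described, written for this article and not part of the Talos report or any vendor product. It runs over constructed sample records shaped after the Microsoft Graph signIn resource (whose authenticationProtocol field reads "deviceCode" for this flow) and after Unified Audit Log entries for the Exchange New-InboxRule operation. The usernames, IP addresses, timestamps, the "known egress" range, and the list of folders treated as hiding places are all constructed; a real deployment would read the records from Graph or the audit log export and tune those lists.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sign-in records (shape follows the Graph signIn resource; values are made up).
SIGNINS = [
    {"createdDateTime": "2025-03-03T08:02:11Z", "userPrincipalName": "alice@victim.example",
     "ipAddress": "203.0.113.77", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-03-03T08:05:40Z", "userPrincipalName": "bob@victim.example",
     "ipAddress": "198.51.100.20", "authenticationProtocol": "oAuth2",
     "appDisplayName": "Microsoft Teams", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-03-03T09:30:00Z", "userPrincipalName": "carol@victim.example",
     "ipAddress": "203.0.113.9", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 50126}},  # failed: no token issued
]

# Constructed Unified Audit Log records for New-InboxRule (Parameters is a Name/Value list).
AUDIT = [
    {"CreationTime": "2025-03-03T08:14:02Z", "Operation": "New-InboxRule",
     "UserId": "alice@victim.example", "ClientIP": "203.0.113.77",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "invoice;payment"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2025-03-03T10:00:00Z", "Operation": "New-InboxRule",
     "UserId": "bob@victim.example", "ClientIP": "198.51.100.20",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Reading"}]},
]

KNOWN_EGRESS = {"198.51.100.0/24"}  # constructed: the organisation's own public address ranges
HIDDEN_FOLDERS = {"RSS Feeds", "Conversation History", "Archive", "Junk Email"}  # constructed; tune locally


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def rule_params(record):
    """Flatten the audit log's Name/Value list into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def is_concealment_rule(record):
    """A new inbox rule that deletes mail, files it somewhere rarely looked at, or has no real name."""
    if record.get("Operation") != "New-InboxRule":
        return False
    p = rule_params(record)
    if p.get("DeleteMessage", "").lower() == "true":
        return True
    if p.get("MoveToFolder") in HIDDEN_FOLDERS:
        return True
    return len(p.get("Name", "x").strip(". ,_-")) == 0


def off_network(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in ipaddress.ip_network(net) for net in KNOWN_EGRESS)


def successful_device_code_signins(signins):
    """Only successful device code sign-ins matter: a failed one issued no token."""
    return [s for s in signins
            if s.get("authenticationProtocol") == "deviceCode"
            and s.get("status", {}).get("errorCode") == 0]


def correlate(signins, audit, window=timedelta(hours=24)):
    """One alert per successful device code sign-in, escalated when the same user
    creates a concealment inbox rule within the window or signs in from off-network."""
    alerts = []
    for s in successful_device_code_signins(signins):
        t0 = parse_ts(s["createdDateTime"])
        rules = [a for a in audit
                 if a.get("UserId") == s["userPrincipalName"] and is_concealment_rule(a)
                 and t0 <= parse_ts(a["CreationTime"]) <= t0 + window]
        external = off_network(s["ipAddress"])
        severity = "high" if rules else ("medium" if external else "low")
        alerts.append({"user": s["userPrincipalName"], "signin_time": s["createdDateTime"],
                       "ip": s["ipAddress"], "off_network": external,
                       "inbox_rules": [rule_params(r).get("Name") for r in rules],
                       "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SIGNINS, AUDIT):
        print(alert)
```

Carol's failed device code attempt is deliberately left out of the alerts: no token was issued, so it is a phishing indicator for awareness follow-up, not an account compromise. Bob's inbox rule is also left alone because it neither hides mail nor follows a device code sign-in.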
In conclusion, organizations must strengthen their defenses against sophisticated phishing techniques like ARToken. Regular training and advanced threat detection practices are crucial in mitigating these evolving cyber threats.
