Cyber Web Spider Blog – News

Microsoft 365 Under Threat: Phishing Panel Exploits OAuth Flow


Posted on July 2, 2026 By CWS

A newly identified phishing tool named ARToken is enabling cybercriminals to hijack Microsoft 365 login sessions without needing to compromise passwords. This innovative tool exploits a legitimate Microsoft sign-in feature originally designed for devices lacking keyboards or browsers, misleading victims into unwittingly approving a login on behalf of the attacker.

How ARToken Facilitates Phishing Attacks

ARToken distinguishes itself by not only capturing login credentials but also offering a comprehensive dashboard with over eighty functions, including refreshing stolen tokens and accessing victims’ email inboxes, SharePoint, and OneDrive files. This capability turns a single compromised login into an opportunity for further infiltration.

Cisco Talos, in a report shared with Cyber Security News, disclosed the discovery of ARToken during an investigation into phishing infrastructure related to an incident response case. The panel shares common elements with EvilTokens, a phishing-as-a-service platform previously documented by Sekoia and recognized by Microsoft as a significant threat.

The Scale and Impact of Device Code Attacks

By the time Microsoft acknowledged the widespread nature of these device code attacks, researchers had already linked around 500 Cloudflare Workers domains and over 2,000 phishing pages to the broader EvilTokens operation. Affiliates often target finance, HR, and logistics personnel using AI-generated messages tailored to deceive each recipient.

ARToken is believed to be a rebranded or closely related variant within the same criminal network, designed for affiliates seeking a more user-friendly interface and enhanced post-breach functionalities.

Phishing Tactics and Prevention

The attack usually begins with a fraudulent email that impersonates a legitimate vendor contact rather than inventing a fictitious company. In one noted instance, the message mimicked an accounts payable contact and directed the recipient to what appeared to be a genuine SharePoint link associated with an outstanding invoice.

The link, while visually appearing legitimate, redirected users to a nearly identical, attacker-controlled workspace. Because the link resolved to a real SharePoint URL, it managed to bypass spam filters and gain the trust of cautious users.

Upon clicking, victims are led to a fake Microsoft device login page that prompts them to enter a device code at the official microsoft.com/devicelogin page. Because the victim completes this familiar process on Microsoft's own page, the attacker captures a valid access token without requiring a password.

Advanced Evasion and Persistence Techniques

Before executing these steps, the phishing kit employs a seven-layer screening process to filter out security scanners and automated bots, ensuring only genuine human interaction triggers the attack. The stolen token can then be escalated to a primary refresh token, maintaining access even if the victim changes their password.

Operators can exploit this access to read the victim’s emails, send messages from their account, and create inbox rules that conceal evidence of the breach. Security teams are advised to treat unexpected device code prompts with skepticism and verify unusual requests through trusted channels.
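A defender-side check for the pattern described above, added here as an example (not code from Cisco Talos or the original article): it flags successful device code sign-ins by accounts not expected to use that flow and raises severity when the same account creates an inbox rule soon afterwards. The log field names are assumed to follow Entra ID sign-in and Exchange audit log exports; the records, allowlist and one-hour window are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry). Field names are assumed to
# match Entra ID sign-in and Exchange audit log exports; adapt to your pipeline.
SIGNINS = [
    {"userPrincipalName": "ap.clerk@example.com", "createdDateTime": "2026-07-01T09:14:05Z",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.40", "status": {"errorCode": 0}},
    {"userPrincipalName": "kiosk01@example.com", "createdDateTime": "2026-07-01T09:20:00Z",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
    {"userPrincipalName": "hr.lead@example.com", "createdDateTime": "2026-07-01T10:02:11Z",
     "authenticationProtocol": "none", "ipAddress": "192.0.2.15", "status": {"errorCode": 0}},
    # Non-zero errorCode (constructed value): the sign-in did not complete.
    {"userPrincipalName": "hr.lead@example.com", "createdDateTime": "2026-07-01T10:30:00Z",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.40", "status": {"errorCode": 50199}},
]
AUDIT = [
    {"UserId": "ap.clerk@example.com", "Operation": "New-InboxRule", "CreationTime": "2026-07-01T09:31:47Z"},
    {"UserId": "hr.lead@example.com", "Operation": "New-InboxRule", "CreationTime": "2026-07-01T10:40:00Z"},
]
# Hypothetical allowlist: accounts that legitimately use device code sign-in.
EXPECTED_DEVICE_CODE_USERS = {"kiosk01@example.com"}


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_device_code_alerts(signins, audit, allowlist, window=timedelta(hours=1)):
    """Flag successful device code sign-ins by unexpected users; severity is
    'high' when the same user creates an inbox rule within `window` afterwards."""
    alerts = []
    for s in signins:
        user = s["userPrincipalName"].lower()
        if s.get("authenticationProtocol") != "deviceCode":
            continue  # some other sign-in method
        if s.get("status", {}).get("errorCode") != 0:
            continue  # failed or interrupted: no token was issued
        if user in allowlist:
            continue  # expected device code user (e.g. a keyboardless device)
        start = _ts(s["createdDateTime"])
        rules = [a for a in audit
                 if a["UserId"].lower() == user and a["Operation"] == "New-InboxRule"
                 and start <= _ts(a["CreationTime"]) <= start + window]
        alerts.append({"user": user, "ip": s["ipAddress"], "time": s["createdDateTime"],
                       "severity": "high" if rules else "medium",
                       "inbox_rules_after": len(rules)})
    return alerts


if __name__ == "__main__":
    for alert in find_device_code_alerts(SIGNINS, AUDIT, EXPECTED_DEVICE_CODE_USERS):
        print(alert)
```

Changing a password does not close out a "high" alert, since the article notes access can persist through a password change; the follow-up is to review the account's sessions and the inbox rule itself.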

In conclusion, organizations must strengthen their defenses against sophisticated phishing techniques like ARToken. Regular training and advanced threat detection practices are crucial in mitigating these evolving cyber threats.

Copyright © 2026 Cyber Web Spider Blog – News.
