ARToken
Techniques & procedures
26 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
Initial Access
4 techniques
The tool works by abusing a legitimate Microsoft sign-in feature meant for devices without a keyboard or browser, tricking victims into approving a login on the attacker’s behalf. Once that approval happens, the attacker walks away with a working session token, no multi-factor code required.
The attack usually begins with a convincing email impersonating a real vendor contact rather than inventing a fake company from scratch.
Execution
1 technique
Persistence
2 techniques
Privilege Escalation
2 techniques
Stealth
6 techniques
It also employs advanced multi-layer anti-analysis techniques and encrypted payloads to evade detection and enhance phishing operations.
The message spoofed an accounts payable contact at a legitimate contractor and directed the recipient toward what looked like a genuine SharePoint file link tied to an outstanding invoice.
Before any of that happens, the phishing kit runs a seven-layer screening process designed to filter out security scanners and automated bots. It checks browser fingerprints, watches for natural mouse movement, and waits nearly a full second before activating.
Credential Access
5 techniques
ARToken operates as an affiliate of the EvilTokens phishing-as-a-service operation, which targets Microsoft 365 accounts and bypasses multi-factor authentication.
EvilTokens abuses Microsoft’s OAuth 2.0 Device Authorization Grant... The service captures a victim’s tokens during that exchange and bypasses multi-factor authentication.
Once entered, the backend silently captures a working access token without asking for a password.
Discovery
2 techniques
Lateral Movement
1 technique
Collection
6 techniques
From there, operators can read the victim’s full email inbox, send messages appearing to come from the compromised account, and quietly create inbox rules that hide or forward evidence of the intrusion.
The panel gives criminal operators a dashboard packed with more than eighty functions, covering everything from refreshing stolen tokens to reading a victim’s entire email inbox.
The platform supports device code phishing, Primary Refresh Token (PRT) persistence, Business Email Compromise (BEC), SharePoint data exfiltration, and email access through a web-based dashboard.
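The two behaviours described above, a device-code sign-in followed by a quietly created inbox rule that hides or forwards mail, are the most tractable hunting signals for this family. The following is an added detection example, not code from the page or from any vendor product: it runs over constructed Entra ID sign-in and Exchange Online audit records (field names follow the real log shapes, such as `authenticationProtocol` = `deviceCode` and the `New-InboxRule` operation, but the records are simplified samples, and the 24-hour correlation window is an assumed tuning value). Because the device code flow has legitimate headless uses (CLI tools on servers, for instance), the example flags a user only when a device-code sign-in is followed by a rule that deletes, forwards or redirects mail.

```python
import json
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry). Field names mirror the shape of
# Microsoft Entra ID sign-in logs and the Exchange Online unified audit log.
SIGNIN_LOGS = [
    {"createdDateTime": "2025-01-10T09:02:11Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.7", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-01-10T08:15:00Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "198.51.100.22", "authenticationProtocol": "none",
     "appDisplayName": "Microsoft Teams", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-01-10T10:40:00Z", "userPrincipalName": "carol@example.com",
     "ipAddress": "198.51.100.9", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Azure CLI", "status": {"errorCode": 0}},
]

AUDIT_LOGS = [
    {"CreationTime": "2025-01-10T09:20:45Z", "Operation": "New-InboxRule",
     "UserId": "alice@example.com",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "invoice"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2025-01-10T11:00:00Z", "Operation": "New-InboxRule",
     "UserId": "carol@example.com",
     "Parameters": [{"Name": "Name", "Value": "Vendor mail"},
                    {"Name": "MoveToFolder", "Value": "Vendors"}]},
]

# Inbox-rule parameters that hide or exfiltrate mail; any one of these is a flag.
SUSPICIOUS_RULE_PARAMS = {"DeleteMessage", "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}

# Assumed tuning value: how long after a device-code sign-in a rule change is linked to it.
CORRELATION_WINDOW = timedelta(hours=24)


def parse_ts(value):
    """Parse the 'Z'-suffixed UTC timestamps used in both log sources."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def device_code_signins(signins):
    """Return successful sign-ins that completed via the OAuth device authorization grant."""
    return [r for r in signins
            if r.get("authenticationProtocol") == "deviceCode"
            and r.get("status", {}).get("errorCode") == 0]


def suspicious_inbox_rules(audit):
    """Return New-InboxRule events whose parameters delete, forward or redirect mail.

    Each hit is annotated with 'rule_flags', the set of suspicious parameter names.
    """
    hits = []
    for event in audit:
        if event.get("Operation") != "New-InboxRule":
            continue
        names = {p["Name"] for p in event.get("Parameters", [])}
        flags = names & SUSPICIOUS_RULE_PARAMS
        if flags:
            hits.append({**event, "rule_flags": sorted(flags)})
    return hits


def correlate(signins, audit, window=CORRELATION_WINDOW):
    """Link each suspicious inbox rule to a device-code sign-in by the same user
    within the window. Only the pairing is reported, so legitimate headless
    device-code use (no rule change afterwards) is not flagged on its own."""
    by_user = {}
    for s in device_code_signins(signins):
        by_user.setdefault(s["userPrincipalName"].lower(), []).append(s)
    hits = []
    for rule in suspicious_inbox_rules(audit):
        user = rule["UserId"].lower()
        rule_time = parse_ts(rule["CreationTime"])
        for s in by_user.get(user, []):
            signin_time = parse_ts(s["createdDateTime"])
            if timedelta(0) <= rule_time - signin_time <= window:
                hits.append({"user": user, "signin_time": s["createdDateTime"],
                             "signin_ip": s["ipAddress"], "app": s["appDisplayName"],
                             "rule_time": rule["CreationTime"],
                             "rule_flags": rule["rule_flags"]})
    return hits


if __name__ == "__main__":
    for hit in correlate(SIGNIN_LOGS, AUDIT_LOGS):
        print(json.dumps(hit))
```

On live data, feed the functions the JSON records exported from the Entra sign-in log and the unified audit log; the device-code sign-ins alone are a useful triage list (unexpected apps, unfamiliar IPs), while the correlated hits are the ones worth opening an incident on.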
IOCs tracked for this family
17 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
Recent activity
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A phishing panel/kit that abuses Microsoft OAuth device code flow to steal Microsoft 365 session tokens, refresh stolen tokens, access email inboxes, browse/download SharePoint and OneDrive files, create inbox rules, and escalate access into longer-lived primary refresh tokens for persistence.
A recently deployed phishing-as-a-service platform targeting Microsoft 365 that uses device code phishing and token theft to bypass MFA, capture and refresh tokens, escalate to Primary Refresh Tokens, maintain persistent access, and enable Business Email Compromise, inbox monitoring, email rule manipulation, and SharePoint/OneDrive data exfiltration.