ARToken

MITRE ATT&CK

Techniques & procedures

26 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development (1 technique)

T1586.002 Email Accounts (evidence: 1)

The From line shows the vendor’s genuine domain, and Reply-To quietly points somewhere else, routing any response away from the impersonated company. SPF, DKIM, and DMARC all fail on the message.

Initial Access (4 techniques)

T1078 Valid Accounts (evidence: 2)

The tool works by abusing a legitimate Microsoft sign-in feature meant for devices without a keyboard or browser, tricking victims into approving a login on the attacker’s behalf. Once that approval happens, the attacker walks away with a working session token, no multi-factor code required.

T1566 Phishing (evidence: 6)

The attack usually begins with a convincing email impersonating a real vendor contact rather than inventing a fake company from scratch.

T1566.001 Spearphishing Attachment (evidence: 1)

Phishing lures observed are targeted, mimicking legitimate vendor communications, such as an outstanding invoice inquiry, to trick accounts payable personnel.

T1566.002 Spearphishing Link (evidence: 4)

The visible link text pointed to the vendor’s real SharePoint tenant, but the actual destination quietly redirected to a nearly identical, attacker-controlled workspace.

Execution (1 technique)

T1204 User Execution (evidence: 1)

The later checks wait for signs of a person, holding the payload until either a run of mouse movement or a screen touch registers and a short delay after load has passed.

Persistence (2 techniques)

T1078 Valid Accounts (evidence: 2)

The tool works by abusing a legitimate Microsoft sign-in feature meant for devices without a keyboard or browser, tricking victims into approving a login on the attacker’s behalf. Once that approval happens, the attacker walks away with a working session token, no multi-factor code required.

T1098.002 Additional Email Delegate Permissions (evidence: 2)

allowing operators to monitor inboxes, manipulate email rules to suppress evidence of the intrusion

Privilege Escalation (2 techniques)

T1078 Valid Accounts (evidence: 2)

The tool works by abusing a legitimate Microsoft sign-in feature meant for devices without a keyboard or browser, tricking victims into approving a login on the attacker’s behalf. Once that approval happens, the attacker walks away with a working session token, no multi-factor code required.

T1098.002 Additional Email Delegate Permissions (evidence: 2)

allowing operators to monitor inboxes, manipulate email rules to suppress evidence of the intrusion

Stealth (6 techniques)

T1027 Obfuscated Files or Information (evidence: 2)

It also employs advanced multi-layer anti-analysis techniques and encrypted payloads to evade detection and enhance phishing operations.

T1036 Masquerading (evidence: 2)

The message spoofed an accounts payable contact at a legitimate contractor and directed the recipient toward what looked like a genuine SharePoint file link tied to an outstanding invoice.

T1070 Indicator Removal (evidence: 1)

inbox rule creation for forwarding and deleting messages

T1078 Valid Accounts (evidence: 2)

The tool works by abusing a legitimate Microsoft sign-in feature meant for devices without a keyboard or browser, tricking victims into approving a login on the attacker’s behalf. Once that approval happens, the attacker walks away with a working session token, no multi-factor code required.

T1497 Virtualization/Sandbox Evasion (evidence: 4)

Before any of that happens, the phishing kit runs a seven-layer screening process designed to filter out security scanners and automated bots. It checks browser fingerprints, watches for natural mouse movement, and waits nearly a full second before activating.

T1564 Hide Artifacts (evidence: 1)

inbox rule creation for forwarding and deleting messages

Credential Access (5 techniques)

T1111 Multi-Factor Authentication Interception (evidence: 2)

ARToken operates as an affiliate of the EvilTokens phishing-as-a-service operation, which targets Microsoft 365 accounts and bypasses multi-factor authentication.

T1528 Steal Application Access Token (evidence: 1)

EvilTokens abuses Microsoft’s OAuth 2.0 Device Authorization Grant... The service captures a victim’s tokens during that exchange and bypasses multi-factor authentication.

T1539 Steal Web Session Cookie (evidence: 1)

Once entered, the backend silently captures a working access token without asking for a password.

T1557 Adversary-in-the-Middle (evidence: 1)

The tool works by abusing a legitimate Microsoft sign-in feature meant for devices without a keyboard or browser, tricking victims into approving a login on the attacker’s behalf.

T1649 Steal or Forge Authentication Certificates (evidence: 3)

The platform supports device code phishing, Primary Refresh Token (PRT) persistence, Business Email Compromise (BEC), SharePoint data exfiltration, and email access through a web-based dashboard.

Discovery (2 techniques)

T1497 Virtualization/Sandbox Evasion (evidence: 4)

Before any of that happens, the phishing kit runs a seven-layer screening process designed to filter out security scanners and automated bots. It checks browser fingerprints, watches for natural mouse movement, and waits nearly a full second before activating.

T1526 Cloud Service Discovery (evidence: 1)

The panel gives criminal operators a dashboard packed with more than eighty functions, covering everything from refreshing stolen tokens to reading a victim’s entire email inbox. It even offers tools to browse and download files from SharePoint and OneDrive.

Lateral Movement (1 technique)

T1550 Use Alternate Authentication Material (evidence: 1)

ARToken can escalate that initial access into a longer-lived credential known as a primary refresh token, which keeps working even after the victim changes their password.

Collection (6 techniques)

T1114 Email Collection (evidence: 4)

From there, operators can read the victim’s full email inbox, send messages appearing to come from the compromised account, and quietly create inbox rules that hide or forward evidence of the intrusion.

T1114.003 Email Forwarding Rule (evidence: 2)

From there, operators can read the victim’s full email inbox, send messages appearing to come from the compromised account, and quietly create inbox rules that hide or forward evidence of the intrusion.

T1185 Browser Session Hijacking (evidence: 2)

The panel gives criminal operators a dashboard packed with more than eighty functions, covering everything from refreshing stolen tokens to reading a victim’s entire email inbox.

T1213 Data from Information Repositories (evidence: 2)

The platform supports device code phishing, Primary Refresh Token (PRT) persistence, Business Email Compromise (BEC), SharePoint data exfiltration, and email access through a web-based dashboard.

T1530 Data from Cloud Storage (evidence: 1)

conduct full-scale exploration and data exfiltration from the victim’s SharePoint and OneDrive environments.

T1557 Adversary-in-the-Middle (evidence: 1)

The tool works by abusing a legitimate Microsoft sign-in feature meant for devices without a keyboard or browser, tricking victims into approving a login on the attacker’s behalf.

Other (2 techniques)

T1562 Impair Defenses (evidence: 1)

The platform also boasts a seven-layer anti-analysis system for evasion.

T1656 Impersonation (evidence: 1)

the email lure abused a real vendor relationship between a US life-sciences company and a legitimate plumbing and fire-protection contractor
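Detection logic for the two stages the evidence above describes, the device code sign-in under T1078 and the forwarding or deleting inbox rules under T1114.003/T1564, as an added Python example that is not from the original page or from the vendor reports it cites. Field names follow the Entra ID sign-in log (authenticationProtocol, createdDateTime, ipAddress) and the Exchange Online Unified Audit Log New-InboxRule record; the sample records, users, IPs and domains are constructed.

```python
import json
from datetime import datetime, timedelta
# Constructed sample records (all values invented). Sign-ins use Entra ID sign-in
# log field names; audit records use the Exchange Online Unified Audit Log shape.
SIGNINS = json.loads("""[
 {"userPrincipalName":"ap@victim.example","createdDateTime":"2024-05-06T08:10:00Z","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.5"},
 {"userPrincipalName":"ap@victim.example","createdDateTime":"2024-05-06T09:02:11Z","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.7"}]""")
AUDIT = json.loads("""[
 {"UserId":"ap@victim.example","CreationTime":"2024-05-06T09:20:44Z","Operation":"New-InboxRule","Parameters":[
   {"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"drop@attacker.example"},{"Name":"DeleteMessage","Value":"True"}]},
 {"UserId":"cfo@victim.example","CreationTime":"2024-05-06T10:00:00Z","Operation":"New-InboxRule","Parameters":[
   {"Name":"Name","Value":"News"},{"Name":"MoveToFolder","Value":"Reading"}]}]""")
INTERNAL_DOMAINS = {"victim.example"}
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}

def _ts(s):
    return datetime.fromisoformat(s.rstrip("Z"))  # all timestamps treated as UTC

def device_code_signins(signins):
    # Sign-ins completed through the OAuth 2.0 device authorization grant: the victim typed
    # the code on Microsoft's device login page, so the token and ipAddress belong to the attacker's client.
    return [s for s in signins if s.get("authenticationProtocol") == "deviceCode"]

def suspicious_inbox_rules(audit, internal_domains=INTERNAL_DOMAINS):
    # New-InboxRule events that forward/redirect mail outside the tenant or delete
    # it: the pattern used to hide follow-on BEC activity from the mailbox owner.
    hits = []
    for rec in audit:
        if rec.get("Operation") != "New-InboxRule":
            continue
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        external = [v for k, v in params.items() if k in FORWARDING_PARAMS
                    and v.rsplit("@", 1)[-1].lower() not in internal_domains]
        deletes = str(params.get("DeleteMessage", "")).lower() == "true"
        if external or deletes:
            hits.append({"user": rec["UserId"].lower(), "time": rec["CreationTime"],
                         "forward_to": external, "deletes": deletes})
    return hits

def correlate(signins, audit, window_hours=24):
    # Highest-priority alert: a device-code sign-in followed within window_hours by a
    # suspicious inbox rule created by the same account (the T1078 -> T1114.003 chain).
    window, alerts = timedelta(hours=window_hours), []
    for s in device_code_signins(signins):
        t0 = _ts(s["createdDateTime"])
        for r in suspicious_inbox_rules(audit):
            if r["user"] == s["userPrincipalName"].lower() and t0 <= _ts(r["time"]) <= t0 + window:
                alerts.append({"user": r["user"], "signin_ip": s["ipAddress"],
                               "rule_time": r["time"], "forward_to": r["forward_to"]})
    return alerts
```

In a real tenant the device-code sign-in alone merits review, since the ipAddress recorded is the attacker's client rather than the victim's workstation; the rule correlation narrows the queue to accounts already being used for BEC.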

INDICATORS OF COMPROMISE

IOCs tracked for this family

17 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network (17 tracked)

IPs, domains, and DNS infrastructure linked to this family.
