HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Phishing‑as‑a‑Service Platform ARToken Enables Credential Theft from Microsoft 365 via Device‑Code Phishing

Cisco Talos uncovered ARToken, a phishing‑as‑a‑service platform that harvests Microsoft 365 authentication tokens and automates BEC campaigns. The threat highlights gaps in SOC 2 access‑control controls and the need for continuous token‑monitoring evidence.

LiveThreat™ Intelligence · 📅 July 04, 2026· 📰 bleepingcomputer.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
3 recommended
📰
Source
bleepingcomputer.com

Phishing‑as‑a‑Service Platform ARToken Enables Credential Theft from Microsoft 365 via Device‑Code Phishing

What Happened — Researchers at Cisco Talos uncovered a new phishing‑as‑a‑service (PhaaS) platform, “ARToken,” that extends the EvilTokens toolkit. The service exposes 80+ API endpoints, allowing attackers to harvest Microsoft 365 authentication tokens, hijack Primary Refresh Tokens (PRTs), and gain persistent access to Outlook, SharePoint, and OneDrive. The platform also automates BEC operations and can deploy phishing infrastructure through Cloudflare Workers.

Why It Matters for Compliance & Audit Readiness

  • The scenario directly tests the effectiveness of SOC 2 Access Control criteria (CC6.1, CC6.2) that require strong authentication, MFA enforcement, and monitoring of privileged token usage.
  • Continuous evidence collection on token issuance and anomalous API calls is essential to demonstrate due diligence during a SOC 2 audit.
  • Security awareness programs must address device‑code phishing, a technique that can bypass MFA and compromise enterprise accounts.

Who Is Affected — Cloud‑based SaaS providers, enterprise IT departments, and any organization that relies on Microsoft 365 for email, collaboration, and file storage (e.g., finance, professional services, education).

Recommended Actions

  • Map token‑management processes to SOC 2 access‑control controls; log all OAuth device‑code flows and PRT activity.
  • Deploy real‑time anomaly detection for token issuance and enforce conditional access policies that flag atypical device‑code requests.
  • Refresh security‑awareness training to include device‑code phishing examples and MFA bypass mitigation.

Source: BleepingComputer

Technical Notes — The toolkit leverages Microsoft’s OAuth 2.0 Device Authorization Grant, stealing Primary Refresh Tokens via the POST /api/device/start endpoint. It automates BEC campaign generation with AI/LLMs and can be deployed via Cloudflare Workers. No public CVE; the threat is a service‑level capability. Source: same as above

📰 Original Source
https://www.bleepingcomputer.com/news/security/artoken-phaas-exposes-eviltokens-microsoft-365-phishing-toolkit/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Access is where most audits get tested.

Verisq AI Trust Operations maps incidents like this to your access controls and collects the evidence continuously, keeping your SOC 2 posture defensible.

See where you'd stand with Verisq AI Trust Operations →