Phishing‑as‑a‑Service Platform ARToken Enables Credential Theft from Microsoft 365 via Device‑Code Phishing
What Happened — Researchers at Cisco Talos uncovered a new phishing‑as‑a‑service (PhaaS) platform, “ARToken,” that extends the EvilTokens toolkit. The service exposes 80+ API endpoints, allowing attackers to harvest Microsoft 365 authentication tokens, hijack Primary Refresh Tokens (PRTs), and gain persistent access to Outlook, SharePoint, and OneDrive. The platform also automates BEC operations and can deploy phishing infrastructure through Cloudflare Workers.
Why It Matters for Compliance & Audit Readiness
- The scenario directly tests the effectiveness of SOC 2 Access Control criteria (CC6.1, CC6.2) that require strong authentication, MFA enforcement, and monitoring of privileged token usage.
- Continuous evidence collection on token issuance and anomalous API calls is essential to demonstrate due diligence during a SOC 2 audit.
- Security awareness programs must address device‑code phishing, a technique that can bypass MFA and compromise enterprise accounts.
Who Is Affected — Cloud‑based SaaS providers, enterprise IT departments, and any organization that relies on Microsoft 365 for email, collaboration, and file storage (e.g., finance, professional services, education).
Recommended Actions
- Map token‑management processes to SOC 2 access‑control controls; log all OAuth device‑code flows and PRT activity.
- Deploy real‑time anomaly detection for token issuance and enforce conditional access policies that flag atypical device‑code requests.
- Refresh security‑awareness training to include device‑code phishing examples and MFA bypass mitigation.
Source: BleepingComputer
Technical Notes — The toolkit leverages Microsoft’s OAuth 2.0 Device Authorization Grant, stealing Primary Refresh Tokens via the POST /api/device/start endpoint. It automates BEC campaign generation with AI/LLMs and can be deployed via Cloudflare Workers. No public CVE; the threat is a service‑level capability. Source: same as above