Phishing service steals Microsoft 365 logins and survives MFA

Cisco Talos has pulled back the curtain on a phishing-as-a-service operation that lets criminals hijack Microsoft 365 accounts and stay in them even when multi-factor authentication is switched on. The platform, branded "ARToken," shares infrastructure and code with EvilTokens, a service documented earlier this year by Sekoia and Microsoft, and exposes more than 80 API endpoints for stealing tokens, reading email, and running invoice fraud.

How the attack works

ARToken abuses Microsoft's OAuth device-code sign-in flow, the same feature legitimate apps use to log in on TVs and consoles. A victim is tricked into approving a device code, and the attacker captures the resulting tokens without ever seeing a password, sidestepping MFA entirely. The kit then reaches for a Primary Refresh Token, a long-lived credential that keeps the intruder inside the tenant, and can register a rogue device for lasting access. It is the same device-code abuse seen when Amazon disrupted an APT29 watering-hole campaign earlier this year.

The lure in the wild

Talos recovered the actual emails behind one campaign. Rather than spraying random targets, the operators spoofed an accounts-payable contact at a real Wisconsin contractor and wrote to accounts-payable staff at a US life-sciences company, asking about "outstanding invoices," the kind of message finance teams are trained to act on. SPF, DKIM, and DMARC all failed, a Reply-To header quietly redirected any response to an unrelated domain, and the link pointed to a look-alike SharePoint tenant. Because the destination was still a genuine sharepoint.com address, it inherited SharePoint's clean reputation.
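The header and link checks that would have caught the lure described above, written as an added example (not code from Talos or IntelFusions): it parses a constructed message with failing SPF/DKIM/DMARC results, a Reply-To pointing at an unrelated domain, and a sharepoint.com link whose tenant is not on an assumed allow-list. All domains and tenant names are placeholders, not indicators from the report.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message mirroring the lure pattern; domains and tenants are placeholders.
SAMPLE_EMAIL = """\
From: AP Dept <ap@contractor-example.test>
Reply-To: ap.invoices@unrelated-example.test
Subject: Outstanding invoices
Authentication-Results: mx.lifesci-example.test;
 spf=fail smtp.mailfrom=contractor-example.test;
 dkim=fail header.d=contractor-example.test;
 dmarc=fail header.from=contractor-example.test
Content-Type: text/plain

https://contractor-exampl.sharepoint.com/:f:/s/Invoices/abc
"""

# Assumed allow-list of SharePoint tenants the organisation owns or exchanges files with.
KNOWN_SHAREPOINT_TENANTS = {"lifesci-example", "contractor-example"}

def auth_failures(msg):
    """Mechanisms reported as failing in Authentication-Results (spf/dkim/dmarc)."""
    results = " ".join(msg.get_all("Authentication-Results", []))
    return sorted(m for m in ("spf", "dkim", "dmarc")
                  if re.search(rf"\b{m}=fail\b", results, re.I))

def reply_to_mismatch(msg):
    """True when a Reply-To header diverts replies to a domain other than From's."""
    dom = lambda h: parseaddr(msg.get(h, ""))[1].rpartition("@")[2].lower()
    return bool(dom("Reply-To")) and dom("Reply-To") != dom("From")

def unknown_sharepoint_tenants(msg):
    """sharepoint.com tenant names linked in the body that are not on the allow-list."""
    body = msg.get_payload(decode=True).decode(errors="replace")
    hosts = ((urlparse(u).hostname or "").lower() for u in re.findall(r"https?://\S+", body))
    return sorted({h.removesuffix(".sharepoint.com") for h in hosts
                   if h.endswith(".sharepoint.com")} - KNOWN_SHAREPOINT_TENANTS)

def triage(raw):
    """Run all checks; flag when auth failed and a diversion or unknown tenant is present."""
    msg = message_from_string(raw)
    failed, diverted, tenants = auth_failures(msg), reply_to_mismatch(msg), unknown_sharepoint_tenants(msg)
    return {"auth_failures": failed, "reply_to_mismatch": diverted,
            "unknown_sharepoint_tenants": tenants,
            "suspicious": bool(failed) and (diverted or bool(tenants))}

if __name__ == "__main__":
    print(triage(SAMPLE_EMAIL))
```

A genuine sharepoint.com host passes reputation filters, so the tenant check is what separates a look-alike tenant from one the organisation actually uses.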

Why it matters

ARToken shows how mature the criminal phishing market has become, with subscription pricing (reportedly 1,500 dollars up front plus 500 dollars a month for EvilTokens), Telegram alerts on every captured token, and an AI-assisted business email compromise pipeline that scores mailboxes and drafts tailored fraud. The kit also runs a seven-layer anti-analysis system that blocks headless browsers and automation tools to dodge security scanners. Defenders should restrict or closely monitor the device-code sign-in flow in Entra ID, alert on new device registrations, and treat invoice-themed SharePoint links as suspect even when the domain looks legitimate.

Indicators of compromise

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.
