ARToken phishing panel shows EvilTokens is running a full BEC machine
Cisco Talos traced how a targeted email lure leads to token theft, persistence, and Outlook-level inbox control.

Cisco Talos incident responders described ARToken, a phishing-as-a-service panel that appears to be an EvilTokens customer, sharing platform infrastructure and operational patterns. The discovery expands EvilTokens from device-code phishing into a complete BEC operations environment, with implications for security teams and decision-makers managing Microsoft 365 risk.
Cisco Talos says the EvilTokens device-code phishing kit is not just “one more” MFA bypass tool. In new findings, researchers uncovered a phishing-as-a-service operator panel branded “ARToken” that appears to be an EvilTokens customer, tied to the same platform infrastructure, API contracts, and deployment and operational models. The core consequence for executives is simple: this campaign activity looks more like a staffed business email compromise operation than a standalone phishing kit.
Talos also answered a key question left open by earlier reporting: how an ARToken lure actually reaches an inbox. Cisco Talos recovered two near-identical messages, sent roughly four minutes apart on April 20, 2026, that initiate the chain. Instead of loud, spray-and-pray emails, Talos described the tradecraft as targeted: it reached the victim by abusing a real vendor relationship between a US life-sciences company and a legitimate plumbing and fire-protection contractor. The email plays the part of normal business paperwork, using an outstanding-invoice lure and claiming “the following invoices appear to still be outstanding.”
The details matter because this is exactly where many defenses fail. The message’s From header presents the contractor’s real domain, and even the visible anchor text points to the vendor’s genuine SharePoint tenant, so the email looks like it belongs to a legitimate workflow. The hidden parts are what drive the compromise: the Reply-To header sends any reply to an unrelated domain, and the actual link target (the href) points to a near-identical copycat tenant in a different, attacker-controlled Microsoft 365 tenant. Because the destination is still hosted under sharepoint.com, domain- and URL-reputation checks are less likely to flag it as a phish. The tell is not any single header but the disagreement between them: From versus Reply-To, and the displayed link versus the link actually followed.
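The two mismatches above are mechanical to check at the mail gateway or in a triage script. The following is an added example, not code from Talos or the ARToken report: it parses a constructed sample message (the placeholder domains and tenant names are invented, not the real contractor or attacker tenants) and reports a From/Reply-To domain disagreement, an anchor-text/href host disagreement, and a SharePoint tenant mismatch between the two hosts.

```python
"""Header and link consistency checks for an invoice-style lure.

Added example. The sample message below is constructed; the domains and
SharePoint tenant names are placeholders, not the ones from the Talos report.
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: From shows the vendor domain, Reply-To goes elsewhere,
# and the anchor text shows the vendor's SharePoint tenant while the href
# points at a lookalike tenant that is also hosted on sharepoint.com.
SAMPLE_EML = b"""From: Accounts Receivable <ar@vendor-contractor.example>
Reply-To: accounts@unrelated-mailbox.example
To: ap@lifesciences.example
Subject: Outstanding invoices
Content-Type: text/html; charset=utf-8

<html><body>
<p>The following invoices appear to still be outstanding.</p>
<a href="https://vendorcontractor-invoices.sharepoint.com/:f:/s/Invoices">
https://vendorcontractor.sharepoint.com/sites/Invoices</a>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._open = None  # [href, accumulated text] while inside an <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append((self._open[0], " ".join(self._open[1].split())))
            self._open = None


def _domain(header_value):
    """Domain part of the first address in a From/Reply-To header, lowercased."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def _host(text):
    """Hostname if the text parses as an http(s) URL, else None."""
    parsed = urlparse(text.strip())
    if parsed.scheme in ("http", "https") and parsed.hostname:
        return parsed.hostname.lower()
    return None


def _sharepoint_tenant(host):
    """Tenant name from <tenant>.sharepoint.com or <tenant>-my.sharepoint.com."""
    if host and host.endswith(".sharepoint.com"):
        return host[: -len(".sharepoint.com")].removesuffix("-my")
    return None


def analyse_lure(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = _domain(str(msg["From"]))
    reply_domain = _domain(str(msg["Reply-To"])) if msg["Reply-To"] else from_domain
    findings = []
    if reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    body = msg.get_body(preferencelist=("html",))
    collector = _LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href, text in collector.links:
        href_host, text_host = _host(href), _host(text)
        # Only compare when the visible text is itself a URL; plain labels
        # ("View invoices") carry no host to disagree with.
        if href_host and text_host and href_host != text_host:
            findings.append(f"anchor text shows {text_host} but href goes to {href_host}")
            shown, actual = _sharepoint_tenant(text_host), _sharepoint_tenant(href_host)
            if shown and actual and shown != actual:
                findings.append(f"SharePoint tenant mismatch: shown {shown}, actual {actual}")
    return {"from_domain": from_domain, "reply_to_domain": reply_domain,
            "links": collector.links, "findings": findings}


if __name__ == "__main__":
    for line in analyse_lure(SAMPLE_EML)["findings"]:
        print("FINDING:", line)
```

The tenant comparison is the part worth keeping in production: a generic "link host differs from displayed host" rule fires on plenty of legitimate redirectors, but two different sharepoint.com tenants inside one invoice email is almost never benign.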
From a decision-making standpoint, this “legitimate hosting, malicious tenant” pattern is the uncomfortable upgrade. It moves the problem away from simple domain reputation and toward identity abuse and post-compromise control. EvilTokens was first documented by French cybersecurity firm Sekoia in March, and in April Microsoft said the device-code phishing campaign was compromising hundreds of organizations daily. Microsoft also reported, “Since March 15, 2026, we have observed 10 to 15 distinct campaigns launching every 24 hours,” with each campaign distributed at scale and targeting hundreds of organizations with varied and unique payloads, making pattern-based detection more challenging.
Talos’s ARToken findings layer additional capability on top of that already-industrial pace. During its investigation into the ARToken phishing infrastructure, Cisco uncovered connections to EvilTokens, including an identical API contract to the one originally documented by Sekoia, and matching deployment and operational models. Talos also said the researchers observed “notably more sophisticated” anti-analysis and evasion capabilities than what was documented in earlier EvilTokens research. For CISOs and boards, this points to a threat actor business model that iterates, not one that stays frozen in time. When a platform actively evades analysis, defenders often lose the advantage of hindsight.
The most operationally consequential part of the report is what Talos says is inside the ARToken panel. According to Talos researcher Michael Kelley, the panel reveals a “very comprehensive post-exploitation toolkit” that provides token management and persistence mechanisms, plus a built-in business email compromise tool. The BEC component includes full Microsoft Outlook inbox read access, email sending capabilities as the victim, inbox rule creation for forwarding and deleting messages, and keyword-based monitoring across all compromised accounts. Kelley summarizes the implication bluntly in Talos’s writeup: these features indicate the platform is more mature than a simple device code phishing kit, essentially “a complete BEC operations environment.”
Second-order implications follow quickly. A BEC environment with Outlook inbox read access and inbox rule creation changes the detection game from “catch the initial phish” to “assume the attacker will quietly reshape the mailbox.” Rule-based forwarding and deletion can hide fraudulent activity, reduce the chance of victims noticing anomalies, and keep the compromise useful even after initial session control is lost. Keyword-based monitoring across compromised accounts also suggests the attacker is selecting timing, not just harvesting tokens, which can increase the likelihood of high-value actions succeeding.
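Hunting for the mailbox reshaping described above comes down to triaging inbox rules for the combination that matters: external forwarding, deletion of the matched mail, and finance-keyword triggers. The following is an added example, not code from Talos or the ARToken panel. The rule objects are constructed and follow the field names of the Microsoft Graph messageRule resource (actions.forwardTo, redirectTo, delete, conditions.subjectContains and so on); treating an export in that shape as input is an assumption, and the INTERNAL_DOMAINS and FINANCE_KEYWORDS sets are illustrative values.

```python
"""Triage of inbox rules for BEC-style forwarding and deletion.

Added example. Rule objects are constructed in the shape of the Microsoft
Graph messageRule resource (assumption about the export format); the domains
and keyword list are placeholders a defender would tune to their tenant.
"""

INTERNAL_DOMAINS = {"lifesciences.example"}          # assumed tenant domains
FINANCE_KEYWORDS = {"invoice", "payment", "wire", "remittance", "bank"}
FORWARD_ACTIONS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")
KEYWORD_CONDITIONS = ("subjectContains", "bodyContains", "bodyOrSubjectContains")

# Constructed sample export: one attacker-style rule, one ordinary rule,
# one disabled internal forward that should not be flagged.
SAMPLE_RULES = [
    {"id": "r1", "displayName": ".", "isEnabled": True,
     "conditions": {"subjectContains": ["invoice", "payment"]},
     "actions": {"forwardTo": [{"emailAddress": {"address": "drop@unrelated-mailbox.example"}}],
                 "delete": True, "stopProcessingRules": True}},
    {"id": "r2", "displayName": "Newsletters", "isEnabled": True,
     "conditions": {"senderContains": ["newsletter"]},
     "actions": {"moveToFolder": "folder-id-placeholder", "markAsRead": True}},
    {"id": "r3", "displayName": "Keep a copy", "isEnabled": False,
     "conditions": {},
     "actions": {"forwardTo": [{"emailAddress": {"address": "me@lifesciences.example"}}]}},
]


def _recipients(actions, key):
    """Addresses from a Graph recipient collection under actions[key]."""
    return [r.get("emailAddress", {}).get("address", "").lower()
            for r in actions.get(key, [])]


def triage_rule(rule, internal_domains=INTERNAL_DOMAINS):
    """Return a finding dict for one rule; 'reasons' is empty when nothing is suspicious."""
    actions = rule.get("actions") or {}
    conditions = rule.get("conditions") or {}
    reasons = []

    external = sorted({a for key in FORWARD_ACTIONS for a in _recipients(actions, key)
                       if a and a.rpartition("@")[2] not in internal_domains})
    if external:
        reasons.append("forwards to external address: " + ", ".join(external))

    deletes = bool(actions.get("delete") or actions.get("permanentDelete"))
    if deletes:
        reasons.append("deletes matched mail")

    terms = {t.lower() for key in KEYWORD_CONDITIONS for t in conditions.get(key, [])}
    hits = sorted(terms & FINANCE_KEYWORDS)
    if hits:
        reasons.append("finance keyword trigger: " + ", ".join(hits))

    # One- or two-character rule names are common attacker tradecraft: the
    # rule is hard to notice in the Outlook rule list.
    name = (rule.get("displayName") or "").strip()
    if len(name) <= 2:
        reasons.append(f"evasive rule name {name!r}")

    if external and deletes:
        severity = "high"        # forward-and-delete is the classic BEC pattern
    elif reasons:
        severity = "medium"
    else:
        severity = "none"
    return {"id": rule.get("id"), "enabled": bool(rule.get("isEnabled")),
            "severity": severity, "reasons": reasons}


def triage_rules(rules, internal_domains=INTERNAL_DOMAINS):
    """Findings for every rule with at least one reason, worst first."""
    order = {"high": 0, "medium": 1}
    found = [triage_rule(r, internal_domains) for r in rules]
    found = [f for f in found if f["reasons"]]
    return sorted(found, key=lambda f: (order[f["severity"]], f["id"]))


if __name__ == "__main__":
    for finding in triage_rules(SAMPLE_RULES):
        print(finding["severity"], finding["id"], "; ".join(finding["reasons"]))
```

Disabled rules are still reported (the `enabled` field carries the state) because an attacker who has lost the session can re-enable a rule later, and because a disabled forward-and-delete rule is itself evidence worth keeping in the incident timeline.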
There is also a governance angle. Microsoft has already put numbers around the scale, telling El Reg that it has observed 10 to 15 distinct campaigns each day since March 15, 2026, each targeting hundreds of organizations. That tempo pressures security teams that run on finite incident-response bandwidth. It also raises board-level questions about how Microsoft 365 security is governed across identity, email, and account recovery processes, especially when attackers blend in with real SharePoint tenants and legitimate business contexts.
For executives and operators, the headline takeaway is not “EvilTokens got worse.” It is that the ecosystem looks modular: a kit, customers, and an operator panel that turns access into a controllable BEC workflow. If your organization’s defenses rely mainly on detecting phishing patterns, the ARToken example shows how adversaries route around that using vendor-trust cues and legitimate infrastructure. The strategic stakes are straightforward: companies managing Microsoft 365 risk need to treat device-code phishing as the start of a broader post-exploitation campaign, not as an isolated email problem.