If your accounts-payable, HR, or finance teams use Microsoft 365, the ARToken Panel is built to turn a single phished sign-in into ongoing access to your mailboxes, files, and money movement. What sets it apart from ordinary credential theft is that it captures OAuth tokens through the device code flow: the victim completes MFA on a genuine Microsoft page, and the resulting tokens are issued to the attacker. The attacker never sees the password at all, so a routine password reset on its own does not lock them out. (Source: Cisco Talos)
Here is why that matters at the board level. Once ARToken escalates a captured token to a Primary Refresh Token (PRT), the operator's dashboard advertises persistence that "persists across password changes." Your usual response to a suspected compromise — force a reset, move on — no longer evicts the intruder. They hold a valid session artifact that keeps working until the token itself is revoked and the registered device removed.
The built-in email tool, ARTSender, is where the financial damage starts. Operators get full Outlook inbox read access on each compromised account, plus the ability to send mail as your staff with BCC batch support and configurable delays. In the campaign Talos documented, the lure impersonated an accounts-payable contact at a legitimate Wisconsin vendor and targeted an accounts-payable recipient at a U.S. life-sciences firm — abusing a real vendor relationship to push an outstanding-invoice request. That is how these operators redirect payments: not by inventing a supplier, but by hijacking a trusted one your team already pays.
Once inside, operators create inbox rules for forwarding and auto-deletion. In practice, this means:
- Wire and payment fraud — the attacker reads your invoice threads, learns your payment cadence, and replies from inside a real conversation to reroute funds.
- Evidence suppression — auto-delete rules hide replies and alerts, so your finance staff never see the messages the attacker sends or receives on their behalf.
- Cross-account surveillance — the Box Monitor feature watches every compromised mailbox at once for operator-defined keywords like "invoice," "payment," or "wire," surfacing the highest-value conversations automatically.
For HR and finance, the exposure extends past email. Operators can browse, download, upload, and re-permission victim SharePoint and OneDrive files. That reaches employee records, payroll data, tax forms, and financial statements — the exact material that triggers breach-notification obligations when it leaves your control. If your HR mailboxes or document libraries hold personally identifiable information, unauthorized access to them is a reportable event under most state and sector privacy regimes, and the notification, credit-monitoring, and legal costs land on you regardless of whether funds were stolen.
The industries the operators target track directly to the payoff. Finance and accounts-payable roles offer direct fraud through payment redirection. HR roles offer identity-theft liability through bulk access to employee data. Life-sciences and logistics staff sit on vendor and shipment workflows that make invoice fraud believable. If your organization runs any of these functions on Microsoft 365 — and most do — you are looking at a platform designed to convert one compromised finance or HR account into unauthorized transfers, exfiltrated records, and the regulatory reporting that follows.
How ARToken Panel Harvests Credentials and Maintains M365 Access
The ARToken attack chain starts not with malware, but with a phishing link that abuses Microsoft's OAuth 2.0 Device Authorization Grant (RFC 8628). There is no dropper, no payload on the endpoint, and no password to crack — the operator captures OAuth tokens directly through the device code flow. For a SOC, that means the classic indicators (suspicious binaries, EDR alerts) never fire during the initial compromise.
The delivery infrastructure runs on legitimate services. Lures deploy through Cloudflare Workers accounts using UUID-prefixed subdomains such as {uuid}-docviewer.workers.dev, {uuid}-onedrive.workers.dev, and {uuid}-adobe2.workers.dev. Because these are hosted on workers.dev, they inherit Cloudflare's clean reputation and sail past URL reputation checks.
When a victim reaches the phishing page, the kit fires on DOMContentLoaded and runs a defined sequence:
- Reads any existing JWT from localStorage under the key artoken_jwt, used to correlate the victim's session across visits.
- Extracts the victim's email address from the URL ?hint= parameter.
- Calls the C2 at /device/start with the hardcoded operator UUID 84eb384d-cd3e-4c90-a283-c960ce557913.
- Displays the returned device code with a countdown timer defaulting to 900 seconds, the same expires_in value Microsoft's device authorization response normally carries.
- Directs the victim to microsoft.com/devicelogin.
The mechanics matter here. The victim authenticates on Microsoft's genuine device-login page, including completing MFA, and Microsoft issues the tokens to whoever started the device code request, which is the operator's backend. In your logs this appears as a sign-in by a real user through a real Microsoft page. That is why device code phishing gets past multi-factor authentication without defeating it: MFA is satisfied by the victim, and the resulting token lands with the operator. For the same reason, phishing-resistant methods that bind the credential to an origin (FIDO2, Windows Hello for Business) do not stop this flow by themselves, because the origin the victim authenticates to is the legitimate one.
The backend request uses clientMode: "broker", which tells the kit's backend to obtain tokens in the name of Microsoft's Authentication Broker, the client that Windows' Web Account Manager (WAM) uses to register a device and keep it signed in. This is the pivot from a stolen token to a Primary Refresh Token (PRT), the device-bound credential Windows uses to keep a machine signed in across the M365 estate. Once the operator holds a PRT on a device they registered, they hold single sign-on into email, SharePoint, OneDrive, Teams, and any app federated behind that identity.
Persistence runs through a defined PRT lifecycle exposed in the panel's API: /prt/setup, /prt/refresh, /prt/renew, /prt/reacquire, and /prt/cookie. The kit ships with the flag persistAfterPassChange: false — a plain acknowledgement that the operator knows refresh tokens die on a password reset and must escalate to a PRT before the victim reacts.
The panel's UI states it plainly: "PRT-enabled - Persists across password changes."
For threat hunters, that line reframes your containment assumptions. Resetting a compromised user's password does not evict an operator who already holds a PRT and a registered device. Treat the claim as the operator's rather than as a guarantee: Microsoft's own PRT documentation says a PRT obtained with the old password is invalidated on password change, and the public reporting does not spell out how the panel gets around that; the conservative reading is that the registered device and the /prt/reacquire endpoint let the operator rebuild access. Either way, a password reset cannot be your only containment step; revoke sessions and remove the device.
Static analysis is deliberately frustrated. The JavaScript payload is delivered XOR-encrypted with a 16-byte key ([233,69,224,219,53,48,213,165,119,243,77,151,101,148,15,227]) and decrypted at runtime, so URL scanners inspecting the served content see obfuscated bytes rather than phishing logic.
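The obfuscation is a plain repeating-key XOR, so an analyst can recover the served script offline and check it for the strings the kit is known to use. The block below is an added example written for this article, not the kit's code and not from Talos: KEY is the 16-byte key quoted above, the marker strings come from the behaviour described in this section, and SAMPLE_PLAINTEXT is a constructed stand-in for the served script (not a real sample) that is encrypted here so the block runs without any network access. The recover_key function goes one step beyond the article: if a later variant rotates the key, 16 bytes of predictable JavaScript prefix are enough to derive it.

```python
"""Recover and triage an XOR-obfuscated lure payload.

Added example (not the kit's code and not from Talos). KEY is the 16-byte key the
article quotes; SAMPLE_PLAINTEXT is a constructed stand-in for the served script,
not a real sample, and is encrypted here so the block runs offline.
"""
from itertools import cycle

KEY = bytes([233, 69, 224, 219, 53, 48, 213, 165, 119, 243, 77, 151, 101, 148, 15, 227])

# Strings a triager would expect in the recovered script, taken from the article's
# description of the kit's behaviour. A live sample may spell them differently.
MARKERS = ("artoken_jwt", "/device/start", "microsoft.com/devicelogin", "hint")


def xor_bytes(data: bytes, key: bytes = KEY) -> bytes:
    """Repeating-key XOR. Symmetric, so one function both obfuscates and recovers."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ciphertext: bytes, known_prefix: bytes) -> bytes:
    """Known-plaintext recovery of a repeating 16-byte key: if a later variant rotates
    the key, the opening bytes of a JavaScript body (an event-listener registration,
    say) are usually predictable enough to derive it."""
    if len(known_prefix) < len(KEY):
        raise ValueError("need at least 16 known plaintext bytes")
    return bytes(c ^ p for c, p in zip(ciphertext[:len(KEY)], known_prefix[:len(KEY)]))


def triage_payload(ciphertext: bytes, key: bytes = KEY) -> dict:
    """Decrypt and report which kit markers appear; two or more is a confident hit."""
    plain = xor_bytes(ciphertext, key)
    text = plain.decode("utf-8", errors="replace")
    hits = [m for m in MARKERS if m in text]
    return {"plaintext": plain, "markers": hits, "verdict": "lure" if len(hits) >= 2 else "unknown"}


# Constructed stand-in for the served script body (NOT a real sample).
SAMPLE_PLAINTEXT = (
    b"document.addEventListener('DOMContentLoaded', async () => {\n"
    b"  const jwt = localStorage.getItem('artoken_jwt');\n"
    b"  const hint = new URLSearchParams(location.search).get('hint');\n"
    b"  const r = await fetch('/device/start', {method: 'POST',\n"
    b"    body: JSON.stringify({hint, clientMode: 'broker'})});\n"
    b"  // show the code, start a 900 s countdown, send the victim to microsoft.com/devicelogin\n"
    b"});\n"
)
SAMPLE_CIPHERTEXT = xor_bytes(SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    result = triage_payload(SAMPLE_CIPHERTEXT)
    print(result["verdict"], result["markers"])
    print(recover_key(SAMPLE_CIPHERTEXT, b"document.addEventListener(") == KEY)
```

Run it against the bytes a URL scanner actually fetched from the workers.dev host; if the verdict comes back "unknown" with the published key, try recover_key with the first 16 bytes you expect the script to start with before concluding the sample is something else.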
Key infrastructure indicators observed by Talos:
- Management panel: dashboard-bl.pamconj[.]com (serving the "ARToken Panel" React SPA).
- C2 API: spx.pamconj[.]com.
- Cloudflare Workers lure host: clear90489058903-document.workers[.]dev.
ARToken is an affiliate operating on the EvilTokens platform — same API contract, same broker semantics, same PRT chain — with a companion Windows application, ARTBrowser, that lets operators drive captured M365 sessions using stolen tokens outside the panel. The practical takeaway for responders: the identity plane, not the endpoint, is where this compromise lives.
Detection and Immediate Response for Compromised M365 Tenants
The moment you suspect an ARToken compromise, your priority is not password resets; it is revoking active tokens and removing the attacker's registered device. Because this attack captures OAuth tokens rather than a password, the access token expires on its own schedule (typically within an hour), but the refresh token and any PRT keep minting new ones until you revoke them. Following the NIST Cybersecurity Framework, here is the prioritized order that actually contains this threat.
Identify
Start by scoping which accounts are affected. Pull your Entra ID (formerly Azure AD) sign-in logs and filter for device code authentications, since that flow is the entry point for this campaign.
- Query sign-in logs for authenticationProtocol == "deviceCode" events. Legitimate device code sign-ins are rare in most tenants, so any hit deserves review. The interactive sign-in log is where the authentication itself appears; the non-interactive log is where the later token refreshes show up.
- Correlate those events against impossible-travel signals: the same user authenticating from geographically distant IPs within a short window.
- Flag any newly registered devices tied to the same users, visible as device registration entries in the directory audit log. A new device is the sign that an operator has moved from token capture to PRT persistence.
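The three checks above can be run together over an export of the sign-in and directory audit logs. The block below is an added example written for this article (not Talos or Microsoft code): record fields follow the Microsoft Graph signIn resource and the directory audit log, every record is constructed, and the "Register device" activity name is an assumption to confirm against your own audit export. Whether the ipAddress on a device code sign-in reflects the victim's browser or the operator's polling client is also something to verify in your tenant rather than assume; the travel check is useful either way.

```python
"""Triage exported Entra ID sign-in and audit records for device-code phishing indicators.

Added example, not from Talos or the kit. Record fields follow the Microsoft Graph
signIn resource (userPrincipalName, createdDateTime, ipAddress,
authenticationProtocol, location.geoCoordinates) and the directory audit log
(activityDisplayName, activityDateTime, initiatedBy). Every record below is
constructed for this example, and the "Register device" activity name is an
assumption to confirm against your tenant's audit export.
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def device_code_signins(signins: list) -> list:
    """Every device-code authentication is worth a look; the flow is rare for ordinary users."""
    return [s for s in signins if s.get("authenticationProtocol") == "deviceCode"]


def impossible_travel(signins: list, max_kmh: float = 900.0, min_km: float = 50.0) -> list:
    """Consecutive sign-ins per user whose implied ground speed exceeds max_kmh.
    Returns (earlier, later, speed_kmh) tuples; min_km filters out geo-IP jitter."""
    by_user = {}
    for s in signins:
        by_user.setdefault(s["userPrincipalName"], []).append(s)
    hits = []
    for events in by_user.values():
        events.sort(key=lambda e: _ts(e["createdDateTime"]))
        for prev, cur in zip(events, events[1:]):
            g1 = prev["location"]["geoCoordinates"]
            g2 = cur["location"]["geoCoordinates"]
            km = haversine_km(g1["latitude"], g1["longitude"], g2["latitude"], g2["longitude"])
            hours = (_ts(cur["createdDateTime"]) - _ts(prev["createdDateTime"])).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")
            if km >= min_km and speed > max_kmh:
                hits.append((prev, cur, round(speed)))
    return hits


def new_device_registrations(audits: list, since: str) -> list:
    cutoff = _ts(since)
    return [a for a in audits
            if a.get("activityDisplayName") == "Register device"
            and _ts(a["activityDateTime"]) >= cutoff]


def triage(signins: list, audits: list, since: str) -> dict:
    """Combine the three signals and name the users who need token revocation first."""
    dc = device_code_signins(signins)
    travel = impossible_travel(signins)
    devices = new_device_registrations(audits, since)
    users = {s["userPrincipalName"] for s in dc}
    users |= {later["userPrincipalName"] for _, later, _ in travel}
    users |= {a["initiatedBy"]["user"]["userPrincipalName"] for a in devices}
    return {"device_code": dc, "impossible_travel": travel, "new_devices": devices, "users": sorted(users)}


# Constructed records (not real tenant data). The second sign-in is the one the
# device code flow would produce: same user, minutes later, from another country.
SIGNINS = [
    {"userPrincipalName": "ap.clerk@example.com", "createdDateTime": "2026-04-20T14:02:00Z",
     "ipAddress": "203.0.113.10", "authenticationProtocol": "none",
     "location": {"countryOrRegion": "US", "geoCoordinates": {"latitude": 43.07, "longitude": -89.40}}},
    {"userPrincipalName": "ap.clerk@example.com", "createdDateTime": "2026-04-20T14:09:00Z",
     "ipAddress": "198.51.100.7", "authenticationProtocol": "deviceCode",
     "location": {"countryOrRegion": "NL", "geoCoordinates": {"latitude": 52.37, "longitude": 4.90}}},
    {"userPrincipalName": "hr.lead@example.com", "createdDateTime": "2026-04-20T15:00:00Z",
     "ipAddress": "203.0.113.11", "authenticationProtocol": "none",
     "location": {"countryOrRegion": "US", "geoCoordinates": {"latitude": 43.07, "longitude": -89.40}}},
]
AUDITS = [
    {"activityDisplayName": "Register device", "activityDateTime": "2026-04-20T14:15:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "ap.clerk@example.com"}}},
]

if __name__ == "__main__":
    report = triage(SIGNINS, AUDITS, "2026-04-20T00:00:00Z")
    print("revoke first:", report["users"])
    for earlier, later, speed in report["impossible_travel"]:
        print(later["userPrincipalName"], earlier["ipAddress"], "->", later["ipAddress"], f"{speed} km/h")
```

The user list the function returns is your revocation queue for the Protect step; a device registration by a user who also has a device code sign-in is the strongest single combination in this data.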
Protect
Once you know the affected accounts, cut off access. Password resets alone do not work here — the ARToken kit explicitly sets persistAfterPassChange: false, meaning the operator expects to escalate to a Primary Refresh Token before you notice.
- Run Revoke-MgUserSignInSession from the Microsoft Graph PowerShell SDK (the older Revoke-AzureADUserAllRefreshToken belongs to the retired AzureAD module) or call the Graph revokeSignInSessions action for every affected user. This invalidates captured refresh tokens and forces every open session to reauthenticate.
- Force a password reset immediately after the session revocation, not before, so the operator cannot use a still-valid refresh token to obtain new tokens in the gap between the two steps.
- Remove or disable any unfamiliar registered devices tied to the compromised accounts. A PRT is bound to a registered device, so this step, not the password reset, is what ends PRT-based persistence.
- Put a Conditional Access policy in place that blocks legacy authentication and, through the Authentication flows condition, blocks the device code flow for users who do not need it.
Detect
The operator's next move is quiet mailbox manipulation. The ARToken email tool (ARTSender) creates inbox rules for forwarding and auto-deletion to suppress evidence, so mailbox rule auditing is where you catch active abuse.
- Audit for New-InboxRule and Set-InboxRule events in the unified audit log, focusing on rules that forward externally, delete messages, or file them into folders the owner rarely opens, especially when the rule matches keywords like "invoice" or "payment" or carries a near-empty name.
- Review mailbox delegation changes and external sharing settings on SharePoint and OneDrive, since the panel supports document upload and permission changes for lateral phishing.
- Watch for token refresh anomalies. The panel's /prt/refresh and /prt/renew calls happen on the operator's side and never reach your tenant; what they produce is repeated non-interactive token refresh activity from a single account and client, so look for that in the non-interactive sign-in log.
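The inbox-rule audit in the first bullet is the check most worth automating, because the rule parameters are logged in full. The block below is an added example written for this article, not the kit's or Talos's code: records follow the unified audit log shape for Exchange cmdlet auditing (Operation, UserId, ClientIP, CreationTime, and Parameters as Name/Value pairs), every record is constructed, the address format inside ForwardTo values varies between exports so addresses are pulled out with a permissive regex, and INTERNAL_DOMAINS and FINANCE_WORDS are placeholders to set for your own tenant.

```python
"""Scan unified audit log records for the inbox-rule patterns an operator leaves behind.

Added example; not the kit's or Talos's code. Records follow the unified audit log
shape for Exchange cmdlet auditing (Operation, UserId, ClientIP, CreationTime,
Parameters as Name/Value pairs); the sample records are constructed. Value formats
for ForwardTo and similar parameters vary between exports, so addresses are pulled
out with a permissive regex. INTERNAL_DOMAINS and FINANCE_WORDS are placeholders
to set for your own tenant.
"""
import re
from typing import Optional

RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
KEYWORD_PARAMS = {"SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords"}
# Folders operators file mail into so the owner never sees it.
HIDE_FOLDERS = {"deleted items", "rss feeds", "rss subscriptions", "conversation history", "junk email", "archive"}
INTERNAL_DOMAINS = {"example.com"}  # placeholder: your accepted domains
FINANCE_WORDS = {"invoice", "payment", "wire", "remittance", "ach", "bank"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def _params(record: dict) -> dict:
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def analyze_rule(record: dict) -> Optional[dict]:
    """Return a finding for a suspicious inbox-rule cmdlet, or None for anything else."""
    if record.get("Operation") not in RULE_OPS:
        return None
    p = _params(record)
    findings = []
    for name in sorted(FORWARD_PARAMS & p.keys()):
        for addr in EMAIL_RE.findall(p[name]):
            if addr.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS:
                findings.append(f"external {name} to {addr}")
    if p.get("DeleteMessage", "").lower() == "true":
        findings.append("deletes matching mail")
    folder = p.get("MoveToFolder", "").lstrip("\\").lower()
    if folder in HIDE_FOLDERS:
        findings.append(f"moves matching mail to {folder}")
    if p.get("MarkAsRead", "").lower() == "true":
        findings.append("marks matching mail as read")
    words = {w.strip().lower() for name in KEYWORD_PARAMS & p.keys() for w in re.split(r"[;,]", p[name])}
    if words & FINANCE_WORDS:
        findings.append("filters on " + ", ".join(sorted(words & FINANCE_WORDS)))
    if len(p.get("Name", "rule").strip()) <= 2:
        findings.append("near-empty rule name")
    if not findings:
        return None
    hides = any(f.startswith(("external", "deletes", "moves")) for f in findings)
    return {"user": record.get("UserId"), "time": record.get("CreationTime"), "client_ip": record.get("ClientIP"),
            "operation": record["Operation"], "rule": p.get("Name"),
            "severity": "high" if hides else "medium", "findings": findings}


def scan(records: list) -> list:
    return [f for f in (analyze_rule(r) for r in records) if f]


# Constructed audit records (not real tenant data).
RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "ap.clerk@example.com", "ClientIP": "198.51.100.7",
     "CreationTime": "2026-04-20T14:31:00", "Parameters": [
         {"Name": "Name", "Value": "."},
         {"Name": "SubjectOrBodyContainsWords", "Value": "invoice;payment;wire"},
         {"Name": "ForwardTo", "Value": "\"AP Backup\" [SMTP:ap.backup@mail-relay.example.net]"},
         {"Name": "DeleteMessage", "Value": "True"},
         {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "hr.lead@example.com", "ClientIP": "203.0.113.11",
     "CreationTime": "2026-04-20T15:05:00", "Parameters": [
         {"Name": "Name", "Value": "Newsletters"},
         {"Name": "SubjectContainsWords", "Value": "newsletter;digest"},
         {"Name": "MoveToFolder", "Value": "\\Newsletters"}]},
    {"Operation": "Set-InboxRule", "UserId": "ap.clerk@example.com", "ClientIP": "198.51.100.7",
     "CreationTime": "2026-04-20T14:40:00", "Parameters": [
         {"Name": "Identity", "Value": "Vendor"},
         {"Name": "SubjectContainsWords", "Value": "remittance"},
         {"Name": "MoveToFolder", "Value": "\\RSS Feeds"}]},
    {"Operation": "MailItemsAccessed", "UserId": "ap.clerk@example.com", "ClientIP": "198.51.100.7",
     "CreationTime": "2026-04-20T14:12:00", "Parameters": []},
]

if __name__ == "__main__":
    for finding in scan(RECORDS):
        print(finding["severity"], finding["user"], finding["client_ip"], finding["findings"])
```

Preserve the raw records before you remove the rules: the ClientIP on the New-InboxRule event is often the same address that appears on the device code sign-in, which ties the mailbox manipulation to the token capture in one evidence chain.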
Adlumin, deployed in environments Capstone manages, monitors authentication patterns and flags the login anomalies and session-token reuse that signal a stolen OAuth token before the operator escalates to persistent access.
Because MFA is satisfied by the victim rather than defeated inside your tenant, session revocation and device removal, not a password reset, are the controls that actually lock the operator out.
Respond
Treat a confirmed token capture as a full mailbox compromise. Preserve the malicious inbox rules and audit records before deleting them, then remove the rules, revoke sessions again to catch any re-registered tokens, and check for messages sent as the victim to downstream partners — this campaign abuses real vendor relationships, so your compromise may become the next organization's lure.
Recover
After containment, close the door that let this in. Phishing-resistant MFA (FIDO2 keys or Windows Hello for Business) is still worth rolling out to privileged and finance users because it defeats adversary-in-the-middle kits, but on its own it does not stop device code phishing: the victim authenticates at the genuine Microsoft origin, so the key works exactly as designed and the token still lands with the attacker. The control that removes this entry point is a Conditional Access policy that blocks the device code flow for everyone who does not need it. Establish a baseline of normal device-code and sign-in behavior for your tenant so future anomalies stand out, and notify any impersonated vendor or downstream recipient whose relationship was abused in the fraud chain.
ARToken and EvilTokens: Threat Actor Profile and Campaign Scope
The operators behind ARToken are not building infrastructure from scratch — they are affiliates running a rented copy of the EvilTokens phishing-as-a-service platform. Cisco Talos identified the ARToken operator panel during an incident response engagement, and the technical overlaps with EvilTokens are extensive enough to place both under the same operational lineage.
EvilTokens itself was documented by Sekoia in March 2026 and confirmed at scale by Microsoft in April 2026. By the time of Microsoft's publication, Sekoia had counted approximately 500 Cloudflare Workers domains and over 1,000 total phishing pages operating under the EvilTokens umbrella — a footprint that tells you this is a mature, multi-tenant criminal service, not a one-off actor.
Who they target, and why
The affiliate targeting is deliberate. EvilTokens affiliates concentrate on finance professionals, HR staff, and logistics personnel across global regions, and the ARToken lure Talos recovered was aimed at an accounts-payable recipient at a U.S. life-sciences company.
These verticals are chosen for what a compromised mailbox unlocks:
- Finance and accounts-payable — direct access to invoice approvals and payment redirection, the core of a business email compromise payout.
- HR and payroll roles — sensitive employee records and payroll routing that support fraud and follow-on impersonation.
- Logistics personnel — supply-chain visibility and vendor relationships that give attackers trusted context for the next lure.
- Life-sciences and similar regulated firms — high-value document repositories and complex vendor networks that make invoice fraud credible.
For a security team, the pattern to note is that these are not random victims. The operators abuse a real vendor relationship — in the recovered case, spoofing an accounts-payable contact at a legitimate Wisconsin contractor — rather than inventing a sender. That means your risk is highest wherever an established supplier already emails your payment approvers.
Operational tempo and monetization
The tradecraft is targeted rather than spray-and-pray. Talos recovered two near-identical messages sent roughly four minutes apart on April 20, 2026, consistent with a small, deliberate send against a chosen target rather than mass distribution.
EvilTokens is sold as a subscription product: access runs $1,500 one-time plus $500 per month, with a standalone "Portal Browser" offered for $500 lifetime. Anti-bot pages are sold separately through a dedicated Telegram bot, which explains why ARToken's affiliate ships a different, more advanced client-side evasion module than the core platform documents.
This modular pricing means affiliates mix and match components, so no two deployments look identical — a point that matters for anyone tracking the campaign across tenants.
Attribution links between ARToken and EvilTokens
The connection rests on multiple overlapping technical indicators rather than a single tell:
- Identical API contract — ARToken's kit issues the same device-start request and receives the same response fields Sekoia documented for EvilTokens.
- Shared clientMode: "broker" semantics, a parameter of the kit's own backend API (not a standard OAuth parameter) that selects EvilTokens' persistent token capture via Microsoft's Authentication Broker (WAM) flow.
- Matching deployment model: both use UUID-prefixed Cloudflare Workers subdomains and overlapping lure themes (Adobe, OneDrive, document viewers).
- Identical persistence lifecycle — the same token-renewal chain Sekoia named as EvilTokens' core differentiator over traditional adversary-in-the-middle phishing.
- Shared operational model — isolated operator workspaces, Telegram notifications on capture, subscription access, and lure template editors.
For campaign tracking, the takeaway is that ARToken is best treated as one affiliate storefront within a broader EvilTokens ecosystem. Indicators tied to one affiliate will not cover the whole platform, so risk prioritization should assume a rotating set of infrastructure and lures drawn from the same shared toolkit.
Compliance and Disclosure Obligations After M365 Compromise
When ARToken captures an OAuth token from your accounts-payable or HR staff, the compliance clock starts before you even know an intrusion occurred. What the operators can reach — full Outlook inbox content, SharePoint and OneDrive files, and the ability to send mail as the victim — maps directly onto data categories that trigger mandatory disclosure under multiple regimes.
The specific tooling matters for your notification analysis. ARTSender gives operators full read access to compromised mailboxes and the ability to create hidden forwarding rules, while the SharePoint and OneDrive functions let them browse and download whatever the victim account could reach. Once a token capture is confirmed, treat everything those accounts could reach as accessed unless your audit logs (MailItemsAccessed events and SharePoint file access records, where your licensing retains them) let you narrow the scope with evidence; given the platform's evidence-suppression features, the absence of a record is not proof that nothing was read.
Finance and accounts-payable exposure
The invoice-fraud lure recovered by Talos targeted an accounts-payable recipient, and that user's mailbox likely contained payment instructions, banking details, and vendor records. If you are a public company, that access can meet the materiality threshold for SEC Item 1.05 8-K disclosure, which requires reporting a material cybersecurity incident within four business days of determining materiality.
Consider these finance-sector triggers tied to what the panel actually touches:
- SOX audit integrity: The inbox-rule manipulation feature suppresses evidence by auto-deleting or forwarding messages. If financial reporting communications ran through a compromised mailbox, you cannot cleanly attest to the integrity of those controls without documenting the intrusion.
- PCI-DSS: If any accessed email, attachment, or SharePoint file contained cardholder data, your acquirer and card brands have contractual notification requirements that run on their own timeline, separate from statute.
- Wire and payment fraud: Because operators can send mail as the victim with BCC batching, a redirected-payment attempt following the compromise expands the incident from data exposure to attempted financial theft, which carries its own reporting to financial regulators and law enforcement.
HR and employee data obligations
HR mailboxes and OneDrive folders hold the exact personal data that breach-notification laws were written for: Social Security numbers, direct-deposit banking details, benefits enrollment, and immigration paperwork. Access to that data through a compromised HR account is a notifiable event under most U.S. state laws and the GDPR.
Under the GDPR, you have 72 hours from becoming aware of a personal-data breach to notify the relevant supervisory authority — and access to a single HR mailbox can put employee records for staff across multiple jurisdictions in scope at once.
Under the CCPA/CPRA, exposure of California employee or applicant personal information carries notification duties and potential statutory damages for unencrypted, unredacted data. If your HR files included background-check reports, FCRA obligations attach to that consumer-report data as well.
Logistics and cross-sector data
EvilTokens affiliates have targeted logistics personnel, and those mailboxes frequently carry data that spills into regulated categories. If shipping or benefits records touched protected health information, HIPAA breach notification applies, with its 60-day individual-notice deadline and the reporting threshold that escalates public disclosure for larger breaches.
Two points deserve your attention as counsel. First, because ARToken's persistence survives password resets, your "awareness" date for notification clocks is when you confirm the compromise, not when the victim changes a password — and regulators will scrutinize any gap.
Second, the lure impersonated a real supplier contact. Whether that supplier's own tenant was compromised is a question for your investigation rather than an assumption, but your contracts and cyber-insurance claims should account for third-party liability either way, and any DOT-regulated supply-chain credentials exposed in transit documents may carry additional reporting duties.
Document your determination-of-materiality timeline carefully. The evidence-suppression features built into this platform mean investigators may struggle to reconstruct exactly what was read or exfiltrated, and that uncertainty pushes you toward broader, earlier notification rather than a narrow one you may have to correct later.
Secure Your M365 Deployment Against Token Theft
The single most important hardening step against ARToken is to block the device code flow for every Microsoft 365 account that has no business need for it, and to require phishing-resistant MFA on top. The device code flow this campaign abuses works because a victim approves an authentication request on a legitimate Microsoft page; standard MFA prompts (SMS, authenticator push) do not stop it, and neither, by itself, does a hardware security key (FIDO2) or Windows Hello for Business, because the origin the key is bound to is the genuine Microsoft login page. Phishing-resistant MFA still closes the adversary-in-the-middle path that other kits depend on, so deploy both: the Conditional Access block removes this entry point, and the phishing-resistant credential removes the next one.
Following the NIST Cybersecurity Framework, here is how to close the exposure that ARToken exploits.
Identify
Start by inventorying which accounts can even use device code authentication. This flow is legitimate for a narrow set of scenarios — CLI tools, IoT registration — and almost never for accounts-payable, HR, or finance staff.
- Enumerate service accounts, shared mailboxes, and privileged roles that authenticate without interactive MFA — these are the accounts an operator most wants to import or share as a captured token.
- Catalog every legacy authentication protocol still in use: IMAP, POP3, and SMTP AUTH. Legacy auth bypasses modern controls and gives token thieves a quieter path back in.
Protect
This is where you shrink the attack surface. Disable legacy protocols tenant-wide unless a documented business process requires them, and scope any exception to a single account rather than the whole tenant.
- Block the device code flow with an Entra ID Conditional Access policy (the Authentication flows condition, transfer method "Device code flow") for every user population that has no operational need for it. This directly severs the ARToken entry point; keep any exceptions in a single excluded group that you review rather than widening the policy.
- Deploy app-based Conditional Access requiring compliant or hybrid-joined devices, so a captured token cannot be replayed from an unmanaged attacker machine.
- Enforce modern authentication only, and require FIDO2 keys or Windows Hello for privileged and finance roles first, then expand to all users.
These controls matter because the operator's persistence chain escalates a captured token to a Primary Refresh Token that the panel advertises as surviving password resets. A PRT is only issued to a device registered in your tenant, so also review who is allowed to register or join devices in Entra ID device settings, and tie Conditional Access to device compliance so that a PRT on an attacker-registered, non-compliant device buys nothing.
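Before trusting that the two blocks above are in place, check the policy set you actually have: a device code block left in report-only mode, or scoped to a pilot group, covers nothing. The block below is an added example written for this article (not Microsoft's or the page's own code) that audits an exported list of Conditional Access policies and emits a reference body for the device code block. Policy dicts follow the Graph conditionalAccessPolicy shape as I know it (state, conditions.users, conditions.applications, conditions.authenticationFlows.transferMethods, conditions.clientAppTypes, grantControls.builtInControls); confirm the field names against your tenant's export, and note that the sample policies are constructed.

```python
"""Check exported Conditional Access policies for the two blocks this section calls for:
device code flow and legacy authentication.

Added example, not Microsoft's or the page's own code. Policy dicts follow the Graph
conditionalAccessPolicy shape (state, conditions.users, conditions.applications,
conditions.authenticationFlows.transferMethods, conditions.clientAppTypes,
grantControls.builtInControls); confirm field names against your own export.
The sample policies are constructed.
"""


def _list(d: dict, *path: str) -> list:
    for key in path:
        d = d.get(key) or {}
    return d if isinstance(d, list) else []


def _enforced(p: dict) -> bool:
    return p.get("state") == "enabled"


def _blocks(p: dict) -> bool:
    return "block" in _list(p, "grantControls", "builtInControls")


def _all_users_all_apps(p: dict) -> bool:
    return ("All" in _list(p, "conditions", "users", "includeUsers")
            and "All" in _list(p, "conditions", "applications", "includeApplications"))


def _exclusions(p: dict) -> dict:
    users = p.get("conditions", {}).get("users", {})
    return {k: users[k] for k in ("excludeUsers", "excludeGroups", "excludeRoles") if users.get(k)}


def blocks_device_code(p: dict) -> bool:
    """True when the policy targets the device code transfer method with a block grant."""
    methods = (p.get("conditions", {}).get("authenticationFlows") or {}).get("transferMethods", "")
    return "deviceCodeFlow" in {m.strip() for m in methods.split(",")} and _blocks(p)


def blocks_legacy_auth(p: dict) -> bool:
    """True when the policy blocks the two legacy client app types."""
    return {"exchangeActiveSync", "other"} <= set(_list(p, "conditions", "clientAppTypes")) and _blocks(p)


def coverage(policies: list) -> dict:
    """For each control, report whether an enabled all-users/all-apps policy enforces it,
    which policies only report, and which exclusions punch holes in the enforcing ones."""
    report = {}
    for name, pred in (("device_code", blocks_device_code), ("legacy_auth", blocks_legacy_auth)):
        matching = [p for p in policies if pred(p)]
        enforced = [p for p in matching if _enforced(p) and _all_users_all_apps(p)]
        report[name] = {
            "covered": bool(enforced),
            "policies": [p["displayName"] for p in enforced],
            "report_only": [p["displayName"] for p in matching
                            if p.get("state") == "enabledForReportingButNotEnforced"],
            "exclusions": {p["displayName"]: _exclusions(p) for p in enforced if _exclusions(p)},
        }
    return report


def reference_device_code_block(exclude_groups=()) -> dict:
    """Body for a tenant-wide device code block. Break-glass accounts and the few
    headless or CLI users belong in an excluded group, not in a narrower include."""
    return {
        "displayName": "Block device code flow",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": list(exclude_groups)},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


# Constructed policy export: legacy auth is blocked, the device code block is still a pilot.
POLICIES = [
    {"displayName": "Block legacy auth", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]}, "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Block device code (pilot)", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]}, "applications": {"includeApplications": ["All"]},
                    "authenticationFlows": {"transferMethods": "deviceCodeFlow"}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]

if __name__ == "__main__":
    print(coverage(POLICIES))
    print(coverage(POLICIES + [reference_device_code_block(["grp-headless-devices"])]))
```

The exclusions map is the part to read carefully after a deployment: every group listed there is a population for which the device code lure still works, so it should contain only accounts that genuinely sign in from headless tooling.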
Detect
Turn on mailbox auditing for every mailbox and alert on the specific operations ARToken's built-in tooling performs. The kit creates hidden forwarding and auto-delete rules to suppress evidence, so inbox rule changes are a high-value signal.
- Alert on new inbox rules that forward externally or move messages to deleted items, and on delegate or mailbox permission grants.
- Watch for token refresh activity from new IP addresses or unfamiliar client apps against the same account.
Legitimate device code sign-ins are rare in most enterprises — treat any spike as an active investigation, not a tuning exercise.
Adlumin's identity threat detection correlates these authentication anomalies across managed environments, flagging token replay and anomalous sign-in patterns that individual log queries miss. For the delivery side, Microsoft Defender for Office 365 blocks credential-stealing lures at the email gateway before an accounts-payable recipient ever clicks a look-alike SharePoint link.
Respond and Recover
Establish a credential hygiene baseline now so response is fast later. Set a rotation cadence for service account secrets and API keys, and monitor privileged accounts, service accounts, and shared mailboxes as a distinct tier with tighter thresholds.
- Document a runbook that revokes refresh tokens and sessions — not just resets passwords — because token theft does not care about a new password.
- Review and remove any unrecognized registered devices in Entra ID, since the operator's persistence depends on device registration for PRT acquisition.
For IT operations, the payoff is concrete: blocking the device code flow plus device-bound Conditional Access removes the two mechanics, inheriting the victim's completed MFA and replaying a portable token, that make this platform profitable. For the business, it means a single stolen login can no longer turn into standing access to your mailboxes, files, and payment approvals.
What to Do First If You Suspect ARToken Infection
The most useful signal you can act on is the presence of the operator's own tooling, or of the kit's browser artifacts, on a machine that touches Microsoft 365. ARTBrowser, the standalone Windows session-browsing application, exists to drive victim sessions with captured tokens, so it belongs on an operator's machine; if it turns up on any endpoint with M365 access, treat that as a confirmed compromise and assume the endpoint was used to ride stolen sessions. On a victim's own browser the artifact to look for is the artoken_jwt localStorage key under a workers.dev lure origin in the browser profile: it shows the lure page loaded, and given the kit's flow that is reason enough to treat the user's tokens as captured until revocation is done.
What ARToken affiliates do quietly is worth understanding before you scope the damage. Because the operator works through ARTSender and the shared-access model, more than one person may be reading a single mailbox, and captured tokens can be exported or imported between operators. A token you never see leave your tenant may already be traded elsewhere.
That reality shapes your first move. Assume breach for the affected users and audit the last 30 days of mailbox activity for the signs this platform leaves behind:
- Inbox rules that forward or auto-delete, the evidence-suppression pattern ARTSender creates programmatically
- Delegation and calendar-sharing changes that grant access outside the account owner
- Sent items sent as the victim, including BCC batches consistent with the tool's send behavior
Here is the single thing to do before you close this article:
If ARTBrowser or ARToken artifacts appear on any endpoint with M365 access: revoke the affected users' sessions and refresh tokens and remove any registered devices you do not recognize, then force password resets; audit their mailbox activity (forwarding, delegation, calendar sharing, sent items) for the past 30 days; and if you find suspicious rules or access patterns, escalate to incident response and legal.
A password reset on its own will not close the door, because the operator's persistence is built to survive it. Revocation and device removal are what evict the session that is already in someone else's hands; the reset then keeps anything the operator captured from being reused, and the audit tells you how far the access reached.