A newly uncovered phishing panel called ARToken is giving cybercriminals an easy way to steal Microsoft 365 login sessions without ever touching a password.
The tool works by abusing a legitimate Microsoft sign-in feature meant for devices without a keyboard or browser, tricking victims into approving a login on the attacker’s behalf.
Once that approval happens, the attacker walks away with a working session token, no multi-factor code required.
What makes ARToken stand out is not just the theft itself but what happens afterward. The panel gives criminal operators a dashboard packed with more than eighty functions, covering everything from refreshing stolen tokens to reading a victim’s entire email inbox.
It even offers tools to browse and download files from SharePoint and OneDrive, turning a single stolen login into a doorway for deeper compromise.
Cisco Talos said in a report shared with Cyber Security News (CSN) that they identified the panel while investigating phishing infrastructure tied to an incident response case, and traced its code back to a live management dashboard exposing its entire toolkit publicly.
The panel shares infrastructure, coding patterns, and identical backend commands with EvilTokens, a phishing-as-a-service platform documented earlier this year by researchers at Sekoia and later confirmed by Microsoft as a large-scale threat.
By the time Microsoft acknowledged the scale of these device code attacks, researchers had already tracked roughly 500 Cloudflare Workers domains and more than 2,000 phishing pages tied to the broader EvilTokens operation.
Affiliates targeted finance staff, human resources teams, and logistics personnel across multiple regions, often using AI-generated messages tailored to each victim.
ARToken appears to be a rebranded or closely related offshoot of that same criminal ecosystem, built for affiliates wanting a slicker interface and deeper post-breach tools.
Microsoft 365 Phishing Panel Uses OAuth Device Code Flow
The attack usually begins with a convincing email impersonating a real vendor contact rather than inventing a fake company from scratch.
In one case examined by researchers, the message spoofed an accounts payable contact at a legitimate contractor and directed the recipient toward what looked like a genuine SharePoint file link tied to an outstanding invoice.
The visible link text pointed to the vendor’s real SharePoint tenant, but the actual destination quietly redirected to a nearly identical, attacker-controlled workspace.
Since the link still resolved to a real sharepoint.com address, it carried the trust normally associated with that platform, helping it slip past spam filters and cautious readers alike.
Clicking through leads the victim to a fake Microsoft device login page, shown below in the panel’s own interface.
ARToken login page (Source – Cisco Talos)
The kit then displays a device code and asks the target to enter it at the real microsoft.com/devicelogin page, a step that feels routine to anyone who has set up a smart TV or streaming app before.
Once entered, the backend silently captures a working access token without asking for a password.
Built-In Evasion and Persistence Tricks
Before any of that happens, the phishing kit runs a seven-layer screening process designed to filter out security scanners and automated bots.
It checks browser fingerprints, watches for natural mouse movement, and waits nearly a full second before activating, all in an effort to convince itself that it is dealing with a genuine human rather than a sandbox.
The stolen token itself is only the beginning. ARToken can escalate that initial access into a longer-lived credential known as a primary refresh token, which keeps working even after the victim changes their password.
Human verification logic (Source – Cisco Talos)
That design choice separates this attack from older phishing methods, since a normal password reset would otherwise shut an attacker out.
From there, operators can read the victim’s full email inbox, send messages appearing to come from the compromised account, and quietly create inbox rules that hide or forward evidence of the intrusion.
Security teams should treat unexpected device code prompts with suspicion and confirm unusual invoice or document requests through a separate, trusted channel before acting.
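The two signals the article describes, a device code sign-in followed by an inbox rule that hides or forwards mail, can be correlated from Entra ID sign-in logs and Exchange Online audit records. The following is an added example, not code from Cisco Talos or the report; the sample records are constructed, the "kind" wrapper key is an assumption used to mix both log sources in one stream, and the other field names follow the Entra sign-in (authenticationProtocol) and unified audit log (Operation, Parameters) schemas.

```python
import json

# Constructed sample records (not taken from the Talos report): two Entra ID sign-in
# entries and two Exchange Online audit entries, trimmed to the fields checked below.
# The "kind" key is an assumed wrapper so both sources can share one newline-delimited stream.
SAMPLE_LOG = """
{"kind":"signin","user":"alice@example.com","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.10","appDisplayName":"Microsoft Office"}
{"kind":"signin","user":"bob@example.com","authenticationProtocol":"none","ipAddress":"198.51.100.5","appDisplayName":"Microsoft Teams"}
{"kind":"audit","user":"alice@example.com","Operation":"New-InboxRule","Parameters":[{"Name":"DeleteMessage","Value":"True"},{"Name":"SubjectContainsWords","Value":"invoice"}]}
{"kind":"audit","user":"carol@example.com","Operation":"Set-InboxRule","Parameters":[{"Name":"MoveToFolder","Value":"Receipts"}]}
"""

# Inbox-rule parameters that forward, redirect or hide mail; a rule setting any of
# these shortly after a device code sign-in is the post-compromise pattern described above.
CONCEALMENT_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                      "DeleteMessage", "MarkAsRead"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}


def parse_events(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def device_code_signins(events):
    """Users who authenticated via the OAuth device code grant, with source IP and app."""
    return [(e["user"], e["ipAddress"], e["appDisplayName"])
            for e in events
            if e.get("kind") == "signin" and e.get("authenticationProtocol") == "deviceCode"]


def concealment_rules(events):
    """Users who created or changed an inbox rule that forwards, deletes or hides messages."""
    hits = []
    for e in events:
        if e.get("kind") != "audit" or e.get("Operation") not in RULE_OPERATIONS:
            continue
        flagged = sorted(p["Name"] for p in e.get("Parameters", [])
                         if p["Name"] in CONCEALMENT_PARAMS)
        if flagged:
            hits.append((e["user"], flagged))
    return hits


def correlate(events):
    """Users seen in BOTH lists: a device code sign-in plus a concealment rule."""
    signin_users = {user for user, _, _ in device_code_signins(events)}
    return sorted(user for user, _ in concealment_rules(events) if user in signin_users)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("device code sign-ins:", device_code_signins(evs))
    print("concealment rules:", concealment_rules(evs))
    print("users to investigate:", correlate(evs))
```

In a tenant that never legitimately uses the device code grant, the sign-in check alone is worth alerting on; the correlation step is for tenants where smart TVs, CLI tools or kiosks make a blanket alert too noisy.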
Indicators of Compromise (IoCs):
Type | Indicator | Description
Domain | dashboard-bl.pamconj[.]com | ARToken management panel hosting the React based operator dashboard
Domain | spx.pamconj[.]com | Command-and-control API endpoint for the ARToken phishing kit
Domain | clear90489058903-document.workers[.]dev | Cloudflare Workers account used to deploy phishing lures
URL | https[:]//mononapfp.sharepoint[.]com/:f:/document/INV-IgCx1X50pgUjR7iAjZL2fuQaAW4GfKVs6wHT3BYv9sgwW7g | Visible anchor link disguised as the vendor’s genuine SharePoint tenant
URL | https[:]//mononapfpcom.sharepoint[.]com/:f:/g/IgAdH_aaBPMcQbtINZzC1TsLARj3dHj63MnKjvnY-QJrKEc | Actual attacker-controlled SharePoint tenant used for redirection
File | pumber.png | Inline signature image included in phishing emails for content mutation
Identifier | 84eb384d-cd3e-4c90-a283-c960ce557913 | Hardcoded operator UUID used in device code API calls
Storage Key | artoken_jwt | LocalStorage key targeted to steal existing JWT tokens for session correlation
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
The post Microsoft 365 Phishing Panel Uses OAuth Device Code Flow to Capture Tokens and Persist Access appeared first on Cyber Security News.