New Microsoft 365 Phishing Uses OAuth Device Code Flow to Steal Tokens

Jennifer Sherman
July 2, 2026

Key Takeaways

  • A new phishing panel, ARToken, is actively exploiting Microsoft 365 users by leveraging the OAuth Device Code Flow to steal session tokens.
  • The attack bypasses traditional password-based authentication and even multi-factor authentication (MFA).
  • ARToken, an evolution of the EvilTokens phishing-as-a-service platform, provides attackers with a comprehensive dashboard featuring over 80 functions for post-compromise activities.
  • Compromised sessions can persist even after victims change their passwords due to the theft of primary refresh tokens.
  • Targets include finance, HR, and logistics personnel, often using highly personalized, AI-generated phishing emails.

A sophisticated new phishing panel, dubbed ARToken, has emerged, enabling cybercriminals to effortlessly hijack Microsoft 365 sessions without requiring a victim’s password. This advanced tool exploits a legitimate Microsoft sign-in feature designed for devices lacking conventional input methods, effectively tricking users into authorizing an attacker’s login.

Once a user grants this deceptive approval, attackers gain immediate access to a valid session token, completely circumventing multi-factor authentication (MFA) requirements. The implications extend beyond initial access, as ARToken offers a comprehensive dashboard with more than eighty functions, from refreshing stolen tokens to accessing a victim’s entire email inbox. It also facilitates browsing and downloading files from SharePoint and OneDrive, transforming a single compromised login into a gateway for extensive corporate data exfiltration and deeper system compromise.

ARToken’s Connection to EvilTokens

Cisco Talos said in a report that their researchers uncovered the ARToken panel during an investigation into phishing infrastructure linked to an incident response case. Their analysis revealed a live management dashboard, exposing the full range of the toolkit publicly. Further examination showed significant overlaps in infrastructure, coding patterns, and backend commands with EvilTokens, a prominent phishing-as-a-service (PaaS) platform. EvilTokens was previously documented by Sekoia researchers and later confirmed by Microsoft as a significant and widespread threat earlier this year.

By the time Microsoft publicly acknowledged the prevalence of these device code attacks, researchers had already identified approximately 500 Cloudflare Workers domains and over 2,000 phishing pages associated with the broader EvilTokens operation. Attackers using this ecosystem have specifically targeted finance, human resources, and logistics departments across various geographical regions, frequently employing AI-generated messages meticulously tailored to individual victims.

ARToken appears to be either a direct rebrand or a closely related offshoot of this existing criminal network, offering affiliates a more refined interface and enhanced post-breach capabilities.

Microsoft 365 Phishing Panel Uses OAuth Device Code Flow

The attack sequence typically initiates with a highly convincing phishing email. These messages often impersonate legitimate vendor contacts rather than fabricating entirely new company identities. In one instance analyzed by researchers, an email mimicked an accounts payable contact from a genuine contractor. It directed the recipient to what appeared to be a legitimate SharePoint file link related to an outstanding invoice.

While the visible link text displayed the vendor’s authentic SharePoint tenant, the underlying destination subtly redirected to an almost identical, attacker-controlled workspace. Because the displayed link still resolved to a genuine sharepoint.com address, it leveraged the inherent trust associated with the platform, enabling it to bypass email spam filters and deceive wary users.

Clicking this link leads the victim to a fraudulent Microsoft device login page. The phishing kit then presents a unique device code and instructs the target to enter it on the authentic microsoft.com/devicelogin page. This step is designed to feel familiar, resembling the process of setting up applications on smart TVs or streaming devices. Upon entering the code, the attacker’s backend silently captures a functional access token, completely bypassing any password prompts or MFA challenges.
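The mechanism the paragraph describes, as an added example that is not code from the article or from Cisco Talos: a toy in-memory model of the OAuth 2.0 Device Authorization Grant (RFC 8628), with constructed URIs and tokens. It shows the property the attack relies on: the token is delivered to whoever requested the device code, never to the browser session that approved it.

```python
"""Toy model of the OAuth 2.0 Device Authorization Grant (RFC 8628).
Added example, not code from the article or from Cisco Talos; the in-memory
server, URI and tokens are constructed stand-ins. It shows what the attack
relies on: the token goes to whoever requested the device code, not to the
browser session that approved it."""
import secrets

class DeviceCodeAuthServer:
    def __init__(self):
        self._pending = {}        # device_code -> grant state
        self._by_user_code = {}   # user_code -> device_code

    def device_authorization(self, client_id):
        """Step 1: the requesting client keeps device_code; user_code is
        shown to the person asked to approve."""
        device_code = secrets.token_hex(16)
        user_code = f"{secrets.randbelow(10**4):04d}-{secrets.randbelow(10**4):04d}"
        self._pending[device_code] = {"client_id": client_id, "user": None}
        self._by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example/devicelogin"}  # constructed

    def user_authorizes(self, user_code, authenticated_user):
        """Step 2: a signed-in browser session (MFA already satisfied) enters
        the user_code. Nothing binds that session to the requesting client."""
        device_code = self._by_user_code.get(user_code)
        if device_code is None:
            return False
        self._pending[device_code]["user"] = authenticated_user
        return True

    def token(self, device_code):
        """Step 3: the requesting client polls until the grant is approved."""
        entry = self._pending.get(device_code)
        if entry is None:
            return {"error": "invalid_grant"}
        if entry["user"] is None:
            return {"error": "authorization_pending"}
        return {"access_token": f"tok-{secrets.token_hex(8)}", "sub": entry["user"]}

def run_scenario():
    srv = DeviceCodeAuthServer()
    grant = srv.device_authorization(client_id="requesting-client")
    assert srv.token(grant["device_code"]) == {"error": "authorization_pending"}
    # The approver only sees the user_code and the genuine verification URI.
    assert srv.user_authorizes(grant["user_code"], "user@example.com")
    # The token is issued to the device_code holder with no password or MFA
    # prompt of its own; in the case above that holder is the phishing backend.
    return srv.token(grant["device_code"])
```

This is also why a Conditional Access policy that restricts the device code flow to the accounts and apps that genuinely need it removes the attack surface rather than just detecting it.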

Built-in Evasion and Persistence Tricks

Before any of the token theft occurs, the phishing kit employs a sophisticated seven-layer screening process to detect and filter out security scanners and automated bots. This includes checking browser fingerprints, monitoring for natural mouse movements, and introducing a nearly one-second delay before activating the phishing payload, all designed to confirm interaction with a genuine human user.

The stolen session token is merely the initial step. ARToken possesses the capability to escalate this initial access into a more enduring credential known as a primary refresh token (PRT). A PRT remains active and grants access even if the victim subsequently changes their password. This critical feature distinguishes ARToken from older phishing methods, as a standard password reset would typically revoke an attacker’s access in those scenarios. This persistence mechanism allows operators to maintain long-term access to compromised accounts.

With a PRT in hand, attackers can perform a wide array of malicious actions. This includes reading the victim’s entire email inbox, sending emails that appear to originate from the compromised account, and subtly creating inbox rules to hide or forward evidence of the intrusion, thereby maintaining stealth and control.

What You Should Do

  • Exercise Extreme Caution with Device Code Prompts: Treat any unexpected requests to enter a device code at microsoft.com/devicelogin with high suspicion. Verify the legitimacy of such requests through an independent, trusted channel (e.g., direct call to the IT help desk) before proceeding.
  • Verify Sender and Links: Always scrutinize the sender’s email address and hover over links to reveal their true destination before clicking. Be wary of any discrepancies, even if the visible text appears legitimate.
  • Implement Advanced Phishing Protection: Deploy and regularly update advanced email security solutions capable of detecting and blocking sophisticated phishing attempts, including those that leverage URL redirects and impersonation.
  • Strengthen Multi-Factor Authentication (MFA): While this attack bypasses some MFA implementations, ensure your MFA policies are as robust as possible. Consider FIDO2 hardware tokens for critical accounts, as they offer stronger protection against token theft.
  • Regular Security Awareness Training: Conduct frequent and up-to-date security awareness training for all employees, focusing on recognizing advanced phishing tactics, social engineering, and the risks associated with device code flows.
  • Monitor for Unusual Activity: Implement robust logging and monitoring for Microsoft 365 environments to detect unusual login locations, access patterns, or changes to inbox rules that could indicate compromise.
  • Review Application Permissions: Regularly audit and review permissions granted to applications within your Microsoft 365 tenant. Remove any unnecessary or suspicious application consents.
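A detection-side illustration of the "Monitor for Unusual Activity" item above, as an added example that is not from the article or Cisco Talos: it triages constructed sign-in and audit records for device code flow sign-ins and for new inbox rules that hide or forward mail, then correlates the two. The field names (Entra ID sign-in `authenticationProtocol`, unified audit log `Operation`/`Parameters`) are assumptions to map onto your tenant's export.

```python
"""Triage constructed Microsoft 365 log records for two of the signals the
guidance above points at: device code flow sign-ins and new inbox rules that
hide or forward mail. Added example, not from the article or Cisco Talos. The
field names (Entra ID sign-in 'authenticationProtocol', unified audit log
'Operation'/'Parameters') are assumptions; the records below are constructed."""
SIGNIN_LOGS = [
    {"userPrincipalName": "ap.clerk@example.com", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
    {"userPrincipalName": "ap.clerk@example.com", "authenticationProtocol": "none",
     "appDisplayName": "Outlook", "status": {"errorCode": 0}},
    {"userPrincipalName": "dev@example.com", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Azure CLI", "status": {"errorCode": 50199}},  # never approved
]
AUDIT_LOGS = [
    {"Operation": "New-InboxRule", "UserId": "ap.clerk@example.com",
     "Parameters": [{"Name": "SubjectContainsWords", "Value": "invoice"},
                    {"Name": "MoveToFolder", "Value": "RSS Feeds"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "hr@example.com",
     "Parameters": [{"Name": "FromAddressContainsWords", "Value": "newsletter"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
]

# Rule actions that send mail out of the tenant or delete it outright.
EXFIL_OR_DELETE = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "DeleteMessage"}
# Folders users rarely open; a rule moving mail there is a classic hiding spot.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "archive"}

def device_code_signins(records):
    """Successful sign-ins completed via the device code flow."""
    return [r for r in records
            if r.get("authenticationProtocol") == "deviceCode"
            and r.get("status", {}).get("errorCode") == 0]

def suspicious_inbox_rules(records):
    """UserIds whose New-InboxRule deletes, forwards, or moves mail into a hiding folder."""
    hits = []
    for r in records:
        if r.get("Operation") != "New-InboxRule":
            continue
        params = {p["Name"]: p["Value"] for p in r.get("Parameters", [])}
        hides = params.get("MoveToFolder", "").lower() in HIDING_FOLDERS
        if hides or any(k in params for k in EXFIL_OR_DELETE):
            hits.append(r["UserId"])
    return hits

def correlate(signins, audits):
    """Users with both a device code sign-in and a suspicious new inbox rule:
    the combination described above, and a strong triage priority."""
    flagged = {r["userPrincipalName"].lower() for r in device_code_signins(signins)}
    return sorted(u for u in suspicious_inbox_rules(audits) if u.lower() in flagged)
```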

Indicators of Compromise (IoCs)

Type   | Indicator                  | Description
Domain | dashboard-bl.pamconj[.]com | ARToken management panel hosting the React-based operator dashboard
Domain | spx.pamconj[.]com          | Command-and-control API endpoint for the ARToken phishing kit
