New Microsoft 365 Phishing Uses OAuth Device Code Flow to Steal Tokens
Key Takeaways
- A new phishing panel, ARToken, is actively exploiting Microsoft 365 users by leveraging the OAuth Device Code Flow to steal session tokens.
- The attack bypasses traditional password-based authentication and even multi-factor authentication (MFA).
- ARToken, an evolution of the EvilTokens phishing-as-a-service platform, provides attackers with a comprehensive dashboard featuring over 80 functions for post-compromise activities.
- Compromised sessions can persist even after victims change their passwords due to the theft of primary refresh tokens.
- Targets include finance, HR, and logistics personnel, often using highly personalized, AI-generated phishing emails.
A sophisticated new phishing panel, dubbed ARToken, has emerged, enabling cybercriminals to effortlessly hijack Microsoft 365 sessions without requiring a victim’s password. This advanced tool exploits a legitimate Microsoft sign-in feature designed for devices lacking conventional input methods, effectively tricking users into authorizing an attacker’s login.
Once a user grants this deceptive approval, attackers gain immediate access to a valid session token, completely circumventing multi-factor authentication (MFA) requirements. The implications extend beyond initial access, as ARToken offers a comprehensive dashboard with more than eighty functions, from refreshing stolen tokens to accessing a victim’s entire email inbox. It also facilitates browsing and downloading files from SharePoint and OneDrive, transforming a single compromised login into a gateway for extensive corporate data exfiltration and deeper system compromise.
ARToken’s Connection to EvilTokens
Cisco Talos said in a report that their researchers uncovered the ARToken panel during an investigation into phishing infrastructure linked to an incident response case. Their analysis revealed a live management dashboard, exposing the full range of the toolkit publicly. Further examination showed significant overlaps in infrastructure, coding patterns, and backend commands with EvilTokens, a prominent phishing-as-a-service (PaaS) platform. EvilTokens was previously documented by Sekoia researchers and later confirmed by Microsoft as a significant and widespread threat earlier this year.
By the time Microsoft publicly acknowledged the prevalence of these device code attacks, researchers had already identified approximately 500 Cloudflare Workers domains and over 2,000 phishing pages associated with the broader EvilTokens operation. Attackers using this ecosystem have specifically targeted finance, human resources, and logistics departments across various geographical regions, frequently employing AI-generated messages meticulously tailored to individual victims.
ARToken appears to be either a direct rebrand or a closely related offshoot of this existing criminal network, offering affiliates a more refined interface and enhanced post-breach capabilities.
Microsoft 365 Phishing Panel Uses OAuth Device Code Flow
The attack sequence typically initiates with a highly convincing phishing email. These messages often impersonate legitimate vendor contacts rather than fabricating entirely new company identities. In one instance analyzed by researchers, an email mimicked an accounts payable contact from a genuine contractor. It directed the recipient to what appeared to be a legitimate SharePoint file link related to an outstanding invoice.
While the visible link text displayed the vendor’s authentic SharePoint tenant, the underlying destination subtly redirected to an almost identical, attacker-controlled workspace. Because the displayed link still resolved to a genuine sharepoint.com address, it leveraged the inherent trust associated with the platform, enabling it to bypass email spam filters and deceive wary users.
Clicking this link leads the victim to a fraudulent Microsoft device login page. The phishing kit then presents a unique device code and instructs the target to enter it on the authentic microsoft.com/devicelogin page. This step is designed to feel familiar, resembling the process of setting up applications on smart TVs or streaming devices. Upon entering the code, the attacker’s backend silently captures a functional access token, completely bypassing any password prompts or MFA challenges.
Built-in Evasion and Persistence Tricks
Before any of the token theft occurs, the phishing kit employs a sophisticated seven-layer screening process to detect and filter out security scanners and automated bots. This includes checking browser fingerprints, monitoring for natural mouse movements, and introducing a nearly one-second delay before activating the phishing payload, all designed to confirm interaction with a genuine human user.
The stolen session token is merely the initial step. ARToken possesses the capability to escalate this initial access into a more enduring credential known as a primary refresh token (PRT). A PRT remains active and grants access even if the victim subsequently changes their password. This critical feature distinguishes ARToken from older phishing methods, as a standard password reset would typically revoke an attacker’s access in those scenarios. This persistence mechanism allows operators to maintain long-term access to compromised accounts.
With a PRT in hand, attackers can perform a wide array of malicious actions. This includes reading the victim’s entire email inbox, sending emails that appear to originate from the compromised account, and subtly creating inbox rules to hide or forward evidence of the intrusion, thereby maintaining stealth and control.
What You Should Do
- Exercise Extreme Caution with Device Code Prompts: Treat any unexpected requests to enter a device code at microsoft.com/devicelogin with high suspicion. Verify the legitimacy of such requests through an independent, trusted channel (e.g., direct call to the IT help desk) before proceeding.
- Verify Sender and Links: Always scrutinize the sender’s email address and hover over links to reveal their true destination before clicking. Be wary of any discrepancies, even if the visible text appears legitimate.
- Implement Advanced Phishing Protection: Deploy and regularly update advanced email security solutions capable of detecting and blocking sophisticated phishing attempts, including those that leverage URL redirects and impersonation.
- Strengthen Multi-Factor Authentication (MFA): While this attack bypasses some MFA implementations, ensure your MFA policies are as robust as possible. Consider FIDO2 hardware tokens for critical accounts, as they offer stronger protection against token theft.
- Regular Security Awareness Training: Conduct frequent and up-to-date security awareness training for all employees, focusing on recognizing advanced phishing tactics, social engineering, and the risks associated with device code flows.
- Monitor for Unusual Activity: Implement robust logging and monitoring for Microsoft 365 environments to detect unusual login locations, access patterns, or changes to inbox rules that could indicate compromise.
- Review Application Permissions: Regularly audit and review permissions granted to applications within your Microsoft 365 tenant. Remove any unnecessary or suspicious application consents.
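As an added example (not from the article, Cisco Talos, or Microsoft), the following Python correlates the two behaviours described above: a sign-in completed through the device code grant (Entra ID sign-in logs record this in the `authenticationProtocol` field) followed shortly by an inbox rule that deletes or forwards mail. The record layout and every sample value are constructed to resemble a simplified SIEM export and are assumptions, not real telemetry.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real logs): simplified Entra ID sign-in events
# and Exchange Online audit events, in the shape a SIEM export might use.
SAMPLE_EVENTS = [
    {"type": "signin", "user": "ap@corp.example", "ts": "2025-06-01T09:02:00Z",
     "authenticationProtocol": "authorizationCode", "country": "DE"},
    {"type": "signin", "user": "ap@corp.example", "ts": "2025-06-01T09:10:00Z",
     "authenticationProtocol": "deviceCode", "country": "NG"},
    {"type": "audit", "user": "ap@corp.example", "ts": "2025-06-01T09:25:00Z",
     "operation": "New-InboxRule",
     "parameters": {"SubjectContainsWords": "invoice", "DeleteMessage": "True"}},
    {"type": "signin", "user": "hr@corp.example", "ts": "2025-06-01T10:00:00Z",
     "authenticationProtocol": "deviceCode", "country": "DE"},
    {"type": "audit", "user": "hr@corp.example", "ts": "2025-06-01T10:05:00Z",
     "operation": "New-InboxRule",
     "parameters": {"SubjectContainsWords": "newsletter", "MoveToFolder": "Reading"}},
]

# Inbox rule parameters that hide or siphon mail after a compromise.
HIDING_PARAMS = {"DeleteMessage", "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}


def _ts(event):
    return datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))


def device_code_signins(events):
    """Sign-ins that completed via the OAuth device code grant."""
    return [e for e in events if e["type"] == "signin"
            and e.get("authenticationProtocol") == "deviceCode"]


def hiding_inbox_rules(events):
    """Inbox rule changes that delete or forward mail."""
    return [e for e in events if e["type"] == "audit"
            and e.get("operation") in {"New-InboxRule", "Set-InboxRule"}
            and HIDING_PARAMS & set(e.get("parameters", {}))]


def correlate(events, window_minutes=60):
    """Users with a device-code sign-in followed, within the window, by a hiding rule."""
    window = timedelta(minutes=window_minutes)
    flagged = set()
    for s in device_code_signins(events):
        for r in hiding_inbox_rules(events):
            if r["user"] == s["user"] and timedelta(0) <= _ts(r) - _ts(s) <= window:
                flagged.add(s["user"])
    return sorted(flagged)


if __name__ == "__main__":
    print("device-code sign-ins:", len(device_code_signins(SAMPLE_EVENTS)))
    print("flagged users:", correlate(SAMPLE_EVENTS))
```

Where the device code grant is not needed at all, Entra Conditional Access can block it outright through its authentication flows condition, which removes the attack path rather than only detecting it.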