Ethical Hacking News
EvilTokens, a device-code phishing kit, has been revealed to be even more insidious than initially thought: the infrastructure behind it amounts to a complete Business Email Compromise (BEC) operations environment. This threat highlights the need for robust cybersecurity measures and underscores the importance of continuous monitoring and analysis in the field of cybersecurity.
Key points:
- EvilTokens, a device-code phishing kit, has been found to bypass multi-factor authentication (MFA) in Microsoft 365 applications.
- EvilTokens shares infrastructure and operational patterns with another phishing-as-a-service operator panel called ARToken.
- The phishing operation uses a targeted approach, rather than random spray-and-pray tactics.
- The email lure abused a real vendor relationship to launch the phishing attack.
- ARToken's panel offers a comprehensive post-exploitation toolkit with anti-analysis and evasion capabilities.
- The discovery highlights the need for robust cybersecurity measures to protect against such threats.
EvilTokens, a device-code phishing kit, has been revealed to be even more insidious than initially thought. According to Cisco Talos incident responders, this phishing kit allows criminals to bypass multi-factor authentication (MFA) and silently authenticate as the victim to Microsoft 365 applications. This newfound threat is particularly concerning given the discovery of a "complete BEC operations environment" within EvilTokens' infrastructure.
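Device-code sign-ins are the tell-tale of this technique in tenant telemetry, because the attacker completes the flow with a code the victim was tricked into entering, and the resulting session is the victim's own. The following added example (not from the article or from Cisco Talos) shows how a defender might triage Microsoft 365 sign-in records for device-code authentications. The records are constructed, and the field names (authenticationProtocol, userPrincipalName, ipAddress, appDisplayName, location) are assumed to follow the Microsoft Graph signIn schema; the user baselines and severity rules are illustrative choices.

```python
from collections import defaultdict

# Constructed sign-in records for illustration. Field names are assumed to
# mirror the Microsoft Graph signIn resource; the values are placeholders.
SIGN_INS = [
    {"createdDateTime": "2026-06-30T08:02:11Z", "userPrincipalName": "ap@lifesciences.example",
     "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.7",
     "appDisplayName": "Microsoft Office", "location": {"countryOrRegion": "US"}},
    {"createdDateTime": "2026-06-30T09:15:40Z", "userPrincipalName": "ap@lifesciences.example",
     "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.7",
     "appDisplayName": "Outlook", "location": {"countryOrRegion": "US"}},
    # Device-code sign-in from an IP the user has never used before: the
    # pattern a device-code phishing kit produces once the victim enters the code.
    {"createdDateTime": "2026-06-30T09:31:02Z", "userPrincipalName": "ap@lifesciences.example",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.44",
     "appDisplayName": "Microsoft Office", "location": {"countryOrRegion": "NL"}},
    # Device-code sign-in from a known IP: still worth a look, lower severity.
    {"createdDateTime": "2026-06-30T10:05:19Z", "userPrincipalName": "it-admin@lifesciences.example",
     "authenticationProtocol": "deviceCode", "ipAddress": "192.0.2.10",
     "appDisplayName": "Azure CLI", "location": {"countryOrRegion": "US"}},
    {"createdDateTime": "2026-06-29T10:05:19Z", "userPrincipalName": "it-admin@lifesciences.example",
     "authenticationProtocol": "oAuth2", "ipAddress": "192.0.2.10",
     "appDisplayName": "Azure Portal", "location": {"countryOrRegion": "US"}},
]


def baseline_by_user(records):
    """Build a per-user set of IPs seen on non-device-code sign-ins.

    Using only ordinary sign-ins for the baseline avoids letting the
    suspicious event 'teach' the baseline that its own IP is normal.
    """
    baseline = defaultdict(set)
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            baseline[rec["userPrincipalName"]].add(rec["ipAddress"])
    return baseline


def flag_device_code_sign_ins(records):
    """Return an alert per device-code sign-in, rated by IP novelty.

    Rating rule (illustrative): a device-code sign-in from an IP that the
    same user never used for a normal sign-in is 'high'; otherwise 'medium'.
    """
    baseline = baseline_by_user(records)
    alerts = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        user = rec["userPrincipalName"]
        known_ip = rec["ipAddress"] in baseline[user]
        alerts.append({
            "time": rec["createdDateTime"],
            "user": user,
            "ip": rec["ipAddress"],
            "country": rec.get("location", {}).get("countryOrRegion"),
            "app": rec.get("appDisplayName"),
            "severity": "medium" if known_ip else "high",
        })
    return alerts


if __name__ == "__main__":
    for alert in flag_device_code_sign_ins(SIGN_INS):
        print(f"[{alert['severity'].upper()}] {alert['time']} {alert['user']} "
              f"device-code sign-in from {alert['ip']} ({alert['country']}) via {alert['app']}")
```

In a real deployment the baseline would come from weeks of history rather than the same batch, and the high-severity alert would normally trigger session revocation for the affected user, since the attacker holds a valid token after the device-code flow completes.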
In a recent investigation, Cisco uncovered the connections between EvilTokens and another phishing-as-a-service (PhaaS) operator panel called ARToken. The researchers found that EvilTokens shares infrastructure, API contracts, and operational patterns with ARToken, indicating a level of sophistication in their malicious tactics. This revelation has significant implications for organizations that rely on Microsoft 365 applications.
Talos also discovered that the phishing operation uses a targeted approach, rather than relying on random spray-and-pray tactics. The email lure abused a real vendor relationship between a US life-sciences company and a legitimate plumbing and fire-protection contractor to launch the phishing attack. This was achieved by utilizing an outstanding-invoice lure, which told the life-sciences company that "the following invoices appear to still be outstanding." The Reply-To header then steered any replies to an unrelated domain.
Moreover, the visible anchor text in the body of the email showed the address of the vendor's genuine SharePoint tenant, further convincing the victim. However, the actual href pointed to a near-identical copycat tenant in a different, attacker-controlled Microsoft 365 workspace. Because the displayed link matched a trusted domain, the email was less likely to be flagged as phishing.
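Both of the lure's tricks described above, a Reply-To domain that differs from the From domain and anchor text that displays one host while the href points at another, are mechanically checkable at the mail gateway or in a triage script. The following added example (not from the article or from Cisco Talos) parses a constructed message modelled on that lure and reports both mismatches; the domains in the sample are placeholders, not the tenants involved in the real incident.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message. The From/Reply-To domains and the SharePoint
# hosts are placeholders chosen to reproduce the two lure characteristics.
SAMPLE_EML = """\
From: Accounts Receivable <ar@vendor-fireprotection.example>
Reply-To: Accounts Receivable <ar@vendor-fireprotection-billing.example>
To: ap@lifesciences.example
Subject: Outstanding invoices
Content-Type: text/html; charset="utf-8"

<html><body>
<p>The following invoices appear to still be outstanding.</p>
<p><a href="https://vendorfireprotection.sharepoint.com/:f:/s/AR/invoices">https://vendor-fireprotection.sharepoint.com/sites/AR/invoices</a></p>
</body></html>
"""


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(header_value):
    """Return the lower-cased domain part of an address header."""
    addr = parseaddr(str(header_value))[1]
    return addr.rsplit("@", 1)[-1].lower()


def host_of(url_like):
    """Return the lower-cased hostname of a URL, tolerating a missing scheme."""
    if "://" not in url_like:
        url_like = "https://" + url_like
    return (urlparse(url_like).hostname or "").lower()


def looks_like_url(text):
    return "://" in text or text.lower().startswith("www.")


def analyse_message(raw):
    """Return a list of (finding_kind, detail) tuples for the message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Check 1: replies routed to a domain other than the sender's.
    from_domain = domain_of(msg["From"] or "")
    if msg["Reply-To"]:
        reply_domain = domain_of(msg["Reply-To"])
        if reply_domain != from_domain:
            findings.append(("reply-to-mismatch",
                             f"From domain {from_domain} but Reply-To domain {reply_domain}"))

    # Check 2: anchor text that displays a URL whose host differs from the href host.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = AnchorCollector()
        collector.feed(body.get_content())
        for href, text in collector.anchors:
            if href and looks_like_url(text) and host_of(text) != host_of(href):
                findings.append(("anchor-host-mismatch",
                                 f"text shows {host_of(text)} but link goes to {host_of(href)}"))
    return findings


if __name__ == "__main__":
    for kind, detail in analyse_message(SAMPLE_EML):
        print(f"{kind}: {detail}")
```

The anchor check deliberately fires only when the visible text itself looks like a URL; plain descriptive link text ("View invoices") is ordinary and would otherwise swamp the signal.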
The connections between EvilTokens and ARToken also revealed an API contract identical to the one Sekoia originally documented, along with matching deployment and operational models. Furthermore, Talos uncovered "notably more sophisticated" anti-analysis and evasion capabilities within ARToken's panel.
ARToken's panel provided a comprehensive post-exploitation toolkit that included token management, persistence mechanisms, and a built-in business email compromise (BEC) tool. This BEC tool offered full read access to the victim's Microsoft Outlook inbox, the ability to send email, and keyword-based monitoring across all compromised accounts.
"This platform is more mature than a simple device code phishing kit - it is a complete BEC operations environment," noted security research engineer Michael Kelley.
The discovery of EvilTokens and ARToken has significant implications for organizations that rely on Microsoft 365 applications. The fact that these kits are becoming increasingly sophisticated highlights the need for robust cybersecurity measures to protect against such threats. It is essential for organizations to stay vigilant and implement effective security protocols to prevent such phishing attacks from compromising their systems.
The findings of Cisco Talos have shed light on a previously unknown aspect of the EvilTokens device-code phishing kit. This revelation underscores the importance of continuous monitoring and analysis in the cybersecurity field, as well as the need for collaboration between researchers and organizations to stay ahead of emerging threats.
In conclusion, the discovery of EvilTokens and ARToken serves as a reminder of the evolving nature of cyber threats. As these kits continue to become more sophisticated, it is essential for organizations to remain vigilant and implement effective security protocols to protect their systems against such threats.
Related Information:
https://www.ethicalhackingnews.com/articles/Unveiling-the-EvilTokens-Device-Code-Phishing-Kit-A-Comprehensive-Threat-to-Cybersecurity-ehn.shtml
https://www.theregister.com/cyber-crime/2026/07/01/eviltokens-device-code-phishing-kit-totally-more-evil-than-we-all-thought/5265409
Published: Wed Jul 1 17:47:37 2026 by llama3.2 3B Q4_K_M