
Device code phishing grew up: inside the ARToken BEC-as-a-service panel


Business email compromise used to require a threat actor with technical depth in Microsoft authentication flows. A Cisco Talos discovery changes that picture. The ARToken panel is a React-powered management platform that hands affiliates of the EvilTokens phishing-as-a-service operation a complete BEC toolkit with no programming required.

What Talos found

Talos discovered ARToken during an incident response engagement. The platform had left more than 80 internal API endpoints exposed, giving Talos a full map of the platform architecture without needing to break any encryption. ARToken issues the same POST /api/device/start API call that EvilTokens uses, a connection Sekoia's earlier research on EvilTokens documented.

Attack delivery uses spoofed vendor invoice emails. The lure shows a legitimate-looking SharePoint address; the actual redirect goes to a lookalike Microsoft 365 tenant inside the attacker's own workspace. Targets believe they are authenticating into something trusted.

The device code flow: why it bypasses MFA

Device code authentication (the OAuth 2.0 device authorization grant) was built for input-limited hardware like smart TVs and printers: the device requests a short user code, the user enters that code and signs in from a browser on another machine, and the device then polls Microsoft's token endpoint until tokens are issued. Phishing abuses that split. The attacker plays the device, delivers the user code to the victim, and the victim completes a genuine sign-in on Microsoft's own login page, MFA prompt included. Microsoft treats the completed exchange as a valid first-party authentication event, so MFA is not skipped; it is satisfied by the victim, and the resulting tokens go to whoever holds the device code. Conditional Access policies that require MFA on browser sign-ins therefore do not stop it, and nothing blocks the device code flow by default unless a policy targets that flow explicitly. The attacker receives an access token and a refresh token (not a Primary Refresh Token, which only registered devices obtain) that grant persistent access to Outlook, SharePoint, and OneDrive with no further authentication challenges until the refresh token expires or is revoked.
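The exchange described above, as an added example that is not part of the original article and not ARToken, EvilTokens or Microsoft code: a toy in-memory authorization server with the two endpoints the device code grant needs, an attacker routine that starts the flow and polls, and a victim step in which the MFA check is a boolean. The client_id, scope string and verification URI are placeholders. It shows the point that matters for defenders: the tokens are issued to the client holding the device code, not to the browser session that performed MFA, and the lure only has the code's lifetime (15 minutes at Microsoft) to work.

```python
"""Toy model of the OAuth 2.0 device authorization grant (RFC 8628) as abused
by device code phishing. Added example, not ARToken, EvilTokens or Microsoft
code: ToyAuthServer is an in-memory stand-in for the identity provider's
device-code and token endpoints, the MFA step is a boolean, and the client_id,
scope and URI are placeholders."""
import secrets
import time


class ToyAuthServer:
    """Minimal stand-in for the /devicecode and /token endpoints."""

    def __init__(self, code_lifetime: int = 900):
        self.code_lifetime = code_lifetime   # Microsoft user codes expire after 15 min
        self.pending = {}                    # device_code -> flow state
        self.by_user_code = {}               # user_code   -> device_code

    def device_authorization(self, client_id: str, scope: str) -> dict:
        """Step 1: the 'device' (in a phish, the attacker) requests a code pair."""
        device_code = secrets.token_urlsafe(32)
        user_code = "-".join(secrets.token_hex(2).upper() for _ in range(2))  # toy format
        self.pending[device_code] = {"client_id": client_id, "scope": scope,
                                     "user_code": user_code, "issued_at": time.time(),
                                     "approved_by": None}
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example.test/device",  # placeholder
                "expires_in": self.code_lifetime, "interval": 5}

    def user_login(self, user_code: str, username: str, mfa_ok: bool, now=None) -> str:
        """Step 2: a human types the code into a browser and signs in there, MFA
        included. Nothing ties this browser session to the client that is polling."""
        device_code = self.by_user_code.get(user_code)
        if device_code is None:
            return "invalid_code"
        st = self.pending[device_code]
        now = time.time() if now is None else now
        if now - st["issued_at"] > self.code_lifetime:
            return "expired_token"
        if not mfa_ok:
            return "mfa_failed"
        st["approved_by"] = username
        return "approved"

    def token(self, device_code: str, now=None) -> dict:
        """Step 3: whoever holds device_code polls here and receives the tokens."""
        st = self.pending.get(device_code)
        if st is None:
            return {"error": "invalid_grant"}
        now = time.time() if now is None else now
        if now - st["issued_at"] > self.code_lifetime:
            return {"error": "expired_token"}
        if st["approved_by"] is None:
            return {"error": "authorization_pending"}
        # Access + refresh token, issued to the polling client_id, not to the
        # browser session that did the MFA. No PRT is involved in this grant.
        return {"access_token": "at." + secrets.token_urlsafe(8),
                "refresh_token": "rt." + secrets.token_urlsafe(8),
                "scope": st["scope"], "subject": st["approved_by"],
                "client_id": st["client_id"]}


def run_phish(server: ToyAuthServer, victim: str = "alice@victim.test",
              victim_mfa_ok: bool = True, delay: float = 0.0) -> dict:
    """Attacker side of the flow. `delay` is how long the victim waits before
    acting, to show the code lifetime the lure has to work within."""
    # Real campaigns use a Microsoft first-party client_id so no consent prompt
    # appears; the all-zero GUID here is a placeholder, as is the scope string.
    start = server.device_authorization(client_id="00000000-0000-0000-0000-000000000000",
                                        scope="Mail.ReadWrite Files.Read.All offline_access")
    first_poll = server.token(start["device_code"])          # before the victim acts
    later = time.time() + delay
    login_result = server.user_login(start["user_code"], victim, victim_mfa_ok, now=later)
    tokens = server.token(start["device_code"], now=later)   # attacker keeps polling
    return {"first_poll": first_poll, "login_result": login_result, "tokens": tokens}


if __name__ == "__main__":
    print(run_phish(ToyAuthServer()))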

What the ARToken panel actually offers

Once a victim completes the device code exchange, ARToken gives the operator:

  • Full Outlook mailbox read and send access, including the ability to send email as the compromised account
  • Inbox rule creation to hide forwarding rules or auto-delete replies from specific domains
  • Multi-mailbox keyword monitoring across all compromised accounts simultaneously
  • OneDrive and SharePoint file download
  • Business relationship reconnaissance tools for mapping vendor relationships in follow-on wire fraud

Why this matters beyond the PhaaS platform

ARToken is not unique in using device code phishing. What makes it significant is that the exposed API endpoints gave Talos a detailed map of a mature BEC platform's operational architecture, which defenders now have too. Phishing-as-a-service has reached feature parity with dedicated cybercrime toolkits. The gap between a motivated threat actor and a capable BEC operation is now measured in subscription fees, not technical skill.

What defenders should do

Three concrete steps reduce the ARToken attack surface significantly:

  • Disable device code flow in Conditional Access unless it is explicitly required for a specific device class. Use the authentication flows condition to create a policy that blocks the device code flow for all users, excluding only a group that holds the accounts or devices with a documented need.
  • Alert on inbox rule creation by non-admin accounts, especially rules forwarding email outside the organization or deleting messages from specific senders.
  • Block the ROPC flow unless a documented legacy system requires it. ROPC (resource owner password credentials) is the password-only OAuth grant; it cannot complete an interactive MFA prompt, so wherever it is still permitted a stolen password alone yields tokens. Requiring MFA for all users in Conditional Access denies it, and turning off "Allow public client flows" on your own app registrations that do not need it removes both ROPC and device code for those apps (this does not affect Microsoft first-party apps, which is why the Conditional Access policy above is still needed).
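The three controls above double as detection logic. The following is an added example, not Talos, ARToken or Microsoft code: it flags device code and ROPC sign-ins, flags inbox rules that forward mail outside the organisation or delete messages, and joins the two per user, since a risky grant followed by a hiding rule is the post-compromise pattern the panel automates. The records are constructed to match the shape of Microsoft Graph signIn objects (the `authenticationProtocol` field) and Exchange Online unified audit log entries for `New-InboxRule` (cmdlet parameters as Name/Value pairs); every user, address, IP and timestamp is invented, and `INTERNAL_DOMAINS` is an assumption you would replace with your own domains.

```python
"""Detection sketch for the three controls above: flag device code and ROPC
sign-ins, flag inbox rules that forward externally or delete mail, and join the
two per user. Added example, not Talos, ARToken or Microsoft code. The records
below are constructed to match the shape of Microsoft Graph signIn objects
(authenticationProtocol field) and Exchange Online unified audit log entries
for New-InboxRule (Parameters as Name/Value pairs); every value is invented."""
from __future__ import annotations

INTERNAL_DOMAINS = {"victim.test"}            # assumption: the org's own domains
RISKY_PROTOCOLS = {"deviceCode", "ropc"}      # Graph authenticationProtocol values
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")

SIGN_INS = [  # constructed sign-in records
    {"userPrincipalName": "alice@victim.test", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.10",
     "createdDateTime": "2025-01-10T09:12:00Z"},
    {"userPrincipalName": "bob@victim.test", "authenticationProtocol": "oAuth2",
     "appDisplayName": "Outlook", "ipAddress": "198.51.100.7",
     "createdDateTime": "2025-01-10T09:15:00Z"},
    {"userPrincipalName": "carol@victim.test", "authenticationProtocol": "ropc",
     "appDisplayName": "LegacySync", "ipAddress": "203.0.113.44",
     "createdDateTime": "2025-01-10T09:20:00Z"},
]

AUDIT = [  # constructed New-InboxRule audit records
    {"Operation": "New-InboxRule", "UserId": "alice@victim.test",
     "CreationTime": "2025-01-10T09:30:00Z",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "archive@attacker.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@victim.test",
     "CreationTime": "2025-01-10T09:31:00Z",
     "Parameters": [{"Name": "Name", "Value": "Vendors"},
                    {"Name": "From", "Value": "billing@supplier.example"},
                    {"Name": "MoveToFolder", "Value": "Vendors"}]},
    {"Operation": "New-InboxRule", "UserId": "dave@victim.test",
     "CreationTime": "2025-01-10T09:40:00Z",
     "Parameters": [{"Name": "Name", "Value": "rule1"},
                    {"Name": "SubjectContainsWords", "Value": "invoice;wire"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
]


def _params(rec: dict) -> dict:
    return {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}


def _is_external(address: str) -> bool:
    # Audit values can look like 'Name [SMTP:user@dom]'; keep the last address part.
    domain = address.rstrip("]").rsplit("@", 1)[-1].lower()
    return domain not in INTERNAL_DOMAINS


def risky_sign_ins(records: list[dict]) -> list[dict]:
    """Sign-ins that used the device code or ROPC grant, whatever the app."""
    return [{"user": r["userPrincipalName"], "protocol": r["authenticationProtocol"],
             "app": r["appDisplayName"], "ip": r["ipAddress"], "time": r["createdDateTime"]}
            for r in records if r.get("authenticationProtocol") in RISKY_PROTOCOLS]


def suspicious_inbox_rules(records: list[dict]) -> list[dict]:
    """New-InboxRule events that forward outside the org or delete messages."""
    hits = []
    for r in records:
        if r.get("Operation") != "New-InboxRule":
            continue
        p = _params(r)
        reasons = [f"{n} external: {p[n]}" for n in FORWARD_PARAMS
                   if n in p and _is_external(p[n])]
        if p.get("DeleteMessage", "").lower() == "true":
            reasons.append("DeleteMessage")
        if reasons:
            hits.append({"user": r["UserId"], "rule": p.get("Name", ""),
                         "time": r["CreationTime"], "reasons": reasons})
    return hits


def correlate(sign_ins: list[dict], audit: list[dict]) -> list[dict]:
    """Join both signals per user. A risky grant followed by a hiding rule is the
    post-compromise pattern described above and rates higher than either alone."""
    by_user: dict[str, dict] = {}
    for s in risky_sign_ins(sign_ins):
        by_user.setdefault(s["user"], {"sign_ins": [], "rules": []})["sign_ins"].append(s)
    for h in suspicious_inbox_rules(audit):
        by_user.setdefault(h["user"], {"sign_ins": [], "rules": []})["rules"].append(h)
    return [{"user": u, "severity": "high" if d["sign_ins"] and d["rules"] else "medium",
             **d} for u, d in sorted(by_user.items())]


if __name__ == "__main__":
    for finding in correlate(SIGN_INS, AUDIT):
        print(finding["severity"], finding["user"], [r["reasons"] for r in finding["rules"]])
```

On the sample data, alice (device code sign-in, then a rule named "." that forwards externally and deletes) rates high, while carol (ROPC only) and dave (delete-only rule) rate medium; bob's vendor-folder rule is not flagged. In production the same logic would read from the Graph sign-in log and the Office 365 Management Activity API rather than the embedded lists.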

Gigia Tsiklauri is a Security Architect and founder of Infosec.ge. Get in touch if you want to discuss your Microsoft 365 authentication controls.