Threat Intelligence | Jul 1, 2026

This phishing kit looks more like BEC-as-a-service

New ARToken phishing kit offers BEC-as-a-service capabilities, bypassing MFA.

Summary

Cisco Talos has identified ARToken, a sophisticated phishing-as-a-service platform that functions as a complete business email compromise (BEC) operations environment. This platform, an affiliate of EvilTokens, enhances BEC scams by bypassing multi-factor authentication for Microsoft 365 accounts and includes advanced features like inbox rule manipulation and shared access links. Its evasive capabilities and targeted lures suggest a mature and polished offering for cybercriminals.

Full text

Toolkits to wage phishing campaigns are a now-venerable instrument for cybercriminals, but researchers recently turned up details on something like a full-fledged “business email compromise-as-a-service” platform.

Cisco Talos said Wednesday that it had found an operator panel dubbed ARToken, which shares infrastructure and other traits with, and operates as an affiliate of, the EvilTokens phishing-as-a-service operation built to bypass multi-factor authentication and compromise Microsoft 365 accounts. EvilTokens has reportedly seen a dramatic increase in its phishing attacks — by 1,380% early this year compared to the same period last year — with an assist from artificial intelligence integration.

ARToken is notable, though, for capabilities that go beyond what has been made public about EvilTokens so far by companies like Sekoia and Microsoft itself, such as inbox rule manipulation and shared access links.

“These features indicate the platform is more mature than a simple device code phishing kit — it is a complete BEC operations environment,” wrote Michael Kelley, security research engineer at Cisco Talos, in a blog post, referring to business email compromise scams that involve sending fake emails to solicit fraudulent payments.

Kelley told CyberScoop that “we’ve seen some offerings that touch on this capability, but this definitely seems more fleshed out and polished than previous instances.”

ARToken is also notable for its evasive capabilities, with a seven-layer anti-analysis system, the post states.

The research provides further details on what ARToken’s actual phishing lures look like in practice. They are targeted, rather than scattershot and opportunistic, as one lure the firm examined shows.

“The messages spoof an accounts-payable contact at a legitimate Wisconsin contractor, addressed to an accounts-payable recipient at a U.S. life sciences company — abusing a real vendor relationship rather than inventing a sender,” Kelley wrote. “The lure theme is an outstanding-invoice inquiry (‘the following invoices appear to still be outstanding… advise when this will be processed’), the kind of message accounts-payable staff are conditioned to act on.”

Kelley told CyberScoop that Cisco Talos doesn’t yet have a full sense of the breadth of the activity, nor who is making use of the capability. “We’ve seen the public sector targeted but it’s unlikely to be the only one,” he said.

Entities

Microsoft 365 (product)
multi-factor authentication (technology)
ARToken (product)
EvilTokens (product)
Cisco Talos (vendor)