Back to Intelligence

ARToken PhaaS & EvilTokens M365 Toolkit: Detection and Defense Strategies

SA
Security Arsenal Team
July 5, 2026
6 min read

Introduction

Security researchers have exposed a new Social Engineering-as-a-Service (PhaaS) platform known as "ARToken," which operates as an affiliate of the notorious "EvilTokens" ecosystem. This discovery provides critical intelligence into a mature, service-oriented attack infrastructure specifically designed to compromise Microsoft 365 environments.

The ARToken platform lowers the barrier to entry for cybercriminals, providing pre-packaged toolkits that facilitate high-volume, sophisticated phishing campaigns. For defenders, this represents an escalation in threat velocity. The availability of these "EvilTokens" means that organizations can expect to see more authenticated attacks using stolen session tokens—bypassing traditional multi-factor authentication (MFA) controls. Immediate action is required to bolster email security and harden identity providers against adversary-in-the-middle (AiTM) techniques.

Technical Analysis

Affected Products & Platforms:

  • Microsoft 365 (Exchange Online / Entra ID): The primary target for credential harvesting and session token theft.
  • Web Browsers: Used as the vector for delivering the phishing kits and capturing user input.

Threat Mechanics: The EvilTokens toolkit, distributed via ARToken, relies on the Adversary-in-the-Middle (AiTM) technique. Unlike traditional phishing forms that capture static usernames and passwords, these toolkits act as a reverse proxy server positioned between the target user and the legitimate Microsoft 365 login service.

  1. The Hook: The target receives a phishing email (often utilizing AI-generated context) containing a link to the compromised proxy server.
  2. The Proxy: The user enters credentials into a fake login page that looks identical to Microsoft 365. The proxy forwards these credentials to the real Microsoft service in real-time.
  3. The Bypass: If the user is prompted for MFA (e.g., a code or push notification), they complete it. The proxy forwards this response to Microsoft, authenticating the session.
  4. The Hijack: Upon successful authentication, Microsoft issues a session token (usually a PRT or Access Token). The proxy intercepts this token before passing the user to their actual inbox. The attacker now possesses a valid, authenticated session cookie, granting them access to the M365 tenant without needing the user's password or a second MFA factor.

Exploitation Status: This threat is Active and Exploited. The exposure of ARToken confirms that a "PhaaS-as-a-Service" model is currently operational, allowing affiliates with low technical skill to deploy these kits against targets globally.

Detection & Response

Due to the nature of AiTM attacks, traditional detection relying on failed MFA attempts is ineffective. We must detect the preparatory behaviors on the endpoint (the phishing engagement) and the anomalies in the authentication stream.

Sigma Rules

YAML
---
title: Potential HTML Smuggling Phishing Attachment
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects potential HTML smuggling often used in PhaaS kits like EvilTokens to deliver malicious portals or scripts.
references:
  - https://attack.mitre.org/techniques/T1566.001/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.initial_access
  - attack.t1566.001
logsource:
  category: file_event
  product: windows
detection:
  selection:
    TargetFilename|contains:
      - '\Downloads\'
      - '\AppData\Local\Temp\'
    TargetFilename|endswith:
      - '.html'
      - '.htm'
  condition: selection
falsepositives:
  - Legitimate HTML file downloads
level: medium
---
title: Suspicious PowerShell DownloadString (PhaaS Payload)
id: 2b3c4d5e-6f7a-8b9c-0d1e-2f3a4b5c6d7e
status: experimental
description: Detects PowerShell commands often used by phishing toolkits to download second-stage payloads or fetch configuration.
references:
  - https://attack.mitre.org/techniques/T1059.001/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
  selection_cli:
    CommandLine|contains:
      - 'DownloadString'
      - 'IEX'
      - 'Invoke-Expression'
  selection_filter:
    CommandLine|contains:
      - 'Update-Help'
      - 'NuGet'
  condition: selection_img and selection_cli and not selection_filter
falsepositives:
  - Administrative scripts
level: high

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for AiTM characteristics in M365 Sign-in Logs
// Looks for successful logins where MFA was satisfied, but context anomalies exist (e.g., suspicious IP, unfamiliar location)
SigninLogs
| where ResultType == 0
| where ConditionalAccessStatus == "success" 
| extend MFA = parse_(AuthenticationDetails)
| mvexpand MFA
| where MFA.authenticationStep == "MFA"
| where MFA.authenticationMethod != "Password"
| project Timestamp, UserPrincipalName, AppDisplayName, IPAddress, Location, DeviceDetail, RiskDetail, RiskLevelDuringSignIn
| where RiskLevelDuringSignIn in ("medium", "high", "none") 
| summarize count() by IPAddress, UserPrincipalName, bin(Timestamp, 1h)
| where count_ > 5

Velociraptor VQL

VQL — Velociraptor
-- Hunt for suspicious processes spawned from browsers common in phishing kit interactions
-- e.g., MSHTA opening HTML files or PowerShell launching from browser temp folders
SELECT Pid, Name, CommandLine, Exe, ParentPid
FROM pslist()
WHERE ParentPid IN (
    SELECT Pid 
    FROM pslist() 
    WHERE Name =~ "chrome.exe" 
       OR Name =~ "msedge.exe" 
       OR Name =~ "firefox.exe"
)
AND (Name =~ "mshta.exe" 
     OR Name =~ "powershell.exe" 
     OR Name =~ "cmd.exe")

Remediation Script (PowerShell)

PowerShell
# Microsoft 365 Hardening Script against PhaaS / AiTM
# Requires ExchangeOnlineManagement and Microsoft.Graph modules

Write-Host "[+] Initiating M365 PhaaS Hardening Procedures..." -ForegroundColor Cyan

# 1. Disable Legacy Authentication (SMTP, POP, IMAP) - Primary vector for compromised credentials
Write-Host "[*] Disabling Legacy Authentication Protocols..."
# Note: In real environment, use Set-CASMailbox or Organization-level policies via Exchange Online PowerShell
# Example: Get-CASMailbox -ResultSize Unlimited | Set-CASMailbox -PopEnabled $false -ImapEnabled $false -SmtpClientAuthenticationDisabled $true

# 2. Report on Conditional Access Policies (Audit)
Write-Host "[*] Auditing Conditional Access Policies for M365 Enforce..."
# Logic: Ensure a policy exists requiring 'MFA' AND 'Compliant Device' or 'Hybrid Azure AD Joined' for high-risk apps
# This blocks AiTM tokens from unmanaged devices.

# 3. Enable Security Defaults (If not using Conditional Access)
# Write-Host "[*] Checking Security Defaults Status..."
# (Connect to MS Graph) Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/v1.0/policies/identitySecurityDefaultsEnforcementPolicy"

Write-Host "[!] Manual Action Required: Review the output above."
Write-Host "[!] Recommendation: Implement 'Phishing-Resistant MFA' (FIDO2) for all admin accounts."
Write-Host "[+] Script complete."

Remediation

Defending against PhaaS platforms like ARToken and the EvilTokens toolkit requires a shift from credential defense to session protection.

1. Implement Phishing-Resistant MFA Passwordless methods such as FIDO2 keys or certificate-based authentication (CBA) are resilient to AiTM attacks because the cryptographic proof is bound to the legitimate service URL and cannot be proxied.

2. Enforce Conditional Access (CA) Policies Configure CA policies to require:

  • Compliant or Hybrid Azure AD Joined devices: This prevents attackers using stolen tokens on their own unauthorized infrastructure.
  • Named Locations: Restrict access to trusted IP ranges where possible.
  • Session Controls: Use Microsoft Cloud App Security (MCAS) or Defender for Cloud Apps to enforce real-time session monitoring and controls.

3. Disable Legacy Authentication Protocols Ensure Basic Auth is disabled for Exchange Online. Legacy protocols do not support Modern Auth (MFA), making them easy targets for brute-force and credential stuffing.

4. User Education & Reporting Train users to recognize the subtle signs of AiTM phishing (e.g., URL discrepancies despite the padlock icon) and encourage immediate reporting of suspicious emails via the "Report" button in Outlook.

5. Vendor References:

Related Resources

Security Arsenal Healthcare Cybersecurity AlertMonitor Platform Book a SOC Assessment healthcare Intel Hub

healthcare-cybersecurityhipaa-compliancehealthcare-ransomwareehr-securitymedical-data-breachphaasmicrosoft-365social-engineeringeviltokensadversary-in-the-middle

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.