Cisco Talos’ research on ARToken builds on what’s known about the related EvilTokens phishing-as-a-service.
The post This phishing kit looks more like BEC-as-a-service appeared first on CyberScoop.
Toolkits to wage phishing campaigns are a now-venerable instrument for cybercriminals, but researchers recently turned up details on something like a full-fledged “business email compromise-as-a-service” platform.
Cisco Talos said Wednesday that it had found an operator panel dubbed ARToken, which shares infrastructure and other things in common with, and as an affiliate to, the EvilTokens phishing-as-a-service operation built to bypass multi-factor authentication and compromise Microsoft 365 accounts. EvilTokens has reportedly seen a dramatic increase in its phishing attacks — by 1,380% early this year compared to the same period last year — with an assist from artificial intelligence integration.
ARToken is notable, though, for the capabilities that go beyond what’s been made public about EvilTokens so far by companies like Sekoia and Microsoft itself, such as inbox rule manipulation and shared access links.
“These features indicate the platform is more mature than a simple device code phishing kit — it is a complete BEC operations environment,” wrote Michael Kelley, security research engineer at Cisco Talos, in a blog post, referring to business email compromise scams that involve sending fake emails to solicit fraudulent payments.
Kelley told CyberScoop that “we’ve seen some offerings that touch on this capability, but this definitely seems more fleshed out and polished than previous instances.”
ARToken is also notable for its evasive capabilities, with a seven-layer anti-analysis system, the post states.
The research provides further details on what ARToken’s actual phishing lures look like in practice. They are targeted, rather than scattershot and opportunistic, as one lure the firm examined shows.
“The messages spoof an accounts-payable contact at a legitimate Wisconsin contractor, addressed to an accounts-payable recipient at a U.S. life sciences company — abusing a real vendor relationship rather than inventing a sender,” Kelley wrote. “The lure theme is an outstanding-invoice inquiry (‘the following invoices appear to still be outstanding… advise when this will be processed’), the kind of message accounts-payable staff are conditioned to act on.”
Kelley told CyberScoop that Cisco Talos doesn’t yet have a full sense of the breadth of the activity, nor who is making use of the capability.
“We’ve seen the public sector targeted but it’s unlikely to be the only one,” he said.
| # | Наименование новости | Тональность | Информативность | Дата публикации |
|---|---|---|---|---|
| 1 | Researchers spot exploitation of another critical Oracle defect | 0 | 5 | 01-07-2026 |
| 2 | Citrix patches a new NetScaler flaw with echoes of CitrixBleed | 0 | 5 | 30-06-2026 |
| 3 | Malicious AI Coding Plugins Hit JetBrains Marketplace, Stealing API Keys From Developers | -2 | 8 | 17-06-2026 |
| 4 | Sysdig clocks first documented case of agentic ransomware | 0 | 7 | 06-07-2026 |
| 5 | Someone infected a spyware probe overseer with spyware | -2 | 7 | 03-07-2026 |
| 6 | Spain arrests suspected hacker linked to Russian hacktivist campaign | 0 | 5 | 07-07-2026 |
| 7 | Suspected Chinese espionage group used a Roundcube exploit chain to burrow into universities | 0 | 7 | 07-07-2026 |
| 8 | Aufbau einer stärkeren ersten Verteidigungslinie gegen Koantoübernahmen | 0 | 5 | 09-06-2026 |
| 9 | Стыд и скам: пользователям предлагают проверить наличие долгов и списывают деньги | -5 | 6 | 23-06-2026 |
| 10 | DragonForce Ransomware Is Hiding in Microsoft Teams Traffic | 0 | 7 | 17-06-2026 |