Вход на сайт

Просмотр новости

Найдите то, что Вас интересует

This phishing kit looks more like BEC-as-a-service

Дата публикации: 01-07-2026 10:00:00

Cisco Talos’ research on ARToken builds on what’s known about the related EvilTokens phishing-as-a-service.
The post This phishing kit looks more like BEC-as-a-service appeared first on CyberScoop.


Основное содержимое страницы с новостью.

Toolkits to wage phishing campaigns are a now-venerable instrument for cybercriminals, but researchers recently turned up details on something like a full-fledged “business email compromise-as-a-service” platform.

Cisco Talos said Wednesday that it had found an operator panel dubbed ARToken, which shares infrastructure and other things in common with, and as an affiliate to, the EvilTokens phishing-as-a-service operation built to bypass multi-factor authentication and compromise Microsoft 365 accounts. EvilTokens has reportedly seen a dramatic increase in its phishing attacks — by 1,380% early this year compared to the same period last year — with an assist from artificial intelligence integration.

ARToken is notable, though, for the capabilities that go beyond what’s been made public about EvilTokens so far by companies like Sekoia and Microsoft itself, such as inbox rule manipulation and shared access links.

“These features indicate the platform is more mature than a simple device code phishing kit — it is a complete BEC operations environment,” wrote Michael Kelley, security research engineer at Cisco Talos, in a blog post, referring to business email compromise scams that involve sending fake emails to solicit fraudulent payments.

Kelley told CyberScoop that “we’ve seen some offerings that touch on this capability, but this definitely seems more fleshed out and polished than previous instances.”

ARToken is also notable for its evasive capabilities, with a seven-layer anti-analysis system, the post states.

The research provides further details on what ARToken’s actual phishing lures look like in practice. They are targeted, rather than scattershot and opportunistic, as one lure the firm examined shows.

“The messages spoof an accounts-payable contact at a legitimate Wisconsin contractor, addressed to an accounts-payable recipient at a U.S. life sciences company — abusing a real vendor relationship rather than inventing a sender,” Kelley wrote. “The lure theme is an outstanding-invoice inquiry (‘the following invoices appear to still be outstanding… advise when this will be processed’), the kind of message accounts-payable staff are conditioned to act on.”

Kelley told CyberScoop that Cisco Talos doesn’t yet have a full sense of the breadth of the activity, nor who is making use of the capability.

“We’ve seen the public sector targeted but it’s unlikely to be the only one,” he said.

Схожие новости

#Наименование новостиТональностьИнформативностьДата публикации
1Researchers spot exploitation of another critical Oracle defect0501-07-2026
2Citrix patches a new NetScaler flaw with echoes of CitrixBleed0530-06-2026
3Malicious AI Coding Plugins Hit JetBrains Marketplace, Stealing API Keys From Developers-2817-06-2026
4Sysdig clocks first documented case of agentic ransomware0706-07-2026
5Someone infected a spyware probe overseer with spyware-2703-07-2026
6Spain arrests suspected hacker linked to Russian hacktivist campaign0507-07-2026
7Suspected Chinese espionage group used a Roundcube exploit chain to burrow into universities0707-07-2026
8Aufbau einer stärkeren ersten Verteidigungslinie gegen Koantoübernahmen0509-06-2026
9Стыд и скам: пользователям предлагают проверить наличие долгов и списывают деньги-5623-06-2026
10DragonForce Ransomware Is Hiding in Microsoft Teams Traffic0717-06-2026

Классификация: Пресс-релизы. Схожих патентов: 0. Схожих новостей: 10. Тональность: 0. Информативность: 5. Источник: www.cyberscoop.com.