Cisco Talos has published research on a novel phishing platform called ARToken, which the firm describes as effectively a BEC-as-a-service offering. The kit builds on prior understanding of the related EvilTokens phishing-as-a-service operation, according to analysts.
ARToken enables attackers to conduct business email compromise (BEC) campaigns at scale, providing tools for credential harvesting and session hijacking. Cisco Talos's research shows the platform is engineered to compromise enterprise email accounts, potentially granting persistent access to corporate communications and data.
The attack vector typically involves sending targeted phishing emails that use token-based authentication mechanisms. Once a victim interacts, ARToken captures session tokens and credentials, allowing the attacker to bypass multi-factor authentication and move laterally within the targeted organization.
Mitigation strategies should focus on employee training to spot sophisticated phishing lures, along with enforcement of conditional access policies and device-based controls. Cisco Talos recommends enabling strict token protection measures and monitoring for unusual sign-in patterns as interim workarounds.
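One way to monitor for the unusual sign-in pattern that session-token theft produces is to flag a session that is later presented from a device or network other than the one that first used it. The following is an added example, not code from Cisco Talos or from the kit; the event field names, the sample records and the /24 grouping are assumptions chosen for illustration.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample sign-in events; the field names are hypothetical, not a real log schema.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "user": "alice@example.com", "session": "s-1001",
     "ip": "198.51.100.10", "device": "dev-A"},
    {"ts": "2024-05-01T09:20:00", "user": "alice@example.com", "session": "s-1001",
     "ip": "198.51.100.44", "device": "dev-A"},   # same device, same /24: benign roaming
    {"ts": "2024-05-01T09:25:00", "user": "alice@example.com", "session": "s-1001",
     "ip": "203.0.113.7", "device": "dev-X"},     # same session, new device and network
    {"ts": "2024-05-01T10:00:00", "user": "bob@example.com", "session": "s-2002",
     "ip": "192.0.2.5", "device": "dev-B"},
    {"ts": "2024-05-01T11:00:00", "user": "bob@example.com", "session": "s-2002",
     "ip": "192.0.2.5", "device": "dev-B"},
]

def find_session_reuse(events, prefix=24):
    """Alert when a session shows up from a device or network that differs
    from the one that first presented it (the baseline)."""
    baseline = {}   # session id -> (device id, network of the first-seen IP)
    alerts = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        ip = ip_address(ev["ip"])
        first = baseline.get(ev["session"])
        if first is None:
            # First sighting of this session: record it as the baseline.
            net = ip_network(f"{ip}/{prefix}", strict=False)
            baseline[ev["session"]] = (ev["device"], net)
            continue
        device, net = first
        reasons = []
        if ev["device"] != device:
            reasons.append("new_device")
        if ip not in net:
            reasons.append("new_network")
        if reasons:
            alerts.append({"ts": ev["ts"], "user": ev["user"], "session": ev["session"],
                           "ip": ev["ip"], "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in find_session_reuse(EVENTS):
        print(alert)
```

The baseline is only as trustworthy as the first sighting, so this check complements token protection and conditional access rather than replacing them.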
Attribution for ARToken remains unclear, though its structural similarity to EvilTokens suggests a threat actor ecosystem operating in the BEC-as-a-service market. The broader BEC landscape continues to evolve with commoditized tools lowering the barrier for non-technical criminals, increasing risk for sectors from finance to healthcare.