Researchers examining an affiliate platform tied to the EvilTokens phishing service found capabilities that go beyond simple credential theft, pointing toward a fully built business email compromise operation sold as a subscription product.

 

What happened

Researchers have identified an operator panel called ARToken that shares infrastructure with EvilTokens, the phishing-as-a-service platform that drove a 1,380% surge in device code phishing attacks in early 2026. According to CyberScoop, researchers found ARToken includes capabilities not previously documented in public research on EvilTokens, including the ability to manipulate a victim's inbox rules after account access is gained and to generate shared access links, both features associated with sustained business email compromise (BEC) fraud, where attackers use a hijacked account to send fake payment requests, rather than a one-time credential theft. Researchers described the platform as "more mature than a simple device code phishing kit" and closer to "a complete BEC operations environment." The platform also uses a seven-layer anti-analysis system, meaning it applies multiple stacked techniques designed to detect and avoid automated security tools attempting to study how the kit works.

 

Going deeper

Researchers examined a specific lure used by ARToken that shows how targeted the campaign is compared to mass phishing operations. The message impersonated an accounts-payable contact at a real Wisconsin-based contractor and was sent to an accounts-payable recipient at a US life sciences company, exploiting an actual existing vendor relationship between the two organizations rather than inventing a fake sender identity from scratch. The email used an outstanding-invoice inquiry as its theme, the exact type of message accounts-payable staff are trained to respond to quickly as part of their normal job. Researchers noted they do not yet have a complete picture of how widely ARToken has been deployed or which specific criminal groups are using it, indicating the platform's discovery is still in an early stage.

 

What was said

Researchers stated in their analysis that ARToken's inbox rule manipulation and shared access link features "indicate the platform is more mature than a simple device code phishing kit, it is a complete BEC operations environment." Researchers added that while some prior phishing kits have touched on similar capabilities, ARToken "definitely seems more fleshed out and polished than previous instances."

 

In the know

ARToken's connection to EvilTokens ties this discovery directly to a rapidly growing category of Microsoft 365 attacks documented throughout early and mid-2026. EvilTokens itself launched on Telegram in mid-February 2026 and within five weeks had compromised more than 340 Microsoft 365 organizations across five countries, offering subscription tiers priced between $600 and $1,500. The FBI issued a separate public warning in May 2026 about a related platform, Kali365, confirming that device code phishing has moved from an emerging technique into a commercialized product category with multiple competing vendors selling similar capabilities.

 

The big picture

The inbox rule manipulation capability documented in ARToken is what turns a single credential theft event into an ongoing fraud operation. Once an attacker gains access to a Microsoft 365 mailbox, an inbox rule can be configured to automatically hide or redirect any incoming reply related to a fraudulent payment request, keeping the real account holder from noticing that a vendor or colleague is responding to messages the account holder never sent. For a healthcare organization's accounts payable or billing department, an attacker with this level of control inside a compromised mailbox can run a sustained fraud campaign against real vendor relationships for weeks before detection, redirecting genuine invoice payments to attacker-controlled accounts. According to Paubox's 2026 Healthcare Email Security Report, 53% of breached healthcare organizations in 2025 used Microsoft 365, and business email compromise carried a higher median financial cost per incident than ransomware in healthcare, according to Verizon's 2026 Breach Impact Study, making the specific capabilities in this platform directly relevant to the sector's highest-cost breach category.

 

FAQs

What is business email compromise, and how does it differ from standard phishing?

Business email compromise refers to fraud carried out using a legitimate, compromised email account, most commonly to trick a vendor, colleague, or finance team into redirecting a real payment to an account controlled by the attacker. Unlike standard phishing, which typically tries to steal credentials in a single interaction, BEC exploits an already-compromised account to conduct ongoing fraudulent communication that looks completely legitimate to anyone receiving it.

 

Why does inbox rule manipulation make an attack more dangerous than credential theft alone?

An inbox rule can automatically move, hide, or delete specific incoming emails without the account owner noticing. An attacker who sets a rule to intercept replies related to a fraudulent invoice can continue a scam undetected by the real account holder for an extended period, since the account owner never sees the suspicious activity happening in their own mailbox.

 

What does it mean that ARToken uses a seven-layer anti-analysis system?

Anti-analysis techniques are designed to detect when a security researcher or automated tool, rather than a real victim, is interacting with a phishing page or platform, and to hide malicious behavior or redirect to a harmless page when detection is suspected. Stacking seven separate layers of these techniques makes it much harder for defenders to study exactly how the platform operates and to build reliable detection signatures against it.

 

Why does targeting a real existing vendor relationship make a phishing lure more effective?

An email referencing a genuine business relationship, using real company names and a plausible ongoing transaction, bypasses much of the skepticism that generic phishing lures trigger. Accounts-payable staff who regularly correspond with a known vendor about invoices are conditioned to respond to exactly this type of message without applying the scrutiny they might give an unfamiliar sender.

 

What should healthcare finance and billing teams do to reduce exposure to this type of attack?

Any request to change payment details or banking information for an existing vendor should be verified through a separate communication channel, such as a phone call to a previously known contact number, rather than by replying to the email itself. Organizations should also periodically audit inbox rules across finance and billing team accounts for unexpected forwarding or deletion rules, since a hidden rule is often the only evidence a compromised account has been weaponized for BEC.