Date: 07/02/2026
Severity: Medium
Summary
ARToken is a sophisticated Phishing-as-a-Service (PhaaS) platform closely linked to the EvilTokens ecosystem, providing affiliates with a comprehensive toolkit for Microsoft 365 account compromise. The platform supports device code phishing, Primary Refresh Token (PRT) persistence, Business Email Compromise (BEC), SharePoint data exfiltration, and email access through a web-based dashboard. It also employs advanced multi-layer anti-analysis techniques and encrypted payloads to evade detection and enhance phishing operations.
Indicators of Compromise (IOC) List
Type | Indicator
--- | ---
Domains/URLs | pamconj.com
Domains/URLs | dashboard-bl.pamconj.com
Domains/URLs | spx.pamconj.com
Domains/URLs | clear90489058903-document.workers.dev
Domains/URLs | 917bedb0-554e-a8b9-79f1-docviewer.clear90489058903-document.workers.dev
Domains/URLs | 321a1392-939d-3bf5-4040-docviewer.clear90489058903-document.workers.dev
Domains/URLs | 98c4c82e-2d81-0837-e3d6-docviewer.clear90489058903-document.workers.dev
Domains/URLs | 112838d8-9a75-2e90-d63b-docviewer.clear90489058903-document.workers.dev
Domains/URLs | aquaclaude-09494-9099403-docviewer.clear90489058903-document.workers.dev
Domains/URLs | e5469cec-124a-c84f-abaa-docviewer.clear90489058903-document.workers.dev
Domains/URLs | 50a201fd-dd2d-cf72-5fa6-onedrive.clear90489058903-document.workers.dev
Domains/URLs | reynoldsjace5.workers.dev
Domains/URLs | 50a201fd-dd2d-cf72-5fa6-adobe2.reynoldsjace5.workers.dev
IP Address | 172.67.214.35
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1:
domainname like "dashboard-bl.pamconj.com" or url like "dashboard-bl.pamconj.com" or siteurl like "dashboard-bl.pamconj.com" or
domainname like "spx.pamconj.com" or url like "spx.pamconj.com" or siteurl like "spx.pamconj.com" or
domainname like "pamconj.com" or url like "pamconj.com" or siteurl like "pamconj.com" or
domainname like "98c4c82e-2d81-0837-e3d6-docviewer.clear90489058903-document.workers.dev" or url like "98c4c82e-2d81-0837-e3d6-docviewer.clear90489058903-document.workers.dev" or siteurl like "98c4c82e-2d81-0837-e3d6-docviewer.clear90489058903-document.workers.dev" or
domainname like "112838d8-9a75-2e90-d63b-docviewer.clear90489058903-document.workers.dev" or url like "112838d8-9a75-2e90-d63b-docviewer.clear90489058903-document.workers.dev" or siteurl like "112838d8-9a75-2e90-d63b-docviewer.clear90489058903-document.workers.dev" or
domainname like "aquaclaude-09494-9099403-docviewer.clear90489058903-document.workers.dev" or url like "aquaclaude-09494-9099403-docviewer.clear90489058903-document.workers.dev" or siteurl like "aquaclaude-09494-9099403-docviewer.clear90489058903-document.workers.dev" or
domainname like "clear90489058903-document.workers.dev" or url like "clear90489058903-document.workers.dev" or siteurl like "clear90489058903-document.workers.dev" or
domainname like "321a1392-939d-3bf5-4040-docviewer.clear90489058903-document.workers.dev" or url like "321a1392-939d-3bf5-4040-docviewer.clear90489058903-document.workers.dev" or siteurl like "321a1392-939d-3bf5-4040-docviewer.clear90489058903-document.workers.dev" or
domainname like "e5469cec-124a-c84f-abaa-docviewer.clear90489058903-document.workers.dev" or url like "e5469cec-124a-c84f-abaa-docviewer.clear90489058903-document.workers.dev" or siteurl like "e5469cec-124a-c84f-abaa-docviewer.clear90489058903-document.workers.dev" or
domainname like "50a201fd-dd2d-cf72-5fa6-onedrive.clear90489058903-document.workers.dev" or url like "50a201fd-dd2d-cf72-5fa6-onedrive.clear90489058903-document.workers.dev" or siteurl like "50a201fd-dd2d-cf72-5fa6-onedrive.clear90489058903-document.workers.dev" or
domainname like "50a201fd-dd2d-cf72-5fa6-adobe2.reynoldsjace5.workers.dev" or url like "50a201fd-dd2d-cf72-5fa6-adobe2.reynoldsjace5.workers.dev" or siteurl like "50a201fd-dd2d-cf72-5fa6-adobe2.reynoldsjace5.workers.dev" or
domainname like "917bedb0-554e-a8b9-79f1-docviewer.clear90489058903-document.workers.dev" or url like "917bedb0-554e-a8b9-79f1-docviewer.clear90489058903-document.workers.dev" or siteurl like "917bedb0-554e-a8b9-79f1-docviewer.clear90489058903-document.workers.dev" or
domainname like "reynoldsjace5.workers.dev" or url like "reynoldsjace5.workers.dev" or siteurl like "reynoldsjace5.workers.dev"

Detection Query 2:
dstipaddress IN ("172.67.214.35") or srcipaddress IN ("172.67.214.35")
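For teams without the Gurucul TDIR queries above, the same indicators can be checked against ordinary web-proxy logs. The script below is an added example written for this advisory; it is not Gurucul's or Talos's code, and the key=value log format, the `src`/`dst`/`url` field names and every sample line are constructed. It differs from the `like` queries in two deliberate ways: a hostname is matched only when it equals a listed domain or sits beneath one (so a new subdomain of `reynoldsjace5.workers.dev` is caught, while an unrelated name that merely contains `pamconj.com` as a substring is not), and a hit on 172.67.214.35 alone is reported as a separate, weaker `ip` finding, because that address lies in Cloudflare's shared range and fronts many unrelated sites.

```python
"""Check web-proxy logs for the ARToken indicators listed in the advisory.

Added example for this advisory; not Gurucul's or Talos's code. The log
format, the src/dst/url field names and the sample lines are constructed.
"""
from urllib.parse import urlsplit

# Domains taken from the advisory's IOC table.
IOC_DOMAINS = {
    "pamconj.com",
    "dashboard-bl.pamconj.com",
    "spx.pamconj.com",
    "clear90489058903-document.workers.dev",
    "917bedb0-554e-a8b9-79f1-docviewer.clear90489058903-document.workers.dev",
    "321a1392-939d-3bf5-4040-docviewer.clear90489058903-document.workers.dev",
    "98c4c82e-2d81-0837-e3d6-docviewer.clear90489058903-document.workers.dev",
    "112838d8-9a75-2e90-d63b-docviewer.clear90489058903-document.workers.dev",
    "aquaclaude-09494-9099403-docviewer.clear90489058903-document.workers.dev",
    "e5469cec-124a-c84f-abaa-docviewer.clear90489058903-document.workers.dev",
    "50a201fd-dd2d-cf72-5fa6-onedrive.clear90489058903-document.workers.dev",
    "reynoldsjace5.workers.dev",
    "50a201fd-dd2d-cf72-5fa6-adobe2.reynoldsjace5.workers.dev",
}
# IP address taken from the advisory's IOC table (shared CDN space, weak signal).
IOC_IPS = {"172.67.214.35"}

# Constructed sample lines: "<timestamp> src=<ip> dst=<ip> url=<url>".
# Destination IPs other than the IOC use documentation ranges (RFC 5737).
SAMPLE_LOG = [
    "2026-02-07T10:15:22Z src=10.0.0.5 dst=172.67.214.35 url=https://spx.pamconj.com/login",
    "2026-02-07T10:16:01Z src=10.0.0.9 dst=203.0.113.10 url=https://98c4c82e-2d81-0837-e3d6-docviewer.clear90489058903-document.workers.dev/view",
    "2026-02-07T10:17:45Z src=10.0.0.5 dst=203.0.113.20 url=https://adobe3.reynoldsjace5.workers.dev/open",
    "2026-02-07T10:18:03Z src=10.0.0.12 dst=172.67.214.35 url=https://example.com/",
    "2026-02-07T10:19:30Z src=10.0.0.7 dst=203.0.113.30 url=https://notpamconj.com/",
    "2026-02-07T10:20:12Z src=10.0.0.7 dst=203.0.113.40 url=https://www.microsoft.com/",
]


def host_of(value):
    """Return the lowercase hostname of a URL or bare host, without port."""
    if "://" not in value:
        value = "//" + value  # let urlsplit treat a bare host as a netloc
    host = urlsplit(value).hostname or ""
    return host.rstrip(".")


def domain_hit(host):
    """Return the most specific listed domain that host equals or is under.

    Walks the labels right-to-left so "a.b.pamconj.com" matches "pamconj.com"
    while "notpamconj.com" does not (unlike a substring `like`).
    """
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


def scan(lines):
    """Return one finding per log line that touches a listed indicator."""
    findings = []
    for line in lines:
        tokens = line.split()
        ts = tokens[0]
        fields = dict(tok.split("=", 1) for tok in tokens[1:] if "=" in tok)
        host = host_of(fields.get("url", ""))
        dom = domain_hit(host)
        if dom:
            findings.append({"ts": ts, "src": fields.get("src"), "host": host,
                             "kind": "domain", "indicator": dom})
            continue
        dst = fields.get("dst")
        if dst in IOC_IPS:
            # Hostname did not match; report the shared-IP hit separately so
            # analysts can triage it with lower priority.
            findings.append({"ts": ts, "src": fields.get("src"), "host": host,
                             "kind": "ip", "indicator": dst})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} {f['kind']:6} {f['indicator']} (host={f['host']})")
```

Running it on the constructed sample yields three `domain` findings and one `ip` finding; the `notpamconj.com` and `www.microsoft.com` lines produce nothing. Point `scan()` at real proxy exports by adapting only the field parsing in `scan()`.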
Reference:
https://blog.talosintelligence.com/artoken-inside-an-eviltokens-affiliate-panel-targeting-microsoft-365/