Your user awareness training is a fundamental contributor to your next security breach. You spend thousands of dollars teaching employees to identify suspicious links and verify URLs. You tell them to look for the padlock icon and trust official Microsoft login portals. When an ARToken or EvilTokens campaign hits your environment, your users follow those instructions perfectly. They click a link; they see a legitimate Microsoft domain; they enter their credentials; and they approve the Multi-Factor Authentication (MFA) request on their phones.
The authentication succeeds because it is genuine. Your users are not being “tricked” into giving away a password in the traditional sense. They are performing the exact architectural role Microsoft designed for them within the OAuth 2.0 Device Authorization Grant flow. They are simply authorizing the wrong session. This is the mechanical reality of modern Phishing-as-a-Service (PaaS). Traditional defenses fail because the attack traffic is indistinguishable from legitimate identity workflows.
The Architectural Vulnerability of the Device Authorization Grant
The OAuth 2.0 device authorization grant exists for a specific purpose. It allows devices with limited input capabilities, such as smart televisions, printers, or IoT hardware, to authenticate against a central identity provider. Because these devices cannot easily render a complex login page, they display a short, alphanumeric code. The user then navigates to a verification URL on a secondary device, like a smartphone or laptop, enters the code, and approves the login.
ARToken and EvilTokens weaponize this decoupling. The attacker functions as the “limited device” in this architectural model. When a victim clicks a phishing link, the attacker’s backend infrastructure initiates a POST request to the Microsoft device authorization endpoint. This triggers the generation of a code.
The attacker’s proxy server issues a request to /api/device/start/ containing a custom X-Antibot-Token header. This server communicates with Microsoft’s official infrastructure on-demand. This is a critical evolution from older kits. Historically, device codes expired after 15 minutes, which created a narrow window for success. ARToken utilizes dynamic code generation. The backend script only requests the device code from Microsoft the second your user interacts with the lure.
Sherrod DeGrippo, General Manager for Global Threat Intelligence at Microsoft, highlights the psychological trap here. She notes that the user is doing something that feels totally normal, and nothing about the process feels suspicious or like credential theft. The architecture itself is the exploit.
Engineering the Client-Side Evasion Array
Modern PaaS kits no longer rely on simple redirects. ARToken deploys a sophisticated seven-layer anti-analysis system directly within the victim’s browser. This system ensures that the malicious payload only executes when a real human is present. It evaluates the environment to block automated security scanners and sandboxes.
The kit performs a series of granular checks. It identifies headless browser artifacts by checking navigator.webdriver properties. It validates window dimensions; if the browser reports a 0x0 or 1×1 size, the kit assumes it is a headless scanner and terminates the session. Furthermore, the payload requires physical interaction telemetry. It remains dormant until the browser registers at least three organic mouse movements or a specific touch event.
If the environment passes these checks, a 16-byte XOR key decrypts the inner payload at runtime. This encrypted delivery model bypasses static analysis by traditional URL filters. Threat actors host these payloads on serverless platforms like Cloudflare Workers or Vercel. This allows the malicious traffic to blend in with legitimate enterprise cloud communications. By the time your security stack sees the traffic, the browser has already verified the “humanity” of the target and executed the decrypted logic.
To further reduce friction, the attacker’s code executes a clipboard hijack. Using the navigator.clipboard.writeText API, the script automatically pushes the device code to the user’s Windows clipboard. The user does not even have to type the code; they simply paste it into the legitimate Microsoft portal.
Primary Refresh Token Persistence and Broker Flows
Once the user completes the MFA-backed login, the attacker’s polling script captures a live Access Token. However, an Access Token is temporary. To ensure long-term access that survives password resets, the ARToken backend targets the Primary Refresh Token (PRT).
The kit utilizes a specific instruction: clientMode: "broker". This parameter commands the malicious infrastructure to use Microsoft’s Authentication Broker flow. This is the same flow used by Windows to maintain “remember me” sessions across applications. Attackers frequently register a new device within 10 minutes of the initial compromise to generate this PRT.
Jamie Levy, Senior Director of Adversary Tactics at Huntress, explains the speed of this escalation. She points out that this is normally something that would require a human social engineer to craft over several hours. With these kits, the timeline is compressed into minutes. The automation handles the heavy lifting of identity persistence.
After securing the PRT, the operators move to Business Email Compromise (BEC) automation. They programmatically create inbox rules and forwarding rules. They use a specific technique to hide their tracks; they name these rules using only special characters or non-printable strings. This prevents the rules from being easily noticed in the standard Outlook UI, effectively suppressing evidence of the breach while they exfiltrate sensitive data.
Designing Behavioral Detection in Elastic SIEM
You cannot stop this attack at the perimeter with blocklists. You must ingest Microsoft Entra ID Sign-in and Audit logs into your Elastic SIEM to hunt for the behavioral artifacts of the device code flow.
If your environment has strict outbound firewall rules, you should configure the Elastic Agent Event Hubs transport protocol to use AMQP-over-WebSockets. This protocol tunnels the essential AMQP traffic securely over standard HTTPS on Port 443. This ensures your logs reach the SIEM even through restrictive network segments.
1. Detecting the User Interrupt Timing Window
The most reliable indicator of a dynamic device code attack is errorCode 50199. This error suggests a user interrupt during the flow. You must correlate this with a successful sign-in from the same user within a short timeframe.
from azure.signinlogs
| where azure.signinlogs.error_code == 50199
| eval user = user.email
| join by user [
from azure.signinlogs
| where azure.signinlogs.status == "success"
]
| where duration.delta(first.time, second.time) <= 5m
2. Monitoring Post-Compromise Device Registration
Attackers register new devices to anchor their PRT. Query your Audit stream for rapid device additions following a successful login.
from azure.auditlogs
| where azure.auditlogs.operation_name == "Add device"
| keep time, user.email, target.device.id
3. Hunting for Obfuscated Evidence Suppression
Track Exchange Online for rules created with special characters, which is a hallmark of the ARToken BEC module.
from o365.audit
| where o365.audit.operation == "New-InboxRule"
| where o365.audit.parameters.Name rlike "^[^a-zA-Z0-9]+$"
| keep time, user.id, o365.audit.parameters.Name
Mapping the Threat Infrastructure
ARToken and EvilTokens operators do not host their infrastructure on known “bad” IP addresses. They use Platform-as-a-Service (PaaS) providers like Railway.com and serverless workers. This infrastructure architecture allows them to bypass domain reputation services and geographic IP blocking.
| Indicator | Type | Description |
|---|---|---|
| 162[.]220[.]232[.]0/24 | IP Range | Railway.com PaaS range hosting malicious sign-ins. |
| 162[.]220[.]234[.]0/24 | IP Range | Railway.com PaaS range hosting malicious sign-ins. |
| 89[.]150[.]45[.]0/24 | IP Range | HZ Hosting infrastructure used for C2 relay. |
| 185[.]81[.]113[.]0/24 | IP Range | HZ Hosting infrastructure used for C2 relay. |
| dashboard-bl[.]pamconj[.]com | Domain | ARToken React-based management dashboard. |
| spx[.]pamconj[.]com | Domain | ARToken command-and-control (C2) API. |
| *[.]workers[.]dev | Domain Pattern | Cloudflare Workers used for payload redirection. |
| /api/device/start/ | URL Path | Endpoint for dynamic device code generation. |
Hardening the Entra ID Authentication Perimeter
Your remediation strategy must move beyond simple password resets. Because the attacker’s goal is a Primary Refresh Token, you must treat every device code compromise as a full identity takeover. DeGrippo emphasizes that adding more standard alerts is not the solution. You need deep context on user behavior and consistency.
Step 1: Restrict Device Code Flow via Conditional Access
Disable the device code flow globally. If you have legacy devices that require it, create a highly scoped Conditional Access policy. Limit the flow to specific, trusted IP ranges and a dedicated service account group. Most enterprise users never need this flow for their daily tasks.
Step 2: Implement Phishing-Resistant MFA
Transition your high-risk users to FIDO2 hardware keys or Windows Hello for Business. These methods use public-key cryptography and are bound to the specific browser session and origin. Unlike the device code flow, FIDO2 credentials cannot be easily relayed by a proxy server because the hardware key validates the domain’s certificate before signing the challenge.
Step 3: Executing Comprehensive Session Revocation
When a compromise is confirmed, you must invalidate all sessions across the Microsoft Graph. A password reset does not invalidate a PRT immediately. Use the following workflow:
- Disable the Account: Immediately stop all active traffic.
- Revoke Sessions via Graph API: Use the Azure CLI to force a global sign-out.
az rest --method post --uri https://graph.microsoft.com/v1.0/users/{user-id}/revokeSignInSessions
- Purge Malicious Inbox Rules: Use Exchange PowerShell to identify and delete rules with special character names.
Get-InboxRule -Mailbox "user@example.com" | Where-Object { $_.Name -match '^[^a-zA-Z0-9]+$' } | Remove-InboxRule
Architectural Resilience Against Identity Proxying
The threat of ARToken lies in its ability to use your own infrastructure against you. It does not exploit a bug in the code; it exploits a logic flaw in how we trust “official” portals. By decoupling the authentication request from the device that ultimately receives the token, the device code flow creates a permanent blind spot for traditional security controls.
To defend against this, you must shift your focus from the “what” (the password) to the “how” (the flow). Audit your Entra ID logs for the 50199 error code religiously. Monitor for new device registrations that occur outside of your standard hardware procurement cycle. Most importantly, realize that if you allow the device code flow to remain active for your general user population, you are providing a paved road for Phishing-as-a-Service platforms to enter your environment. Secure the architecture, and the lures lose their power.
