A sophisticated Microsoft 365 phishing operation has surfaced that should concern every small and medium business relying on Microsoft's productivity suite. Security researchers recently exposed ARToken, a phishing-as-a-service platform linked to a group called EvilTokens, which has been selling ready-made tools that allow low-skilled attackers to steal employee login credentials and bypass multi-factor authentication. If your team uses Microsoft 365 for email, Teams, or SharePoint, this is directly relevant to you.
What Phishing-as-a-Service Actually Means for Your Business
Phishing-as-a-service, or PhaaS, is essentially a criminal subscription model. Instead of building their own attack infrastructure, cybercriminals can rent or purchase a fully functional toolkit — complete with convincing fake login pages, automated credential harvesting, and technical support from the developers. ARToken is one such platform, and it is specifically engineered to impersonate Microsoft 365 sign-in pages with alarming accuracy.
What makes this particularly dangerous is the adversary-in-the-middle technique these kits employ. Rather than simply tricking someone into typing their password into a fake page, the toolkit relays the login attempt through to the real Microsoft server in real time. This means it can capture not just the password, but also the authentication token that Microsoft issues after a successful MFA verification. In plain terms: even if your staff have multi-factor authentication switched on, this attack can still get in.
The barrier to entry for attackers has dropped dramatically. Someone with no technical background can now launch a convincing campaign against your business for a modest fee. That shift in the threat landscape is something every business owner needs to understand.
How Attackers Get Credentials Into the Wild
Once stolen, credentials do not simply sit on a criminal's laptop. They move quickly. Harvested usernames, passwords, and session tokens are packaged and sold on dark web marketplaces, shared in private Telegram channels, or bundled into infostealer logs that circulate across criminal forums. A set of Microsoft 365 credentials belonging to a company accountant or an HR manager can sell for anywhere from a few dollars to considerably more, depending on the perceived value of the target organisation.
This is where the risk compounds. A credential stolen through a phishing kit today might not be used against your business immediately. It could sit in a data dump for weeks or months before a separate attacker purchases it and uses it to access your email, your SharePoint files, or your financial systems. By the time you notice something is wrong, the damage is often already done.
The Warning Signs That Often Go Unnoticed
Most small businesses discover a compromise only after something visible goes wrong — a supplier contacts them about a suspicious invoice, a client flags an unusual email, or a staff member cannot log in to their own account. By that point, attackers have typically had access for days or longer.
The subtler indicators are rarely caught without active monitoring. These include your company's email domain appearing in phishing infrastructure registered by third parties, employee email addresses showing up in infostealer dumps circulating on criminal forums, or corporate credentials appearing in dark web marketplaces before any attack has even been launched against you. Breachrr monitors all of these signals continuously — scanning breach databases, infostealer logs, dark web markets, public code repositories, and domain infrastructure — so that exposure is identified before it becomes an incident.
It is also worth reviewing whether your Microsoft 365 environment has conditional access policies in place, whether session token lifetimes are appropriately limited, and whether staff have received recent, specific training on recognising fake login pages. These are not one-time tasks. The threat evolves, and your defences need to keep pace.
Protecting Your Microsoft 365 Environment Against Phishing Kits
The ARToken case is a reminder that technical controls alone are not enough. MFA is still worth having — it raises the cost and complexity of an attack — but it is no longer a complete answer when adversary-in-the-middle Microsoft 365 phishing kits are commercially available to criminals worldwide. Layering your defences matters: strong authentication, staff awareness, session management policies, and continuous external monitoring working together give you genuine resilience.
For SMBs, the practical starting point is knowing what is already out there about your business. Credentials that have already been exposed are the most immediate risk, because attackers are actively searching for exactly that information. Running a free audit at breachrr.com/audit takes minutes and shows you what Breachrr can find about your domain and your employees' credentials right now — before someone else acts on it first.
Want to see if your company is exposed?