KOM CLOUDSERVICE
All Insights

The Phishing Kit That Beats Your MFA (And How It Works)

A new Microsoft 365 phishing toolkit steals login tokens and walks right past MFA. Here's how the attack works and how to stop it.

Researchers just pulled apart a phishing toolkit built to break into Microsoft 365 accounts. The ugly part: turning on MFA won’t stop it. This is a paid service. Criminals rent it for a few hundred dollars a month and point it at your business.

This week in brief

  • A fake Mac app is spreading through a verified X ad. Attackers ran a sponsored ad from a verified account pushing a lookalike download for DynamicLake, a real Mac utility. Click it and you’re told to paste a command into Terminal, which quietly installs a password stealer. A blue checkmark is not a safety badge. Malwarebytes has the details.

  • A new Mac stealer called PamStealer is faking the Maccy clipboard app. It uses macOS’s own password prompt system to trick you into handing over your login password, then grabs browser data and files. Only download Mac software from the developer’s real site or the App Store. The Hacker News covered it.

  • “ConsentFix” steals your Microsoft 365 account without any malware at all. You drag a link into your browser, approve what looks like a routine permission, and an attacker walks off with your login tokens. No password typed. Nothing your antivirus would flag. Same underlying trick as the main story below.

The one that matters

Cisco Talos found a phishing-as-a-service platform called ARToken while working a breach investigation. When they reverse-engineered its control panel, they found something more capable than a normal phishing page: over 80 API endpoints built specifically to break into Microsoft 365 and stay there.

Here’s what it does. It steals Microsoft 365 authentication tokens, plants persistent access using something called a Primary Refresh Token, and then reaches into Outlook mailboxes, SharePoint sites, and OneDrive files. It can spin up phishing infrastructure automatically and run business email compromise campaigns, the scam where a criminal reads your email, learns how your company talks, and sends a fake invoice or wire request that looks completely real.

Talos says ARToken is tied to an earlier platform called EvilTokens, first documented by researchers at Sekoia back in March. EvilTokens sells for a $1,500 setup fee and $500 a month. It even has an AI workflow that reads stolen mailboxes, scores which victims have the most money to steal, and drafts the fraud emails for the operator, translating them into other languages if needed. This is a business. It has pricing tiers and customer workspaces.

Now the part that should get your attention. The core technique is called device code phishing, and it abuses a legitimate Microsoft login feature.

Here’s how it plays out. You get an email or message that looks routine: a document to review, a meeting to join. It sends you to Microsoft’s real login page and asks you to enter a short code. That code was generated by the attacker’s system. When you type it in and approve, Microsoft does exactly what it’s designed to do: it hands the authentication token to the device that requested the code. That device is the attacker’s, not yours.

Because you logged in on Microsoft’s genuine page and approved it yourself, standard MFA doesn’t fire. You already passed the check. There’s no fake password field to catch, no lookalike domain to spot. That’s why this technique is spreading. It defeats the one control most small businesses rely on.

If you run a law office, an accounting firm, or a medical practice, this is your nightmare scenario. Once they’re in the mailbox, they read everything: client files, financial details, wire instructions. Then they use it to send fraud that looks like it came from you. The persistent token access means they can stay logged in even after you change your password. Kicking them out takes more than a reset.

The good news: this is stoppable, but not with a single toggle. It takes locking down how authentication works in your Microsoft 365 tenant, which is exactly the kind of thing KOM Cloud Service configures for clients. Microsoft lets administrators block the device code flow entirely through Conditional Access policies. Most small businesses have no legitimate use for it. Combine that with sign-in monitoring that flags a login from a strange location or a token being used somewhere it shouldn’t, and the attack falls apart before the criminal reaches your inbox.

What to do right now

  • Block device code authentication in Microsoft 365. Set a Conditional Access policy to disable the device code flow tenant-wide. Almost no small business needs it, and it shuts this exact attack down.
  • Turn on sign-in and token monitoring. You want alerts when a login comes from an unusual place or a session token gets reused elsewhere. This is what endpoint and identity detection is for.
  • Never enter a code you didn’t request. If a message tells you to type a code into a Microsoft page, stop. A real login you started never works that way.
  • Only install software from the developer’s real site. The Mac attacks this week both rode on fake download pages and paid ads. A verified badge means nothing.
  • Train your team on “approve this permission” prompts. ConsentFix works because people click approve on autopilot. If a login or permission request shows up out of nowhere, treat it as suspicious.

If you’re relying on MFA alone and assuming that covers you, this is the story that shows why it doesn’t. Figuring out where your Microsoft 365 setup actually stands is exactly what we’re here for. Book a free 15-minute consult and we’ll take a look.

Talk to the person who'll actually run your IT.

Book a free 15-minute consult. No sales pitch from a stranger, just a straight conversation about what your business needs.

Book your free consult

Or call (732) 701-7012

Monthly agreements, not multi-year lock-ins  ·  No call centers, ever