Phase 1: Target Verification and AI Lures
Threat actors begin their operations by validating target corporate accounts up to ten to fifteen days before executing the primary phishing phase. This ensures that only active, high-value corporate personas are targeted, reducing noise and detection risk. Additionally, the operators leverage advanced generative AI models to translate captured mailbox data and draft hyper-personalized phishing lures. These communications are customized specifically to the target's business functions, such as procurement, accounts payable, or executive operations.
Phase 2: Reputation Hijacking and Email Delivery
To bypass strict secure email gateway controls, the attackers impersonate active vendors. While security frameworks such as SPF, DKIM, and DMARC may flag anomalies, the platform quietly pivots the reply-to address paths away from the spoofed vendor. The phishing emails contain minor, randomized mutations (including unique hex strings and signature graphics like pumber.png) to neutralize static file signatures. Crucially, the phishing links utilize anchor text pointing to a legitimate supplier's SharePoint domain, but the actual hyperlink redirects the user to a rogue SharePoint tenant controlled by the adversary inside an independent Microsoft 365 workspace. This allows the attacker to inherit the trusted reputation of Microsoft's root domain.
Phase 3: The Seven-Layer Client-Side Screening Process
Upon clicking the malicious link, the victim is directed to a landing page hosted via Cloudflare Workers. Before initiating any phishing action, the platform executes a rigorous, multi-layered anti-analysis routine to screen out security crawlers, sandboxes, and defensive researchers. This defense evasion relies on seven distinct steps:
Layer 1 (User-Agent Filtering): A regular expression script scans incoming requests to block headless browsers, web scrapers, and automated command-line utilities.
Layer 2 (Automation Detection): The script validates the browser's navigator.webdriver property to identify automated execution frameworks.
Layer 3 (Feature Fingerprinting): The environment is checked for the presence of standard browser APIs, looking for the absence of window.chrome, navigator.vendor, or specific pointing device APIs.
Layer 4 (Window Dimension Analysis): The system catches automated sandboxes by identifying default headless viewport sizes that report dimensions of 0x0.
Layer 5 (Interaction Telemetry): The core payload remains locked until the system registers at least three mouse movements or one touch interaction from a real user.
Layer 6 (Timing Gate): The system enforces a mandatory delay, requiring at least 800 milliseconds to elapse from page load before payload activation.
Layer 7 (Movement Trajectory Validation): The script analyzes coordinates to verify organic, non-linear mouse paths, blocking automated, perfectly straight linear movements.
Once all seven layers are successfully validated, the client-side JavaScript payload (which is XOR-encrypted with a 16-byte key) is decrypted dynamically in memory.
Phase 4: Device Code Grant Abuse and MFA Bypass
The decrypted script extracts the victim's email address from the URL parameters (using the ?hint= parameter) and initiates a POST request to the C2 endpoint (/api/device/start) containing a hardcoded operator UUID. The platform then generates a legitimate Microsoft device login code and presents it to the victim alongside a 15-minute countdown clock. The user is instructed to navigate to microsoft.com/devicelogin to enter the code. Because the authentication takes place entirely on Microsoft's official infrastructure, any corporate multi-factor authentication prompt is fully validated by the victim. Once authorized, Microsoft's authorization servers issue access, refresh, and Primary Refresh Tokens directly to the attacker client ID, completely bypassing traditional endpoint controls.
Phase 5: Session Upgrades and Long-Term Persistence
With initial access established, the threat actor utilizes the ARToken administrative panel to execute backend commands, transitioning from basic access tokens to a permanent Primary Refresh Token. The platform leverages endpoints such as /prt/setup, /prt/refresh, and /prt/cookie to cement long-term persistence. This specialized session state is designed to survive subsequent password resets, ensuring the adversary maintains continuous access to the victim's tenant.