Threat Analysis: ARToken M365 Phishing Platform, Avalon Ransomware Framework, and a 2-Million-Device Botnet, What UK SMBs Need to Know
Hello, Mauven here.
This is your Daily Threat Analysis for the 3rd of July 2026.
Three items in today’s feeds warrant your attention. Two are active attack campaigns with direct UK SMB exposure. The third is a law enforcement action with implications that most of the coverage is not spelling out clearly enough. I will take them in order of the risk they present to a typical UK small or medium business.
ARToken: The Platform That Makes Your Microsoft 365 MFA Irrelevant
Cisco Talos published analysis this week of ARToken, a phishing-as-a-service platform that shares infrastructure and operational patterns with the previously documented EvilTokens platform. If you have not heard of EvilTokens, the short version is this: it is a tool for conducting device code phishing against Microsoft 365 at scale, offered as a managed service to criminal affiliates.
ARToken exposes over 80 API endpoints through a React-based dashboard. Those endpoints enable device code phishing, Primary Refresh Token persistence, email access, business email compromise operations, and SharePoint data exfiltration. The platform handles the operational complexity so that the person deploying it does not need to understand the underlying technique.
The technique itself is worth understanding. Device code authentication is a legitimate Microsoft 365 flow designed for devices that cannot display a browser login (smart TVs, printers, some IoT equipment). The user is shown a code and directed to a Microsoft URL to authenticate. ARToken abuses this by sending phishing emails that trick targets into completing a device code flow that was started by the attacker, so the tokens issued at the end of it go to the attacker’s session rather than to the user’s device. The user’s second factor is entered and validated as normal. The attacker receives the authenticated token. Your MFA did its job perfectly. You were still compromised.
The advisory attributes this to infrastructure overlapping with EvilTokens. What it does not say in the headline is that device code phishing has been an observable TTP in business email compromise campaigns targeting UK professional services since at least 2024. The ARToken platform is not a new technique. It is a productised delivery mechanism for a known technique, which means the barrier to deployment has dropped considerably.
What this means for UK SMBs: If your Microsoft 365 tenancy allows device code authentication flows for all users, you are exposed. Most default tenant configurations permit this. Restricting or blocking the device code flow entirely, through Conditional Access policies, is the direct mitigation. If your IT provider manages your Microsoft 365 and has not raised this with you, ask them why not. The NCSC has published guidance on securing Microsoft 365 tenancies. The fact we are still having this conversation tells you everything about how seriously the configuration recommendations are being actioned.
Immediate action: Review your Entra ID Conditional Access policies. If you do not have a policy explicitly restricting device code authentication to managed, compliant devices, or blocking it entirely, you are running an open door.
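One way to put that Conditional Access policy in place, as an added example that is not from the Talos advisory or any Microsoft documentation quoted on this page: it uses the Microsoft Graph PowerShell SDK to create a report-only policy targeting the device code flow, then lists every policy in the tenant that already covers it. It assumes the `Microsoft.Graph` module is installed, that the signed-in account holds the `Policy.ReadWrite.ConditionalAccess` permission, and that the break-glass group id is replaced with a real one; the `authenticationFlows` condition and cmdlet names should be checked against the current SDK release before use.

```powershell
# Added example: block the device code flow with Conditional Access (report-only first).
# Assumption: Microsoft.Graph module present; the group id below is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder, replace

$policy = @{
    displayName = "Block device code authentication flow"
    # Report-only lets you review sign-in log impact before enforcing;
    # change to "enabled" once legitimate device-code users are excluded.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)   # emergency access accounts
        }
        applications = @{
            includeApplications = @("All")
        }
        # The "authentication flows" condition: target only device code sign-ins.
        authenticationFlows = @{
            transferMethods = "deviceCodeFlow"
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy | Out-Null

# Check: which policies in the tenant already address the device code flow, and are they enforced?
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.Conditions.AuthenticationFlows.TransferMethods -match "deviceCodeFlow" } |
    Select-Object DisplayName, State
```

A policy that shows `enabledForReportingButNotEnforced` here is still an open door; it only becomes a mitigation once its state is `enabled`.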
Avalon: Ransomware Disguised as a Legal Document, and Your Attachment Scanner Won’t Catch It
Blackpoint Cyber published analysis of a framework they have named Avalon, a multi-stage attack chain that begins with a spoofed legal document and ends with a ransomware payload under the CrownX banner. The researchers describe it as a previously undocumented framework, and the delivery mechanism is worth paying attention to.
The attack chain begins with a phishing email referencing legal proceedings, contracts, or related documentation, the kind of email that a small business owner or office manager would reasonably open. The document itself is hosted on Proton Drive. That matters because Proton Drive is a legitimate, well-regarded service with a clean reputation. Many email gateways and attachment scanners will not flag a link to Proton Drive as suspicious.
The download is a password-protected archive. Inside is an ISO image. The ISO contains an MSBuild project that executes malicious payloads entirely in memory; no conventional executable file is written to disk. Avalon consolidates credential theft, lateral movement, and defence evasion capabilities in a single framework, and the intrusion can end in ransomware deployment via CrownX.
The memory-only execution is deliberate. It is specifically designed to evade endpoint detection tools that rely on file scanning. If your endpoint protection is signature-based and file-focused, it may not generate an alert until lateral movement is already underway.
What this means for UK SMBs: Professional services firms (solicitors, accountants, consultancies, letting agents) are the target profile here. These are businesses that routinely receive unsolicited legal documents from parties they have not previously dealt with. The social engineering is highly plausible because the scenario is normal business practice.
ISO files delivered via password-protected archives are a well-documented evasion technique. The NCSC has flagged ISO-based delivery mechanisms in previous advisories. The addition of memory-only execution and legitimate hosting infrastructure raises the difficulty of detection.
Immediate action: Train staff to treat password-protected archives from external senders as requiring verification before opening, regardless of the apparent source. Review whether your endpoint protection has behavioural detection capabilities, not just file scanning. Confirm that macro execution and ISO mounting policies are configured appropriately on business devices.
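Two of those checks in script form, as an added example that is not from the Blackpoint Cyber write-up: the first removes the Explorer “Mount” verb for ISO and VHD files so a double-click no longer mounts an image (programmatic mounting via `Mount-DiskImage` still works for administrators), and the second looks back through Windows process-creation events for MSBuild started by something other than a build tool, which is the behavioural signal the file-scanning-only tools described above would miss. It assumes the script runs elevated, that process creation auditing (event 4688) with command-line logging is enabled, and that the `ProgrammaticAccessOnly` registry value behaves as documented for shell verbs.

```powershell
# Added example: harden ISO/VHD handling and hunt for suspicious MSBuild launches.
# Assumptions: run as administrator; 4688 auditing with command line enabled.

# 1. Hide the Explorer "Mount" verb so users cannot mount ISO/VHD by double-click.
foreach ($cls in "Windows.IsoFile", "Windows.VhdFile") {
    $key = "HKLM:\SOFTWARE\Classes\$cls\shell\mount"
    if (Test-Path $key) {
        New-ItemProperty -Path $key -Name "ProgrammaticAccessOnly" -Value "" `
            -PropertyType String -Force | Out-Null
        Write-Host "Explorer mount verb disabled for $cls"
    }
}

# 2. Hunt: MSBuild.exe started by a non-build parent in the last 7 days.
#    A legitimate developer box will show devenv/dotnet/msbuild parents;
#    explorer.exe or a script host as parent, with a project on a removable
#    or mounted drive, is the pattern worth investigating.
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{ LogName = "Security"; Id = 4688; StartTime = $since } `
        -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($e in $x.Event.EventData.Data) { $d[$e.Name] = $e.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Process     = $d.NewProcessName
            Parent      = $d.ParentProcessName
            CommandLine = $d.CommandLine
        }
    } |
    Where-Object {
        $_.Process -match "\\msbuild\.exe$" -and
        $_.Parent  -notmatch "devenv\.exe|dotnet\.exe|msbuild\.exe|vbcscompiler\.exe"
    } |
    Format-Table Time, Parent, CommandLine -AutoSize
```

Any hit from the hunt should be checked against the parent process and the drive letter in the command line, since a project file sitting on a freshly mounted image is the delivery chain described above.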
The NetNut Botnet Takedown: What the Coverage Is Missing
The Register reported today that Google and the FBI have taken action against a residential proxy network linked to NetNut, involving approximately 2 million compromised devices. Other residential proxy brands may be relying on the same underlying infrastructure.
Residential proxy networks work by routing traffic through the internet connections of real devices (home routers, IoT devices, consumer endpoints) rather than through obvious data centre IP addresses. Legitimate residential proxy services exist and are used by businesses for various purposes. The criminal applications are the problem: they allow threat actors to conduct credential stuffing, account takeover, fraud, and reconnaissance while appearing to originate from ordinary residential or business IP addresses. Your IP reputation tools give them a clean score because the traffic genuinely is coming from a real UK broadband connection, one belonging to someone whose device was compromised without their knowledge.
The operational implication that most coverage is not stating directly: any business or individual whose device was part of this botnet was, in effect, providing cover for criminal activity. Their IP address was being used to attack other organisations. If your business uses residential or home worker internet connections without visibility into outbound traffic behaviour, you have no way of knowing whether your infrastructure has been co-opted in a similar way.
This is not an abstract concern. The RustDuck botnet analysis published in the same intelligence cycle describes a two-stage DDoS botnet actively propagating through weak passwords and known IoT vulnerabilities; CVE-2017-17215 and CVE-2018-8007 are both in its propagation toolkit. Both are years-old vulnerabilities. Both continue to work because devices are not being patched.
What this means for UK SMBs: If your business has internet-facing routers, IoT devices, or CCTV systems that have not been updated in the last 12 months, check them today. Default credentials and unpatched firmware are the primary propagation vectors. If your IT provider or MSP manages network devices on your behalf, ask them to confirm that firmware update processes are in place and being followed.
A Note on the Broader Pattern
All three of today’s items share a common characteristic: they are designed to look normal. Device code phishing looks like a routine Microsoft authentication request. Avalon looks like a legal document from a recognisable service. Botnet traffic looks like ordinary residential internet use.
The adversaries operating at this level are not relying on obviously suspicious behaviour to succeed. They are relying on the gap between what organisations believe their security controls do and what those controls actually do in practice. Closing that gap requires visibility into your environment, not just tools deployed at the perimeter.
If you have questions about any of today’s items, the sources listed below contain the technical detail. If you need to take something to your board or your IT provider, the three action points above are the starting position.
Before the next story: if Threat Analysis is useful to you, follow the show wherever you listen so tomorrow’s briefing lands automatically, and pass it to someone who needs the heads-up.
Sources
| Source | Publication | Link |
|---|---|---|
| Cisco Talos | Inside an affiliate panel targeting Microsoft 365, ARToken | https://blog.talosintelligence.com/artoken-inside-an-eviltokens-affiliate-panel-targeting-microsoft-365/ |
| Blackpoint Cyber | Vibe Coded Extortion: Path from Legal Lure to CrownX Ransom Capabilities | https://blackpointcyber.com/blog/avalons-path-from-legal-lure-to-crownx-ransom-capabilities/ |
| The Register | NetNut cracked as Google and FBI target 2 million-device botnet | https://www.theregister.com/security/2026/07/03/netnut-cracked-as-google-and-fbi-target-2-million-device-botnet/5266414 |
| Abnormal Security | Blacksite: New AiTM Phishing Kit Evades URL Scanners via Cloaked.gg | https://abnormal.ai/es/blog/blacksite-aitm-phishing-kit-cloaked-gg |
| LevelBlue / SpiderLabs | AsyncRAT and Remcos Delivered in Multi-Stage Phishing Campaign | https://www.levelblue.com/blogs/spiderlabs-blog/asyncrat-and-remcos-delivered-in-multi-stage-phishing-campaign |