
Phishing-as-a-Service and new stealers target Microsoft 365 and power grids—how far will the cyber wave spread?

Intelrift Intelligence Desk · Friday, July 3, 2026 at 02:47 PM · Eurasia & Latin America (cross-regional cyber targeting) · 4 articles · 3 sources

A cluster of cybersecurity reporting on July 3, 2026 highlights a fast-evolving ecosystem of credential theft and phishing tooling aimed at high-value targets. Researchers described “ARToken,” a phishing-as-a-service (PhaaS) platform that appears to operate as an affiliate of the EvilTokens phishing operation, with a specific focus on compromising Microsoft 365 environments. In parallel, Jamf Threat Labs flagged “PamStealer,” a new macOS information stealer distributed via a compiled AppleScript (.scpt) that impersonates the legitimate “Maccy” utility to harvest Mac login credentials. Separately, “Armored Likho” was attributed to attacks targeting government agencies and the electric power sector across Russia, Brazil, and Kazakhstan, blending financially motivated lures with more targeted intrusions.

Geopolitically, the common thread is that cybercrime infrastructure is increasingly being packaged for scale while still being tailored for strategic sectors and state-adjacent institutions. Microsoft 365 compromise attempts matter because they can enable persistent access, identity-based lateral movement, and downstream access to operational systems used by governments and critical infrastructure operators. The Armored Likho targeting of the electric power sector elevates the risk profile from “data theft” to “operational disruption,” even if the articles emphasize intrusion rather than kinetic effects. Kaspersky’s attribution and the cross-country footprint suggest threat actors are exploiting uneven defensive maturity and local identity ecosystems, benefiting from the same monetization pathways while probing for sector-specific weaknesses.

Market and economic implications are indirect but potentially material through insurance, incident response, and the cost of identity security. Organizations reliant on Microsoft 365 (spanning enterprise IT, government back offices, and contractors) face higher demand for security tooling, forcing budget reallocations toward email security, identity governance, and endpoint detection. For the electric power sector, even limited breaches can raise operational risk premia and increase the likelihood of costly remediation, including credential resets and segmentation projects. While the articles do not provide explicit price moves, the direction is toward higher cyber risk costs for CISOs and IT procurement cycles, with potential knock-on effects in cybersecurity equities and vendors tied to identity and endpoint protection.

The next watchpoints are whether these campaigns translate into broader compromises of Microsoft 365 tenants, and whether the power-sector targeting expands into operational technology (OT) environments. Indicators to monitor include spikes in EvilTokens/affiliate infrastructure domains, new PhaaS landing pages, and the appearance of additional macOS stealers using AppleScript impersonation techniques. For defenders, trigger points include anomalous OAuth consent grants, unusual mailbox rule creation, and repeated credential harvesting patterns tied to “Maccy” or similar decoys. Over the coming days to weeks, escalation risk rises if threat actors chain phishing access into privilege escalation and persistence across government and utilities, while de-escalation would be signaled by takedowns, rapid domain sinkholing, and a measurable drop in successful credential theft telemetry.

Geopolitical Implications

  • 01. Identity and email ecosystems (Microsoft 365) are becoming a strategic attack surface for both criminal monetization and state-adjacent targeting.
  • 02. Cross-regional targeting (RU/BR/KZ) suggests threat actors are scaling operations while probing sector-specific weaknesses in utilities and government back offices.
  • 03. Electric power sector intrusions can translate into leverage during geopolitical friction, even without immediate kinetic effects.

Key Signals

  • Increase in EvilTokens/affiliate infrastructure and new PhaaS landing pages referencing Microsoft 365 workflows.
  • Telemetry spikes for OAuth consent grants, suspicious mailbox rules, and anomalous sign-ins in M365 tenants.
  • New macOS stealers using AppleScript decoys that impersonate popular utilities beyond Maccy.
  • Evidence of Armored Likho pivoting from credential theft into persistence and OT-adjacent access in utilities.
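
The OAuth-consent and mailbox-rule signals above can be triaged together from audit data. The sketch below is an added example, not part of the original brief: the records are constructed and simplified to a few fields shaped like Microsoft 365 unified audit log entries, and the function names, tenant domain, and severity labels are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

RULE_OPS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}
CONSENT_OPS = {"Consent to application."}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}

# Constructed sample records (not real telemetry), one JSON object per line.
SAMPLE_AUDIT = """
{"CreationTime":"2026-07-03T09:12:44","Operation":"UserLoggedIn","UserId":"a.ivanov@example.org"}
{"CreationTime":"2026-07-03T09:14:02","Operation":"Consent to application.","UserId":"a.ivanov@example.org"}
{"CreationTime":"2026-07-03T09:15:30","Operation":"New-InboxRule","UserId":"a.ivanov@example.org","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"drop@example.net"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2026-07-03T10:01:00","Operation":"New-InboxRule","UserId":"m.silva@example.org","Parameters":[{"Name":"Name","Value":"News"},{"Name":"MoveToFolder","Value":"News"}]}
"""

def risky_rule(record, tenant_domains):
    """Return the reasons an inbox-rule record forwards out or hides mail."""
    reasons = []
    for p in record.get("Parameters", []):
        name, value = p["Name"], str(p["Value"])
        if name in FORWARD_PARAMS:
            for addr in value.split(";"):
                domain = addr.strip().rsplit("@", 1)[-1].lower()
                if domain not in tenant_domains:
                    reasons.append(f"{name} external ({domain})")
        elif name == "DeleteMessage" and value.lower() == "true":
            reasons.append("deletes matching mail")
    return reasons

def triage(audit_text, tenant_domains, window=timedelta(hours=1)):
    """Map UserId -> (severity, reasons); a consent followed by a risky rule is 'high'."""
    consents, findings = defaultdict(list), {}
    records = [json.loads(l) for l in audit_text.splitlines() if l.strip()]
    for r in sorted(records, key=lambda rec: rec["CreationTime"]):
        when, user = datetime.fromisoformat(r["CreationTime"]), r["UserId"].lower()
        if r["Operation"] in CONSENT_OPS:
            consents[user].append(when)
            findings.setdefault(user, ("review", ["OAuth consent grant"]))
        elif r["Operation"] in RULE_OPS:
            reasons = risky_rule(r, tenant_domains)
            if reasons:
                chained = any(timedelta(0) <= when - c <= window for c in consents[user])
                prev_sev, prev_reasons = findings.get(user, ("review", []))
                sev = "high" if chained or prev_sev == "high" else "review"
                findings[user] = (sev, prev_reasons + reasons)
    return findings
```

Calling `triage(SAMPLE_AUDIT, {"example.org"})` flags only the first user; the second user's folder-sorting rule produces no finding.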

Topics & Keywords

ARToken, EvilTokens, Microsoft 365 phishing, PamStealer, AppleScript .scpt, Armored Likho, electric power sector, Jamf Threat Labs, Kaspersky
