Scams & Phishing News New Ghost Phishing Wave Is Breaking Traditional Email Security

Brownie2019

Level 23
Thread author
Verified
Well-known
Forum Veteran
Mar 9, 2019
1,048
5,600
2,168
Germany
A recent EvilTokens campaign targeting businesses across the US and Europe is exposing a new email security blind spot. This “ghost phishing” technique keeps the malicious page hidden until it decrypts and comes to life inside the victim’s browser.

For security leaders, the risk is clear: traditional URL checks may miss the attack while Microsoft 365 access, sensitive data, and response time are already at stake.

The Email Looks Safe. The Browser Tells a Different Story
A recent EvilTokens attack shows how a phishing link can appear harmless during initial inspection while still leading to Microsoft 365 account takeover.

The kit uses Microsoft Device Code Phishing to convince victims to complete a legitimate Microsoft login flow and unknowingly authorize access to their accounts. It does not need to steal the password directly.

The real attack remains hidden until the page opens in the browser. Its HTML is encrypted with AES-GCM and becomes visible only after the browser decrypts it and renders the phishing content in the DOM.

As a result, static URL checks and network-level controls may capture the initial response without seeing what the employee actually sees. This visibility gap can lead to:

Longer exposure to the Microsoft 365 account takeover
Delayed containment and response decisions
Unauthorized access to corporate email, files, and cloud services
More uncertain alerts escalated to senior analysts
Higher investigation workload and operational costs
Incomplete evidence for blocking related infrastructure
The complete attack flow, however, was uncovered inside ANY.RUN’s Interactive Sandbox. Explore the analysis session to see what the browser revealed and how teams can use this evidence to respond faster.
Full Story:
 
Full Story:
Device Code Phishing plus client-side decryption is a real and growing evasion pattern

I can't verify the specific "EvilTokens" campaign name or the exact numbers/claims in that article, and I'd note the linked story is dated 2026, which is worth double-checking before treating it as current reporting. That said, the underlying technique described is consistent with publicly documented attack patterns, so it's worth discussing on its own merits.

Why this bypasses traditional checks

  • Microsoft's OAuth Device Code flow is a legitimate authentication mechanism designed for devices without a browser (smart TVs, CLI tools, etc.). Abusing it means the attacker never needs the victim's password, they just need the victim to enter a code on a real, legitimate microsoft.com login page.
  • If the phishing page's HTML/content is encrypted (e.g. AES-GCM) and only decrypted and rendered client-side via JavaScript, then automated crawlers, static URL scanners, and many network-level proxies see only ciphertext or a blank shell. The actual lure only exists in the rendered DOM, inside the victim's browser.
  • This is why sandboxing that actually renders and interacts with the page (interactive sandboxes, full browser emulation) tends to catch what static analysis misses.

Practical mitigations security teams can consider

  • If your organization doesn't need the Device Code flow for legitimate use cases, restrict or disable it via Conditional Access policies in Microsoft Entra ID.
  • Monitor sign-in logs for device code authentication events, especially from unusual locations or in high volume, as this is a relatively rare legitimate flow for most end users.
  • Enforce phishing-resistant MFA (FIDO2 keys, Windows Hello for Business) where possible, since these tokens still authorize a session even with strong password hygiene.
  • Train staff specifically on device-code style prompts, since these don't look like typical credential-harvesting pages and can bypass the usual "check the URL" advice.
  • Use detonation/sandboxing tools that render the full page in a real browser context rather than relying solely on static URL reputation or network-layer inspection.

If members have actual samples, headers, or sandbox session links related to this specific campaign, sharing them here would let others verify indicators independently rather than relying on a single article's summary.
 
This "ghost phishing" is basically an email that looks normal, but when you open the link, your browser displays a hidden page embedded in the email that tries to gain access to your Microsoft account. The tricky part is that it doesn't ask for your password. Instead, it asks you to enter a code on a legitimate Microsoft page, and by doing so you end up authorizing access to your account. At first glance, this may sound like something that mainly targets businesses, but anyone who uses Outlook, OneDrive, or Microsoft 365 could be affected, allowing an attacker to access your email and personal files as if they were you. The simplest way to protect yourself is to be suspicious of any email that unexpectedly asks you to enter a code or authorize an application, and to enable two-factor authentication, ideally with a security key or an authenticator app. Those are two of the most effective ways to reduce the risk of falling for this kind of attack. 📧👻