A recent EvilTokens campaign targeting businesses across the US and Europe is exposing a new email security blind spot. This “ghost phishing” technique keeps the malicious page hidden until it decrypts and comes to life inside the victim’s browser.
For security leaders, the risk is clear: traditional URL checks may miss the attack while Microsoft 365 access, sensitive data, and response time are already at stake.
The Email Looks Safe. The Browser Tells a Different Story
A recent EvilTokens attack shows how a phishing link can appear harmless during initial inspection while still leading to Microsoft 365 account takeover.
The kit uses Microsoft Device Code Phishing to convince victims to complete a legitimate Microsoft login flow and unknowingly authorize access to their accounts. It does not need to steal the password directly.
The real attack remains hidden until the page opens in the browser. Its HTML is encrypted with AES-GCM and becomes visible only after the browser decrypts it and renders the phishing content in the DOM.
As a result, static URL checks and network-level controls may capture the initial response without seeing what the employee actually sees. This visibility gap can lead to:
- Longer exposure to the Microsoft 365 account takeover
- Delayed containment and response decisions
- Unauthorized access to corporate email, files, and cloud services
- More uncertain alerts escalated to senior analysts
- Higher investigation workload and operational costs
- Incomplete evidence for blocking related infrastructure
The complete attack flow, however, was uncovered inside ANY.RUN’s Interactive Sandbox. Explore the analysis session to see what the browser revealed and how teams can use this evidence to respond faster.
Check recent EvilTokens attack and get relevant IOCs
![]() |
| Complicated ghost phishing revealed inside ANY.RUN’s sandbox |
Where Ghost Phishing Is Hitting Hardest
ANY.RUN’s Threat Intelligence shows recent EvilTokens activity concentrated across the US and Europe, targeting technology, manufacturing, education, banking, consulting, financial services, and managed security providers.
![]() |
| ANY.RUN’s TI shows threat activity targeting specific regions |
The overlap is hard to ignore. Based on ANY.RUN’s sandbox submissions data from 15,000 organizations, phishing exposure in 2026 reached 75.6% in consulting, 72.8% in financial services, 71.9% in manufacturing, 67.9% in technology, 66.7% in banking, and 66.1% among MSSPs.
This makes hidden phishing especially dangerous for these sectors. One compromised Microsoft 365 account can expose sensitive data, enable business email compromise and fraud, and trigger costly incident response.
The longer the attack stays hidden, the greater the chance that one account becomes a wider business incident.
Stop hidden phishing before it costs your business.
Reduce exposure, incident costs, and account takeover risk.
Make the Ghost Visible Before the…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]


