A sophisticated “ghost phishing” campaign, identified as EvilTokens, is exploiting a critical security blind spot by hiding malicious content until it activates within a victim’s browser. This emerging threat necessitates a re-evaluation of traditional email security measures, as it bypasses common detection methods and puts sensitive company data at risk. The campaign’s primary target appears to be Microsoft 365 accounts, posing a direct threat to businesses across the United States and Europe.
The EvilTokens campaign leverages a novel technique to deliver phishing attacks, making it particularly challenging for current security protocols to identify. By delaying the rendering of malicious content until it’s inside the user’s browser environment, the attack circumvents static URL analysis and network-level scanning. This creates a significant visibility gap for security teams, impacting their ability to detect and respond to account takeovers effectively.
The Deceptive Nature of Ghost Phishing
The core of the EvilTokens attack lies in its deceptive presentation and execution. Initial analysis of phishing emails often reveals seemingly legitimate links. However, these links lead to pages that remain inert until decrypted by the victim’s browser. This advanced technique, employing AES-GCM encryption, means that the malicious payload is not visible during conventional security checks.
Once decrypted within the browser, the phishing content comes to life, often initiating a Microsoft device code phishing flow. This method tricks users into granting unauthorized access to their Microsoft 365 accounts without necessarily stealing their passwords directly. The attack’s success hinges on the user’s interaction with the legitimate-looking Microsoft login process presented after the initial decryption.
The consequences of this stealthy approach are far-reaching. Security leaders face prolonged exposure to account takeover threats, resulting in delayed containment and response efforts. This can lead to unauthorized access to critical corporate resources, including emails, confidential files, and cloud-based services. Furthermore, it generates uncertain alerts, increases the investigation workload, raises operational costs, and can result in incomplete evidence for blocking related malicious infrastructure.
Instances of this “ghost phishing” have been extensively documented and analyzed within interactive sandboxing environments. These platforms provide the necessary visibility to observe the attack’s progression from initial URL access through to the decrypted browser content. Such detailed analysis is crucial for understanding the attack vectors and developing effective countermeasures.
The complete attack flow, as uncovered within ANY.RUN’s Interactive Sandbox, illustrates the crucial role of in-browser analysis. Exploring these detailed session analyses allows security teams to identify the hidden malicious elements and expedite their response to such sophisticated threats. Examining recent EvilTokens attacks and obtaining relevant Indicators of Compromise (IOCs) is an essential step for organizations seeking to bolster their defenses.
Geographic and Sectoral Impact of EvilTokens
According to ANY.RUN’s Threat Intelligence, the recent EvilTokens activity displays a clear concentration in the United States and Europe. The campaign has been observed targeting a diverse range of industries, including technology, manufacturing, education, banking, consulting, financial services, and managed security providers.
This broad targeting is concerning, especially given existing phishing exposure levels in key sectors. Data from ANY.RUN’s sandbox submissions, compiled from approximately 15,000 organizations, indicates alarmingly high phishing exposure rates. In 2026, consulting firms reported 75.6% exposure, followed by financial services at 72.8%, manufacturing at 71.9%, technology at 67.9%, banking at 66.7%, and managed security service providers (MSSPs) at 66.1%.
The convergence of hidden phishing techniques with sectors already facing high exposure significantly amplifies the threat. A single compromised Microsoft 365 account in these industries can lead to the exposure of highly sensitive data, enable sophisticated business email compromise scams, and trigger extensive and costly incident response procedures. The longer an attack remains undetected due to its hidden nature, the greater the potential for a localized breach to escalate into a significant business-wide incident.
Stopping hidden attacks like ghost phishing before they inflict damage is paramount for business continuity and data security. Organizations must prioritize solutions that extend visibility into the browser environment to counter these evolving threats effectively.
Making Hidden Threats Visible for Enhanced Security Posture
The most effective strategy for combating ghost phishing involves utilizing sandboxing solutions capable of in-browser data inspection. Platforms like ANY.RUN’s Interactive Sandbox allow security analysts to move beyond the encrypted response and observe the attack payload as it materializes within the browser’s Document Object Model (DOM). This enables them to connect the obfuscated content to specific network requests, such as Fetch/XHR, and trace the Microsoft device code flow back to its origin endpoint.
The detailed in-browser data view within these sandboxes consolidates the entire attack chain into a single, actionable investigation environment. By examining DOM snapshots, analysts can pinpoint the moment the hidden page changes and malicious user code appears. Simultaneously, HTTP requests reveal critical backend communications, while URL details expose the final destination and any triggered detection signatures.
This comprehensive view provides essential indicators, including domains, endpoints, file hashes, and related infrastructure, which are invaluable for further threat hunting and proactive defense. Instead of manually reconstructing the attack from fragmented data, security teams receive direct evidence of the phishing page’s behavior, its communication patterns, and the artifacts necessary for effective containment and detection.
To facilitate efficient escalation and collaboration, the investigation process automatically generates detailed reports. These reports include AI-generated summaries and recommended next steps, streamlining the handoff from Tier 1 analysts to Tier 2 and beyond. This ensures that senior analysts receive concise, actionable intelligence, reducing the need for redundant work and accelerating the transition from validation to containment.
The EvilTokens campaign serves as a stark reminder that email security alone is insufficient. The attack’s ability to pass initial inspection while concealing its true nature within the browser demands a more advanced approach. Security operations centers (SOCs) must have the tools to gain visibility into this browser-level activity to make informed decisions and mitigate risks effectively. Without this capability, organizations remain vulnerable to prolonged dwell times and escalating incident costs.
By implementing solutions that provide full browser evidence, security teams can significantly shrink the exposure window of compromised accounts. This not only reduces pressure on senior analysts by enabling Tier 1 to resolve more cases independently but also accelerates containment with complete attack context available from the outset. Ultimately, this leads to improved detection coverage, lower phishing response costs, and risk management grounded in concrete evidence rather than incomplete scans.
Modern phishing threats are increasingly sophisticated and no longer reveal themselves solely within the initial email or URL response. Security teams must adopt tools that extend their visibility into the browser to expose these hidden dangers before they can cause significant damage to the business. The next step for organizations is to ensure their security infrastructure includes robust capabilities for detecting and analyzing browser-based threats.

