Ghost Phishing Wave Evades Traditional Email Security
What happened
ANY.RUN researchers analyzed a recent EvilTokens campaign using a “ghost phishing” technique that hides the malicious page until it decrypts and renders inside the victim’s browser.
The campaign targets Microsoft 365 users through device code phishing. Instead of stealing a password directly, the phishing kit tricks the victim into completing a legitimate Microsoft login flow and authorizing attacker access to the account. That can give the attacker access to email, files, and cloud services without needing the victim’s password.
The key evasion technique is browser-side concealment. The phishing page’s HTML is encrypted with AES-GCM and only becomes visible after the victim opens the page in a browser, where it decrypts and appears in the DOM. This means static URL checks, email gateways, and network-level inspection may see a harmless initial response while missing the actual phishing content shown to the user.
ANY.RUN’s sandbox analysis exposed the hidden behavior by showing the decrypted page inside the browser, the DOM changes, the Fetch/XHR requests, and the Microsoft device-code flow tied to the /api/device/start endpoint. The activity has been observed across the United States and Europe, with exposure concentrated in technology, manufacturing, education, banking, consulting, financial services, and managed security providers.
Who is affected
Organizations using Microsoft 365 are directly affected, especially if employees can be tricked into completing device code authentication prompts.
The campaign is especially relevant to technology companies, manufacturers, schools, banks, consulting firms, financial services organizations, and MSSPs, where one compromised account can expose sensitive mailboxes, files, customer data, or internal workflows.
Security teams relying mainly on email inspection, URL reputation, and static scanning may be exposed because the malicious content may not appear until browser execution.
Why CISOs should care
This campaign shows why phishing detection can no longer stop at the email or initial URL response. The real attack may only appear after the link is opened, decrypted, and rendered inside the browser.
For CISOs, the device code phishing angle is especially important. Attackers do not need to capture the user’s password if they can convince the user to authorize access through a legitimate Microsoft flow.
The encrypted HTML technique also creates an investigation gap. If analysts only see a clean URL scan, they may underestimate the incident, delay containment, or miss related infrastructure.
The business risk is account takeover. A single Microsoft 365 compromise can enable email access, file theft, internal phishing, business email compromise, fraud, and lateral movement into other cloud services.
3 practical actions
Investigate suspicious links in browser-aware sandboxes: Security teams should use tools that capture DOM changes, Fetch/XHR requests, decrypted page content, and device-code flows rather than relying only on static URL scans.
Harden Microsoft device code authentication: CISOs should review whether device code flow is needed, restrict it where possible, monitor unusual device code sign-ins, and alert on suspicious OAuth or token activity.
Treat clean URL scans as incomplete evidence: SOC teams should update phishing playbooks so links with inconclusive static results are escalated for dynamic browser inspection, especially when tied to Microsoft 365 login prompts.
Recent cybersecurity news:


