Ghost Phishing: The Invisible Threat Bypassing Traditional Email Security
A new 'ghost phishing' technique, leveraged in recent **EvilTokens** campaigns, is exposing a critical blind spot in enterprise email security. This sophisticated method hides malicious content until it's decrypted and rendered within the victim's browser, allowing phishing links to bypass traditional URL checks and potentially lead to **Microsoft 365** account takeovers.

A recent **EvilTokens** campaign targeting businesses across the US and Europe highlights a new challenge for security teams: phishing attacks that appear benign during initial inspection.
This βghost phishingβ technique keeps the malicious page hidden until it decrypts and comes to life inside the victimβs browser. For security leaders, the risk is clear: traditional URL checks may miss the attack while **Microsoft 365** access, sensitive data, and response time are already at stake.
## The Email Looks Safe. The Browser Tells a Different Story
An **EvilTokens** attack demonstrates how a phishing link can appear harmless during initial inspection, yet still lead to **Microsoft 365** account takeover. The kit utilizes **Microsoft Device Code Phishing** to trick victims into completing a legitimate Microsoft login flow, unknowingly authorizing access to their accounts without directly stealing passwords.
The true attack remains hidden until the page fully renders in the browser. Its HTML is encrypted with **AES-GCM** and only becomes visible after the browser decrypts and displays the phishing content in the Document Object Model (DOM).
This visibility gap means static URL checks and network-level controls may capture the initial response without seeing what the employee actually sees. This can lead to:
* **Longer exposure** to **Microsoft 365** account takeover
* **Delayed containment** and response decisions
* **Unauthorized access** to corporate email, files, and cloud services
* More uncertain **alerts escalated** to senior analysts
* Higher investigation **workload and operational costs**
* **Incomplete evidence** for blocking related infrastructure
The complete attack flow, however, was successfully uncovered inside **ANY.RUNβs Interactive Sandbox**. Analyzing the session reveals what the browser exposed and how teams can use this evidence for faster response.

## Where Ghost Phishing Is Hitting Hardest
**ANY.RUNβs Threat Intelligence** indicates recent **EvilTokens** activity is concentrated across the US and Europe, targeting diverse sectors including technology, manufacturing, education, banking, consulting, financial services, and managed security providers.

The data reveals significant phishing exposure across these industries. Based on **ANY.RUNβs** sandbox submissions from 15,000 organizations, phishing exposure in 2026 reached:
* **75.6%** in consulting
* **72.8%** in financial services
* **71.9%** in manufacturing
* **67.9%** in technology
* **66.7%** in banking
* **66.1%** among Managed Security Service Providers (MSSPs)
This makes hidden phishing particularly dangerous for these sectors. A single compromised **Microsoft 365** account can expose sensitive data, enable Business Email Compromise (BEC) and fraud, and trigger costly incident response. The longer an attack remains hidden, the greater the chance it escalates from an isolated account compromise to a wider business incident.
## Make the Ghost Visible Before the Business Pays the Price
The most effective way to expose ghost phishing is by opening suspicious links in a sandbox environment that supports in-browser data inspection. Within **ANY.RUNβs Interactive Sandbox**, analysts can move beyond the encrypted **AES-GCM** response to observe what happens after the page decrypts. They can watch the phishing content appear in the DOM, link the change to a Fetch/XHR request, and trace the Microsoft device code back to the `/api/device/start` endpoint.

The in-browser data view consolidates the full attack flow into a single investigation:
* **DOM snapshots** show when the hidden page changes and the user code appears.
* **HTTP requests** reveal the backend communication behind the device-code flow.
* **URL details** expose the final destination and triggered detection signatures.
* **Indicators** provide domains, endpoints, hashes, and infrastructure for further hunting.
Instead of manually reconstructing the attack, security teams gain direct evidence of page behavior, requests made, and artifacts that support containment and detection.

## From Browser-Level Evidence to a Clearer SOC Handoff
To facilitate the transfer of this evidence from Tier 1 to Tier 2, the investigation automatically generates a report, complete with an AI summary and recommended next steps.

Instead of rebuilding the case from raw browser data, senior analysts receive key findings, observed behavior, indicators, and response context in one comprehensive report. This accelerates handoffs, minimizes redundant work, and helps teams move from validation to containment with greater efficiency.
## Stop Ghost Phishing in the Browser Before It Reaches the Business
The **EvilTokens** case reveals an uncomfortable truth: an email can pass initial security inspections while the real attack lies dormant, waiting to execute within the browser. Without browser-level visibility, Security Operations Centers (SOCs) are forced to make high-stakes decisions with incomplete evidence.
This delay grants attackers more time to gain access, expand their reach, and transform a single compromised **Microsoft 365** account into a costly business incident. Enhanced visibility helps security leaders:
* **Shrink the exposure window** before a compromised account escalates into a wider incident.
* **Reduce pressure on senior analysts** by providing Tier 1 with sufficient evidence to resolve more cases.
* **Accelerate containment** with complete attack intelligence.