Ghost Phishing: How EvilTokens Bypasses Email Security to Target Microsoft 365 Accounts
Ghost Phishing Campaign Bypasses Email Security to Hijack Microsoft 365 Accounts
A sophisticated phishing campaign called EvilTokens is targeting businesses across the US and Europe using encrypted malware that hides inside browsers to steal Microsoft 365 credentials — without ever touching passwords.
The EvilTokens campaign represents a dangerous evolution in cybercrime tactics. Unlike traditional phishing attacks that security tools can detect at the email or URL level, this "ghost phishing" technique conceals its malicious payload until the moment a victim's browser decrypts and renders it — making conventional defenses effectively blind to the threat. To understand how this fits within the broader landscape of credential theft and deception, it helps to first understand the different types of phishing attacks targeting organisations today.
How Ghost Phishing Evades Traditional Detection
The EvilTokens attack begins with an email that appears completely safe. Security tools scanning the link at the network level see only an encrypted response and flag nothing unusual. The real danger activates only after the browser opens the page and decrypts the hidden content using AES-GCM encryption — a military-grade standard that renders the payload invisible to static URL scanners and network-level controls.
Once the page decrypts inside the browser, it deploys Microsoft Device Code Phishing. This technique convinces victims to complete what appears to be a legitimate Microsoft login process. The victim unknowingly authorises the attacker to access their Microsoft 365 account without surrendering a password directly.
The threat resembles the Trojan Horse from Greek mythology — appearing harmless from the outside, revealing itself only once it is already inside the gates.
Why Conventional Security Tools Fall Short
The consequences of a successful attack are severe. Security researchers at ANY.RUN identified the following risks from a single compromised account:
- Unauthorised access to corporate email, files, and cloud services
- Business email compromise and financial fraud
- Delayed containment due to incomplete alerts
- Higher investigation workloads for security teams
- Longer exposure windows that allow attackers to expand their reach
The core problem is architectural. Most enterprise security stacks are designed to intercept threats at the perimeter — at the email gateway, the URL scanner, or the network firewall. Ghost phishing bypasses all of these checkpoints by design. The malicious payload exists in an encrypted state until it reaches the browser, at which point perimeter defences have already passed it through.
The full attack chain was uncovered inside ANY.RUN's Interactive Sandbox, which allowed analysts to observe the page behaviour after decryption — something traditional security tools cannot do.
The Role of Device Code Phishing in the Attack Chain
Microsoft Device Code authentication was designed as a convenience feature for devices that cannot easily display a login page — smart TVs, printers, and kiosk terminals. EvilTokens exploits this legitimate workflow by generating a real Microsoft device code and presenting it to the victim as a routine authentication step.
Because the code is genuine and the Microsoft login portal is real, nothing in the authentication flow triggers a fraud alert. The victim completes the process believing they have signed in normally. The attacker, meanwhile, has received a valid OAuth token granting persistent access to the Microsoft 365 account — including email, SharePoint, Teams, and connected cloud services.
This is a meaningful departure from clone phishing techniques that replicate existing emails to deceive recipients, which rely on directing victims to credential-harvesting pages that security tools can more readily detect and block.
Which Industries Are Most at Risk
ANY.RUN's Threat Intelligence data drawn from 15,000 organisations shows that phishing exposure in 2026 has reached alarming levels across key sectors:
- Consulting firms — 75.6% exposure
- Financial services — 72.8%
- Manufacturing — 71.9%
- Technology companies — 67.9%
- Banking institutions — 66.7%
- Managed security service providers — 66.1%
EvilTokens activity is concentrated specifically in these sectors across the United States and Europe. The overlap between high phishing exposure rates and the industries EvilTokens targets is not coincidental — these organisations handle sensitive data and financial transactions that make them high-value targets.
The Cascade Effect of a Single Compromised Account
One compromised Microsoft 365 account in any of these organisations can escalate rapidly. Attackers with access to corporate email can impersonate executives, redirect payments, exfiltrate proprietary data, and move laterally through connected cloud services. The longer the attack stays hidden behind its encryption, the greater the damage potential becomes.
The encryption layer is not merely a technical convenience for attackers — it is a deliberate strategy to extend dwell time. Every hour the intrusion goes undetected is an hour the attacker can spend harvesting data, establishing persistence, and expanding access across the organisation's cloud environment.
Organisations in these sectors should also consider whether their current approach to email security compliance and regulatory obligations around data protection is sufficient in the context of threats that operate beneath the visibility threshold of conventional scanning tools.
Making the Invisible Threat Visible
The most effective countermeasure against ghost phishing is browser-level inspection using an interactive sandbox environment. ANY.RUN's platform allows security analysts to go beyond the encrypted initial response and observe exactly what the browser renders after decryption.
How Sandbox Analysis Exposes the Attack
Inside the sandbox, analysts can watch phishing content appear in the browser's Document Object Model (DOM) in real time. They can connect that change to the underlying Fetch and XHR network requests and trace the Microsoft device code back to the specific API endpoint the attacker uses. This produces concrete evidence rather than inconclusive scan results.
The investigation automatically generates a report with an AI-generated summary and recommended next steps. This accelerates the handoff from Tier 1 analysts to senior security staff by packaging key findings, observed behaviours, indicators of compromise, and response context into a single document. Security teams move from validation to active containment faster and with less duplicated effort.
For further technical context on how sandbox environments classify and attribute phishing infrastructure, Microsoft's Security Intelligence blog provides detailed threat actor reporting relevant to device code phishing and OAuth abuse campaigns.
What Security Leaders Should Do Now
The broader implication for security operations centres is significant. Ghost phishing forces a fundamental rethink of where in the attack chain visibility must exist. Scanning emails and URLs at the perimeter is no longer sufficient when the payload decrypts inside the browser after passing every upstream check.
Security leaders can use the findings from the EvilTokens campaign in three practical ways:
- Audit current detection tools to confirm whether they have any browser-level inspection capability. This is the essential starting point — if the answer is no, the organisation has a blind spot that ghost phishing is designed to exploit.
- Prioritise sandbox investment in consulting, financial services, manufacturing, and technology sectors, where elevated phishing exposure rates demand accelerated action.
- Build detection rules from the IOCs and attack patterns identified in the EvilTokens analysis to catch similar device-code phishing attempts before they result in account takeovers.
Closing the Visibility Gap
Modern phishing no longer announces itself in the email or the initial URL. The attack waits inside the browser and reveals itself only when it is already too late for traditional defences to intervene. Closing that visibility gap is now a business-critical priority for any organisation that relies on Microsoft 365 and cloud-connected services.
The question for security teams is no longer whether ghost phishing will reach their users — it is whether their current tooling can see it when it arrives.