Source: The Hacker News
Author: info@thehackernews.com (The Hacker News)
URL: https://thehackernews.com/2026/07/new-ghost-phishing-wave-is-breaking.html
ONE SENTENCE SUMMARY:
EvilTokens uses AES-GCM “ghost phishing” and Microsoft device-code flow to bypass URL checks, requiring browser-level sandbox visibility.
MAIN POINTS:
- Recent EvilTokens campaigns target US and European businesses with hidden “ghost phishing.”
- Malicious pages appear benign until decrypted and rendered inside the victim’s browser DOM.
- Attack leverages Microsoft Device Code Phishing to gain Microsoft 365 access without stealing passwords.
- AES-GCM encrypted HTML hides phishing content from static scanners and network inspection.
- Visibility gaps increase exposure time, delaying containment of Microsoft 365 account takeover.
- Compromised accounts risk unauthorized access to email, files, and cloud services.
- ANY.RUN sandbox revealed decrypted DOM behavior, Fetch/XHR activity, and device-code endpoints.
- In-browser inspection provides DOM snapshots, HTTP requests, URLs, and detection signatures.
- Extracted indicators include domains, endpoints, hashes, and infrastructure for threat hunting.
- Auto-generated reports speed Tier 1-to-Tier 2 handoffs and reduce duplicated investigation work.
TAKEAWAYS:
- Relying on email/URL “clean” results is insufficient against encrypted, browser-decrypted phishing.
- Device-code OAuth abuse enables stealthy account takeover with legitimate Microsoft login steps.
- Sectors with high phishing exposure face amplified risk from single Microsoft 365 credential compromise.
- Sandbox tooling must include in-browser data inspection to surface DOM changes post-decryption.
- Faster evidence-rich SOC workflows reduce incident costs and shorten the attacker’s dwell time.