New Ghost Phishing Wave Is Breaking Traditional Email Security

Source: The Hacker News

Author: info@thehackernews.com (The Hacker News)

URL: https://thehackernews.com/2026/07/new-ghost-phishing-wave-is-breaking.html

ONE SENTENCE SUMMARY:

EvilTokens uses AES-GCM “ghost phishing” and Microsoft device-code flow to bypass URL checks, requiring browser-level sandbox visibility.

MAIN POINTS:

  1. Recent EvilTokens campaigns target US and European businesses with hidden “ghost phishing.”
  2. Malicious pages appear benign until decrypted and rendered inside the victim’s browser DOM.
  3. Attack leverages Microsoft Device Code Phishing to gain Microsoft 365 access without stealing passwords.
  4. AES-GCM encrypted HTML hides phishing content from static scanners and network inspection.
  5. Visibility gaps increase exposure time, delaying containment of Microsoft 365 account takeover.
  6. Compromised accounts risk unauthorized access to email, files, and cloud services.
  7. ANY.RUN sandbox revealed decrypted DOM behavior, Fetch/XHR activity, and device-code endpoints.
  8. In-browser inspection provides DOM snapshots, HTTP requests, URLs, and detection signatures.
  9. Extracted indicators include domains, endpoints, hashes, and infrastructure for threat hunting.
  10. Auto-generated reports speed Tier 1-to-Tier 2 handoffs and reduce duplicated investigation work.

TAKEAWAYS:

  1. Relying on email/URL “clean” results is insufficient against encrypted, browser-decrypted phishing.
  2. Device-code OAuth abuse enables stealthy account takeover with legitimate Microsoft login steps.
  3. Sectors with high phishing exposure face amplified risk from single Microsoft 365 credential compromise.
  4. Sandbox tooling must include in-browser data inspection to surface DOM changes post-decryption.
  5. Faster evidence-rich SOC workflows reduce incident costs and shorten the attacker’s dwell time.