The Hidden Phishing Attack That Passes Email Checks But Strikes in Your Browser
A new phishing campaign called EvilTokens is exploiting a critical blind spot in email security: attackers hide malicious content inside encrypted pages that remain invisible to security scanners until they decrypt in a victim's browser. This technique, known as "ghost phishing," allows attackers to target Microsoft 365 accounts across the US and Europe while traditional URL checks and network-level defenses fail to catch the threat.
How Does Ghost Phishing Actually Work?
The attack begins like any other phishing email, with a suspicious link that appears harmless during initial inspection. But here's where it gets dangerous: the malicious page's HTML code is encrypted using AES-GCM encryption, a military-grade standard. When a security tool scans the link, it sees only the encrypted response. The real attack remains completely hidden until the page opens in a victim's browser, where the encryption decrypts and the phishing content comes to life in the browser's DOM (Document Object Model).
The EvilTokens kit uses a technique called Microsoft Device Code Phishing, which tricks victims into completing what looks like a legitimate Microsoft login flow. Victims don't realize they're actually authorizing attackers to access their accounts. The attacker never needs to steal the password directly; the device code flow grants access automatically.
Why Are Security Teams Struggling to Stop It?
The visibility gap created by encryption is the core problem. Static URL checks and network-level controls can capture the initial encrypted response without ever seeing what the employee actually sees on their screen. This creates a dangerous delay between when the attack arrives and when it's detected. According to threat intelligence data, phishing exposure in 2026 has reached alarming levels across critical sectors:
- Consulting firms: 75.6% exposure to phishing attacks
- Financial services: 72.8% exposure
- Manufacturing: 71.9% exposure
- Technology companies: 67.9% exposure
- Banking sector: 66.7% exposure
- Managed security providers: 66.1% exposure
The consequences of this visibility gap are severe. A single compromised Microsoft 365 account can expose sensitive data, enable business email compromise and fraud, and trigger costly incident response efforts. The longer the attack stays hidden, the greater the chance that one account becomes a wider business incident.
How to Detect and Respond to Ghost Phishing
- Use browser-level sandboxing: Deploy interactive sandboxes that support in-browser data inspection, allowing analysts to see what happens after the page decrypts and watch the phishing content appear in the DOM
- Monitor DOM snapshots: Track when hidden pages change and user codes appear, revealing the moment the attack activates inside the browser
- Trace backend communication: Examine HTTP requests to reveal the backend communication behind the device-code flow and identify the final destination
- Automate investigation reports: Generate automated reports with AI summaries and recommended next steps to speed handoffs from Tier 1 to senior analysts
- Collect indicators of compromise: Gather domains, endpoints, hashes, and infrastructure details for further hunting and detection rule creation
The most effective defense is to expose ghost phishing before it costs the business. Inside interactive sandboxes, security analysts can move beyond the encrypted response and see what happens after decryption. They can watch the phishing content appear in the DOM, connect the change to backend requests, and trace the Microsoft device code back to its source endpoint.
What Does This Mean for Your Organization?
The EvilTokens case exposes an uncomfortable truth: an email can pass inspection while the real attack waits inside the browser. Without browser-level visibility, security operations centers (SOCs) are forced to make high-stakes decisions with incomplete evidence. That delay gives attackers more time to gain access, expand their reach, and turn one compromised Microsoft 365 account into a costly business incident.
Organizations need to shrink the exposure window before a compromised account becomes a wider incident. This means giving Tier 1 analysts enough evidence to resolve more cases without escalation, accelerating containment with complete attack context available from the first alert, and improving detection coverage using browser behavior and repeatable attack patterns.
Modern phishing no longer reveals itself fully in the email or initial URL response. Security teams need visibility that follows the attack into the browser and exposes it before the business pays the price.