Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

New Ghost Phishing Wave Exposes Hidden Vulnerability in Traditional Email Security


A new type of phishing technique known as "ghost phishing" has emerged, targeting users across the US and Europe. Learn how to protect your organization from this sophisticated attack vector.

  • Ghost phishing "EvilTokens" attack vector is being targeted by attackers across the US and Europe, exposing a blind spot in traditional email security protocols.
  • The attack appears harmless during initial inspection but decrypts and comes to life inside the victim's browser, gaining unauthorized access to Microsoft 365 accounts and critical resources.
  • The attack uses "Microsoft Device Code Phishing" to convince victims to complete a legitimate login flow, authorizing access to their accounts without stealing passwords directly.
  • Traditional email security measures may capture only the initial response, rendering it invisible to static URL checks and network-level controls.
  • The attack can lead to several negative consequences, including prolonged exposure, delayed containment, unauthorized access, uncertain alerts, higher investigation costs, and incomplete evidence for blocking related infrastructure.



  • The email security landscape has undergone a significant shift, as a new type of phishing technique known as "ghost phishing" has emerged and is currently being targeted by attackers across the United States and Europe. This sophisticated attack vector has been dubbed "EvilTokens" and is designed to deceive even the most discerning users.

    According to recent data from ANY.RUN's Threat Intelligence, EvilTokens has already exposed a significant blind spot in traditional email security protocols. The phishing link appears harmless during initial inspection, but the malicious page remains hidden until it decrypts and comes to life inside the victim's browser. This creates an opening for attackers to gain unauthorized access to Microsoft 365 accounts, sensitive data, and other critical resources.

    The EvilTokens campaign is utilizing a technique known as "Microsoft Device Code Phishing," which convinces victims to complete a legitimate Microsoft login flow and unknowingly authorize access to their accounts. The attack does not require the password to be stolen directly, but rather relies on the victim's interaction with the malicious page.

    Once the page opens in the browser, its HTML is encrypted using AES-GCM, rendering it invisible to static URL checks and network-level controls. This means that traditional email security measures may capture only the initial response without revealing what the employee actually sees.

    As a result, the attack can lead to several negative consequences, including:

    * Longer exposure to Microsoft 365 account takeover
    * Delayed containment and response decisions
    * Unauthorized access to corporate email, files, and cloud services
    * More uncertain alerts escalated to senior analysts
    * Higher investigation workload and operational costs
    * Incomplete evidence for blocking related infrastructure

    The EvilTokens campaign is particularly concerning because it highlights a significant gap in traditional email security protocols. The attack can remain hidden until the page opens in the browser, allowing attackers to gain access to critical resources without being detected.

    However, researchers have been able to uncover more information about the attack using ANY.RUN's Interactive Sandbox. By analyzing the decrypted HTML DOM and tracing the Microsoft device code back to the /api/device/start endpoint, security teams can gain a better understanding of how the page behaves and what it requests.

    The analysis session also reveals that the full attack flow can be exposed by opening suspicious links in a sandbox that supports in-browser data inspection. This allows analysts to watch the phishing content appear in the DOM, connect the change to a Fetch/XHR request, and trace the Microsoft device code back to its source.

    Furthermore, ANY.RUN's Threat Intelligence has found that EvilTokens is concentrated across several regions, including technology, manufacturing, education, banking, consulting, financial services, and managed security providers. This overlap highlights the importance of addressing this vulnerability in all sectors.

    In response to this emerging threat, security leaders are advised to take immediate action to address the ghost phishing blind spot. By reducing exposure, incident costs, and account takeover risk, organizations can minimize the impact of this attack.

    To achieve this, teams must close the visibility gap by using sandboxing tools that support in-browser data inspection. This allows analysts to gather complete evidence of what happens after the page decrypts and can help prevent further damage.

    By taking proactive steps to address ghost phishing, security teams can ensure that their organizations remain protected against this emerging threat.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/New-Ghost-Phishing-Wave-Exposes-Hidden-Vulnerability-in-Traditional-Email-Security-ehn.shtml

  • https://thehackernews.com/2026/07/new-ghost-phishing-wave-is-breaking.html


  • Published: Wed Jul 8 10:41:20 2026 by llama3.2 3B Q4_K_M













    © Ethical Hacking News . All rights reserved.

    Privacy | Terms of Use | Contact Us