Identity & Access, Jun 30, 2026

New EvilTokens Attack Exposes Browser Visibility Gap in Enterprise SOCs

EvilTokens phishing attack hides account takeover clues until browser execution, exposing SOC visibility gaps.

Summary

EvilTokens is a phishing campaign targeting Microsoft 365 users across banking, technology, education, and manufacturing sectors in the US and Europe. The attack uses AES-GCM encryption to hide malicious payloads until browser execution, making static URL analysis ineffective and creating delays in threat validation. The attack abuses Microsoft's Device Code authentication flow to gain access without directly stealing credentials.

Full text

EvilTokens phishing hides takeover clues until browser execution, leaving SOC teams needing deeper visibility to validate threats faster and reduce account risk.

by Owais Sultan, June 30, 2026 (4 minute read)

Disclosure: This article was provided by ANY.RUN. The information and analysis presented are based on their research and findings.

A new EvilTokens attack shows how modern phishing can hide critical evidence from enterprise SOCs until the page runs inside the browser. The case highlights a growing visibility gap in phishing triage: suspicious URLs may appear incomplete at first, while the real account takeover flow is revealed only after execution. For security leaders, that gap can mean slower investigations, delayed response, and higher business risk.

EvilTokens Continues to Target Enterprise Organizations

According to recent ANY.RUN Threat Intelligence data, EvilTokens activity remains concentrated in the United States and Europe, targeting organizations that rely heavily on Microsoft 365 for daily operations. Recent campaigns have affected industries including:

  • Banking
  • Technology
  • Education
  • Manufacturing
  • Financial services
  • Managed security services

For these organizations, the compromise of a single Microsoft 365 account can expose sensitive business communications, cloud resources, and connected enterprise services. As attacks increasingly rely on hidden browser-side behavior, quickly validating phishing threats becomes critical for limiting business impact.

Why This Creates Pressure on SOC Teams

The challenge for SOC teams is speed. When a phishing page hides key evidence until browser execution, analysts cannot rely on the first URL check alone to make a confident decision. That delay can increase Tier 1 workload, push more cases to senior analysts, and slow containment when account access is at risk. For enterprise teams handling high alert volumes, even small gaps in visibility can quickly turn into higher response costs.

How EvilTokens Hides Account Takeover Activity

Unlike traditional phishing kits that immediately display a fake login page, EvilTokens abuses Microsoft’s legitimate Device Code authentication flow to gain access without stealing credentials directly. In this attack, the phishing page is delivered as an AES-GCM encrypted payload and remains hidden until browser-side JavaScript decrypts and renders it. That means static URL analysis may capture only the encrypted response, while the real phishing page, user code, and OAuth workflow remain invisible until execution.

Figure: EvilTokens attack revealed inside ANY.RUN’s sandbox in around 1 minute with the help of in-browser data inspection

This is where browser-level visibility becomes essential. With in-browser data investigation in ANY.RUN’s Interactive Sandbox, security teams can observe the complete phishing workflow after execution, validate malicious behavior, and collect the evidence needed to respond with confidence.

In a recent EvilTokens analysis, the full attack chain became visible in about a minute. Analysts could immediately review the rendered phishing page, browser-generated HTTP requests, DOM changes, and OAuth device-code activity from a single investigation interface.

Figure: EvilTokens HTTP response body containing the AES-GCM-encrypted landing page

From One EvilTokens Case to Wider Campaign Visibility

A single EvilTokens attack can quickly point to broader phishing activity. In this analysis, the code exposed in the DOM triggered the Microsoft OAuth device-code phishing signature, giving analysts a starting point for wider investigation in ANY.RUN Threat Intelligence.

Figure: URL details displayed inside ANY.RUN’s Interactive Sandbox

From there, teams can search for other analyses with the same signature, review related device-code phishing activity, and identify similar code patterns across campaigns beyond EvilTokens.

Figure: Search for other attacks that triggered the “Microsoft OAuth device-code phishing has been detected” signature

For security leaders, this turns one suspicious URL into broader campaign visibility, helping teams improve hunting, prioritize response, and strengthen detection before similar attacks reach more users.

How Full Browser Visibility Reduces SOC Risk

Full browser visibility helps security teams reduce the time and uncertainty between the first alert and the response decision. With ANY.RUN’s in-browser data investigation, SOC teams can:

  • Reduce exposure time by confirming malicious URL behavior earlier in the investigation.
  • Lower analyst workload by cutting the manual effort needed to rebuild hidden phishing flows.
  • Improve escalation quality by giving Tier 2 and IR teams clearer evidence from the start.
  • Protect senior resources by helping Tier 1 analysts close or confirm more cases independently.
  • Strengthen detection coverage by turning browser evidence and threat context into better hunting logic.
  • Reduce business impact by acting before phishing activity turns into account compromise or wider incident response.

For security leaders, the value is not just faster analysis. It is a more efficient SOC, shorter response cycles, and less risk from phishing attacks that hide their behavior inside the browser.

Reduce Enterprise Risk with Faster Phishing Validation

As phishing attacks continue to rely on hidden browser behavior, the ability to validate threats quickly is becoming a competitive advantage for enterprise security teams. By giving analysts full browser visibility from the start of an investigation, organizations can shorten response times, reduce unnecessary escalations, and limit the operational impact of phishing incidents. Teams using ANY.RUN report MTTD as low as 15 seconds and MTTR reduced by up to 21 minutes per case, helping SOCs move from uncertainty to action much faster.

Close the browser visibility gap: give your SOC the evidence to validate phishing faster, reduce enterprise risk, and respond before suspicious URLs become costly incidents.

Indicators of Compromise

  • malware — EvilTokens

Entities

  • EvilTokens (campaign)
  • Microsoft 365 (product)
  • Device Code authentication flow (technology)
  • AES-GCM encryption (technology)