[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fYgmFye2wFcQ-gb2T_LVu3J9CKffyXveloFpiVACmNrE":3},{"article":4,"iocs":50},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":27,"category":28,"article_tags":32},"34de6509-6fea-4760-bc7a-a0a73e31c7bc","New Ghost Phishing Wave Is Breaking Traditional Email Security","new-ghost-phishing-wave-is-breaking-traditional-email-security-a4bf32","A recent EvilTokens campaign targeting businesses across the US and Europe is exposing a new email security blind spot. This “ghost phishing” technique keeps the malicious page hidden until it decrypts and comes to life inside the victim’s browser. For security leaders, the risk is clear: traditional URL checks may miss the attack while Microsoft 365 access, sensitive data, and response time","A new 'ghost phishing' campaign by the EvilTokens threat actor is bypassing traditional email security by hiding malicious pages until they decrypt within the victim's browser. This technique, which leverages Microsoft Device Code Phishing, allows attackers to gain unauthorized access to Microsoft 365 accounts without directly stealing passwords. The attack flow, observed in ANY.RUN's sandbox, targets businesses across the US and Europe, particularly in sectors like consulting, financial services, and manufacturing.","New 'ghost phishing' campaign uses encrypted pages to bypass email security.","New Ghost Phishing Wave Is Breaking Traditional Email Security The Hacker NewsJul 08, 2026 A recent EvilTokens campaign targeting businesses across the US and Europe is exposing a new email security blind spot. This “ghost phishing” technique keeps the malicious page hidden until it decrypts and comes to life inside the victim’s browser. For security leaders, the risk is clear: traditional URL checks may miss the attack while Microsoft 365 access, sensitive data, and response time are already at stake. The Email Looks Safe. The Browser Tells a Different Story A recent EvilTokens attack shows how a phishing link can appear harmless during initial inspection while still leading to Microsoft 365 account takeover. The kit uses Microsoft Device Code Phishing to convince victims to complete a legitimate Microsoft login flow and unknowingly authorize access to their accounts. It does not need to steal the password directly. The real attack remains hidden until the page opens in the browser. Its HTML is encrypted with AES-GCM and becomes visible only after the browser decrypts it and renders the phishing content in the DOM. As a result, static URL checks and network-level controls may capture the initial response without seeing what the employee actually sees. This visibility gap can lead to: Longer exposure to the Microsoft 365 account takeover Delayed containment and response decisions Unauthorized access to corporate email, files, and cloud services More uncertain alerts escalated to senior analysts Higher investigation workload and operational costs Incomplete evidence for blocking related infrastructure The complete attack flow, however, was uncovered inside ANY.RUN’s Interactive Sandbox. Explore the analysis session to see what the browser revealed and how teams can use this evidence to respond faster. Check recent EvilTokens attack and get relevant IOCs Complicated ghost phishing revealed inside ANY.RUN’s sandbox Where Ghost Phishing Is Hitting Hardest ANY.RUN’s Threat Intelligence shows recent EvilTokens activity concentrated across the US and Europe, targeting technology, manufacturing, education, banking, consulting, financial services, and managed security providers. ANY.RUN’s TI shows threat activity targeting specific regions The overlap is hard to ignore. Based on ANY.RUN’s sandbox submissions data from 15,000 organizations, phishing exposure in 2026 reached 75.6% in consulting, 72.8% in financial services, 71.9% in manufacturing, 67.9% in technology, 66.7% in banking, and 66.1% among MSSPs. This makes hidden phishing especially dangerous for these sectors. One compromised Microsoft 365 account can expose sensitive data, enable business email compromise and fraud, and trigger costly incident response. The longer the attack stays hidden, the greater the chance that one account becomes a wider business incident. Stop hidden phishing before it costs your business. Reduce exposure, incident costs, and account takeover risk. Close Visibility Gap Make the Ghost Visible Before the Business Pays the Price The most effective way to expose ghost phishing is to open suspicious links in a sandbox that supports in-browser data inspection. Inside ANY.RUN’s Interactive Sandbox, analysts move beyond the encrypted AES-GCM response and see what happens after the page decrypts. They can watch the phishing content appear in the DOM, connect the change to a Fetch\u002FXHR request, and trace the Microsoft device code back to the \u002Fapi\u002Fdevice\u002Fstart endpoint. The decrypted HTML DOM viewed in the in-browser data investigation panel The in-browser data view brings the full attack flow into one investigation: DOM snapshots show when the hidden page changes and the user code appears. HTTP requests reveal the backend communication behind the device-code flow. URL details expose the final destination and triggered detection signatures. Indicators provide domains, endpoints, hashes, and infrastructure for further hunting. Instead of reconstructing the attack manually, teams get direct evidence of how the page behaves, what it requests, and which artifacts support containment and detection. DOM snapshots displaying the decrypted code From Browser-Level Evidence to a Clearer SOC Handoff To carry this evidence from Tier 1 to Tier 2, the investigation automatically generates a report with an AI summary and recommended next steps. Auto-generated report from EvilTokens analysis session Instead of rebuilding the case from raw browser data, senior analysts receive the key findings, observed behavior, indicators, and response context in one place. This makes handoffs faster, reduces repeated work, and helps teams move from validation to containment with less delay. Stop Ghost Phishing in the Browser Before It Reaches the Business The EvilTokens case exposes an uncomfortable truth: an email can pass inspection while the real attack waits inside the browser. Without browser-level visibility, the SOC is forced to make high-stakes decisions with partial evidence. That delay gives attackers more time to gain access, expand their reach, and turn one compromised Microsoft 365 account into a costly business incident. This helps security leaders: Shrink the exposure window before a compromised account becomes a wider incident Reduce pressure on senior analysts by giving Tier 1 enough evidence to resolve more cases Accelerate containment with complete attack context available from the first escalation Improve detection coverage using browser behavior, infrastructure, and repeatable attack patterns Lower the cost of phishing response by cutting manual investigation and duplicated work Make risk decisions with evidence instead of relying on clean scans or inconclusive verdicts Modern phishing no longer reveals itself fully in the email or initial URL response. Security teams need visibility that follows the attack into the browser and exposes it before the business pays the price. Reduce business exposure: Give analysts full browser evidence to contain ghost phishing faster and stop one compromised account from escalating into a costly incident. Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  account takeover, browser security, Cloud security, Cyber Attack, email security, Incident response, Microsoft Security, Phishing, SOC, Threat Intelligence ⚡ Top Stories This Week ThreatsDay: AI Compute Hijacking, Apple Email Flaw, BlueHammer Ransomware + 14 Stories Chrome Ad Blocker with 10M+ Installs Found with Dormant Script Injection Capability New DirtyClone Linux Kernel Flaw Lets Local Users Gain Root via Cloned Packets Amazon Q Developer Flaw Could Let Malicious Repos Run Code via MCP Configs New Linux pedit COW Exploit Enables Root Access by Poisoning Cached Binaries OpenAI Previews GPT-5.6 Sol With Restricted Access and Stronger Cyber Safeguards FBI Warns Russian Intelligence Hackers Target Signal Backup Recovery Keys Public PoC Released for Critical libssh2 CVE-2026-55200 Client-Side SSH Flaw Microsoft Removes 119 Edge Extensions That Hid Malware in Images and Fonts ⚡ Weekly Recap: Linux Kernel Flaws, AI Malware Tricks, Turla Backdoor, Infostealers and More Mustang Panda Uses Zoho WorkDrive as Command Channel in Indian Government Attacks WhatsApp is Finally Getting Usernames to Help Keep Phone Numbers Private Oracle E-Business Suite Flaw CVE-2026-46817 Actively Exploited in the Wild New BioShocking Attack Tricks AI Browsers Into Leaking User Credentials AirDrop and Quick Share Flaws Let Nearby Attackers Trigger Crashes and Bypass Checks 282 iOS AI Apps Leak API Keys and Open AI Proxy Access in Network Traffic Study GuardFall Exposes Open-Source AI Coding Agents to Decades-Old Shell Injection Risks Microsoft Warns Poisoned MCP Tool Descriptions Can Make AI Agents Leak Data RustDuck Botnet Rebuilds in Rust to Hijac","https:\u002F\u002Fthehackernews.com\u002F2026\u002F07\u002Fnew-ghost-phishing-wave-is-breaking.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEgl6gaxMQBH0Bjb1ZhuaOiM5gKEk-zuSf821eRfV33ogx6YWwENunjyOPF8VXHtgtHgIevENLfBV2O04QI4TtjtDe2PGGevWptQEEagmp6q-G4FqOankGokz70XzVtz7dmNbEZ5G7-pV0yINgd2-ima7ap8xeOxuhZBKw2WPoUo81wKmGrwsPxbzYkW5Wk\u002Fs1600\u002Fanyrun-main.jpg","2026-07-08T13:00:00+00:00","2026-07-08T16:00:10.707844+00:00",8,[18,21,24],{"name":19,"type":20},"EvilTokens","threat_actor",{"name":22,"type":23},"Microsoft 365","product",{"name":25,"type":26},"Microsoft Device Code Phishing","technology","e7b231c8-5f79-4465-8d38-1ef13aea5a14",{"id":27,"icon":29,"name":30,"slug":31},null,"Threat Intelligence","threat-intelligence",[33,38,43,48],{"category":34},{"id":35,"icon":29,"name":36,"slug":37},"26b0b636-0e31-4db1-bffb-61bdf9f20a58","Supply Chain","supply-chain",{"category":39},{"id":40,"icon":29,"name":41,"slug":42},"2c8f44d4-b56e-47cf-9677-04f22c9ee78d","Identity & Access","identity-access",{"category":44},{"id":45,"icon":29,"name":46,"slug":47},"89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5","Malware","malware",{"category":49},{"id":27,"icon":29,"name":30,"slug":31},[51],{"type":47,"value":19,"context":52},"Threat actor\u002Fcampaign name associated with ghost phishing"]