What happened
Researchers have uncovered a new phishing campaign using the EvilTokens phishing kit that employs a technique known as “ghost phishing” to bypass traditional email security controls. The campaign primarily targets organizations across the United States and Europe and focuses on compromising Microsoft 365 accounts through Microsoft’s legitimate Device Code Authentication process.
Unlike conventional phishing attacks that steal usernames and passwords, this campaign tricks users into authorizing attacker access through a valid Microsoft login flow. Victims are prompted to enter a legitimate device code, unknowingly granting attackers access to their Microsoft 365 accounts without revealing their credentials.
What makes the campaign particularly dangerous is its use of encrypted phishing pages. The malicious HTML content is protected using AES-GCM encryption, remaining hidden during initial URL and network inspections. The phishing page only becomes visible after it is decrypted and rendered inside the victim’s browser, creating a significant visibility gap for many security tools.
Researchers from ANY.RUN demonstrated that traditional static URL analysis may identify the link as harmless because it cannot observe the malicious content after browser-side decryption.
Who is affected
Threat intelligence indicates the campaign is primarily targeting organizations in the United States and Europe across multiple industries. Sectors seeing the highest levels of phishing activity include consulting, financial services, manufacturing, technology, banking, education, managed security service providers (MSSPs), and other enterprise organizations.
Because the attack targets Microsoft 365 accounts, a successful compromise can provide attackers with access to corporate email, cloud storage, documents, collaboration platforms, and sensitive business communications. This can also increase the risk of business email compromise (BEC), data theft, and lateral movement within an organization.
Why CISOs should care
Ghost phishing highlights a growing limitation in traditional phishing defenses. Security gateways and URL scanners may inspect the initial webpage but fail to detect malicious content that only appears after browser-side decryption.
This delay can slow incident response, increase investigation workloads, and allow attackers additional time to establish persistence inside compromised Microsoft 365 environments. As phishing techniques continue to evolve, security teams need visibility beyond email filtering and network traffic to understand how web content behaves once it reaches an employee’s browser.
Browser-level analysis and interactive sandboxing can provide analysts with a clearer view of phishing behavior, helping security teams identify malicious infrastructure, collect indicators of compromise, and accelerate containment before an isolated phishing attempt becomes a broader security incident.
3 practical actions
- Deploy browser-aware analysis or sandboxing solutions capable of observing phishing pages after browser rendering and decryption.
- Strengthen Microsoft 365 security with phishing-resistant authentication methods such as FIDO2 security keys and Conditional Access policies while monitoring for suspicious Device Code Authentication requests.
- Train employees to recognize device code phishing techniques and establish rapid reporting procedures for unexpected Microsoft authentication prompts.

