Full Report
A recent EvilTokens campaign targeting businesses across the US and Europe is exposing a new email security blind spot. This “ghost phishing” technique keeps the malicious page hidden until it decrypts and comes to life inside the victim’s browser. For security leaders, the risk is clear: traditional URL checks may miss the attack while Microsoft 365 access, sensitive data, and response time
Analysis Summary
# Tool/Technique: Ghost Phishing (EvilTokens Campaign)
## Overview
Ghost Phishing is a sophisticated obfuscation technique used to bypass traditional email security gateways and automated URL scanners. In the context of the **EvilTokens** campaign, the malicious content remains encrypted and "invisible" during transit. The phishing page only decrypts and renders its malicious interface once it is loaded within a victim's live browser session, effectively hiding the true nature of the URL from static analysis tools.
## Technical Details
- **Type**: Phishing Technique / Phishing Kit (EvilTokens)
- **Platform**: Cross-platform (Web-based), specifically targeting Microsoft 365 users.
- **Capabilities**: Client-side decryption (AES-GCM), Microsoft Device Code phishing, evasion of static security scanners.
- **First Seen**: July 2026 (Campaign detailed in current reporting).
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
- **T1566.002 - Phishing: Spearphishing Link**
- **TA0006 - Credential Access**
- **T1528 - Steal Application Access Token**
- **T1647 - Multi-Factor Authentication Redirection** (Device Code Flow)
- **TA0005 - Defense Evasion**
- **T1132.001 - Data Encoding: Standard Encoding** (AES-GCM used for content obfuscation)
- **T1564 - Hide Artifacts** (Ghost Phishing)
## Functionality
### Core Capabilities
- **AES-GCM Encryption**: The HTML content of the phishing page is encrypted using AES-GCM. Security crawlers see only a generic script or encrypted blob, while the browser decrypts it into a functional phishing page.
- **Microsoft Device Code Flow Exploitation**: Unlike traditional phishing that steals passwords, this technique abuses the legitimate `/api/device/start` endpoint. It generates a "Device Code" which the user is prompted to enter into a legitimate Microsoft portal, thereby granting the attacker an OAuth token.
- **Dynamic DOM Rendering**: The malicious elements (forms, logos, and instructions) are injected into the Document Object Model (DOM) only after successful client-side decryption.
### Advanced Features
- **Security Scanner Evasion**: By delaying the display of malicious content until user interaction or browser execution, the tool bypasses "Time of Click" protection and static reputation checks.
- **Bypassing MFA**: Because the attack uses the legitimate Microsoft Device Code flow, it can effectively bypass many MFA configurations by having the user authorize the attacker's "device" via their own authenticated session.
## Indicators of Compromise
- **File Hashes**: (Specific hashes not listed in the article; analysis typically occurs within memory/browser DOM).
- **Network Indicators**:
- `microsoft[.]com/devicelogin` (Abused legitimate endpoint)
- `*/api/device/start` (Traffic associated with device code generation)
- [Note: Specific malicious C2/Hosting domains for the EvilTokens kit vary by campaign but are associated with decrypted Fetch/XHR requests.]
- **Behavioral Indicators**:
- High volume of AES-GCM decryption routines in the browser.
- Unexpected XHR/Fetch requests to Microsoft API endpoints immediately following the loading of a third-party URL.
## Associated Threat Actors
- **EvilTokens Campaign Operators**: Current targeting is focused on sectors including Technology, Manufacturing, Banking, and MSSPs across the US and Europe.
## Detection Methods
- **Behavioral Detection**: Monitoring for the specific "Device Code" flow sequence originating from unverified third-party referrers.
- **Interactive Sandboxing**: Using tools like ANY.RUN to perform in-browser inspection, allowing analysts to view the decrypted DOM snapshots and HTTP requests that occur after execution.
- **Heuristic Scanning**: Detecting scripts that contain large encrypted blobs (AES-GCM) paired with decryption logic designed to execute on page load.
## Mitigation Strategies
- **User Training**: Educate staff specifically on the **Microsoft Device Code flow**. Users should never enter a code into a Microsoft portal that they did not personally initiate.
- **Conditional Access Policies**: Implement strict policies in Microsoft 365 to restrict Device Code Flow authentication or limit it to known-managed devices.
- **Phishing-Resistant MFA**: Transition to FIDO2-based hardware keys to mitigate token theft and session hijacking.
- **Advanced Threat Protection (ATP)**: Use email security solutions that utilize dynamic "browser-level" isolation or sandboxing to inspect the final rendered state of a page.
## Related Tools/Techniques
- **Adversary-in-the-Middle (AiTM)**: Similar in goal (token theft) but uses a proxy rather than device code abuse.
- **Evilginx2 / Muraena**: Tools used for bypassing MFA through session cookie theft.
- **HTML Smuggling**: A related technique used to deliver malicious payloads hidden within HTML blobs.