VYPR
Research · Published Jun 24, 2026 · 1 source

EvilTokens Phishing Kit Bypasses Static Analysis by Encrypting Attack Flow in the Browser

EvilTokens, a device-code phishing kit, evades static URL analysis by delivering an AES-GCM encrypted payload that only renders after browser-side JavaScript decryption, hiding the Microsoft-branded authentication page from traditional scanners.

A new phishing kit dubbed EvilTokens is gaining attention for its ability to hide malicious content from static URL analysis: the attack flow is delivered encrypted and is rendered only after browser-side JavaScript decrypts it. According to an analysis by ANY.RUN, the kit abuses Microsoft's device code authentication flow and delivers an AES-GCM encrypted payload inside the initial HTML response, so the page content stays invisible until the script executes. This creates a significant visibility gap for security teams that rely on traditional URL scanning tools: the Microsoft-branded authentication page, the device code, and the victim instructions appear in the DOM only after decryption.

Device-code phishing campaigns powered by EvilTokens have already been linked to compromises across multiple organizations, so the danger is operational rather than a matter of the kit's novelty. Because the phishing content is encrypted, an analyst reviewing a suspicious URL may find little evidence in the initial page source, the network requests, or reputation data, while the real workflow stays hidden until the page executes in a browser. The result is slower triage, delayed confirmation of account takeover risk, and missed indicators of compromise (IOCs) that could otherwise feed hunting and detection.

The technical mechanism relies on AES-GCM encryption of the phishing page content, which is embedded in the initial server response. Only when browser-side JavaScript executes is the payload decrypted and the phishing content injected directly into the DOM. Because the browser must hold the decryption key, this is obfuscation aimed at scanners rather than confidentiality: anything that executes or instruments the script recovers the content, which is exactly what sandbox execution does (the analysis does not describe how the kit delivers the key). ANY.RUN's sandbox DOM timeline shows the moment the payload is decrypted and the phishing content appears, exposing the device code and other artifacts that were absent from the initial response. HTTP requests to /api/device/start and /api/device/status/<sessionId> additionally confirm how the device-code workflow operates; the endpoint names suggest a backend that initiates the device authorization request and lets the page poll until the victim has entered the code.

The impact of this visibility gap spans the whole investigation lifecycle. Triage is slower because the real page is not visible at first glance, confirmation of account takeover risk is delayed, and reconstructing the attack flow takes manual work. Unclear evidence makes escalation to Tier 2 or incident response teams harder, and missed IOCs reduce the opportunities for proactive threat hunting and detection rule creation. The longer gap between first alert and response action widens the window for successful credential theft.

To close this gap, ANY.RUN's sandbox provides browser-level visibility through its Browser Data tab, which consolidates HTML DOM changes, URL details, SSL certificates, DNS records, and HTTP requests into a single interface. In the analyzed EvilTokens session this view shows the point at which the encrypted payload is decrypted and the phishing content, including the device code, appears on the page. The URL Details view aggregates the final URL, domain information, SSL certificate, DNS records, request statistics, and triggered signatures, so the infrastructure can be assessed without switching between separate tools.

Once the phishing flow is confirmed, analysts can pivot into ANY.RUN Threat Intelligence to determine whether the activity belongs to a broader campaign. The URL Details view in this session shows a triggered Microsoft OAuth device-code phishing signature based on code found in the DOM; because it matches rendered content rather than the raw response, it can be used to search for other phishing resources with similar code patterns, including campaigns beyond EvilTokens. Threat intelligence also allows related EvilTokens activity to be reviewed by threat name and geography; this campaign appears mainly tied to the U.S. and Europe.

The EvilTokens campaign underscores a broader trend in phishing: kits increasingly rely on dynamic browser behavior to evade detection. Traditional static URL analysis, which examines server responses without executing JavaScript, is no longer sufficient to confirm malicious activity or extract full evidence. Without browser-level visibility, artifacts such as the encrypted payload, the DOM injection, and the device-code endpoints stay hidden, slowing triage and allowing campaigns to succeed. Browser-level analysis is not a complete answer on its own: a kit can fingerprint the sandbox or withhold the key from anything that does not look like the intended victim, so DOM-based signatures should be paired with identity-side controls, for example restricting the device code flow for users who do not need it. As attackers continue to adopt client-side encryption and dynamic delivery techniques, security teams must evolve their detection strategies to include browser-level analysis, enabling faster identification of hidden attack chains and reducing the window for credential theft.

Synthesized by Vypr AI