VYPR
researchPublished Jul 8, 2026· 1 source

New 'Ghost Phishing' Wave Exploits Browser Decryption to Evade Email Security

A novel 'ghost phishing' campaign by EvilTokens uses browser-side decryption to hide malicious content, bypassing traditional email security checks and targeting Microsoft 365 accounts.

A sophisticated new phishing campaign, dubbed "ghost phishing" by researchers, is exploiting a critical blind spot in traditional email security defenses. The EvilTokens campaign, observed targeting businesses across the United States and Europe, employs a technique that keeps malicious content hidden until it is decrypted and rendered within the victim's web browser. This advanced method circumvents standard URL filtering and network-level security controls, posing a significant threat to sensitive data and access to cloud services like Microsoft 365.

The core of the attack lies in its ability to present a seemingly benign link during initial inspection, only to reveal its true malicious nature once opened in a browser. The campaign leverages Microsoft Device Code Phishing, a method that tricks victims into authorizing access to their accounts through a legitimate-looking Microsoft login flow, without necessarily stealing their passwords directly. The HTML content of the phishing page is encrypted using AES-GCM, ensuring it remains invisible to static analysis tools until the browser performs the decryption and populates the Document Object Model (DOM) with the phishing elements.

This 'visibility gap' between what security tools detect and what the end-user experiences in their browser creates a dangerous window of exposure. Security leaders face challenges in timely containment and response, as alerts may be uncertain, investigation workloads increase, and evidence for blocking related infrastructure can be incomplete. The attack flow, analyzed in detail within ANY.RUN's Interactive Sandbox, highlights how the browser's decryption process is the key enabler for this stealthy technique.

ANY.RUN's Threat Intelligence data indicates a concentration of EvilTokens activity in the US and Europe, with specific sectors like technology, manufacturing, education, banking, consulting, financial services, and managed security providers being prime targets. This focus is particularly concerning given the high rates of phishing exposure already reported in these industries, where a single compromised Microsoft 365 account can lead to extensive data breaches, business email compromise, and costly incident response efforts.

The effectiveness of ghost phishing underscores the limitations of relying solely on pre-browser security checks. To combat this evolving threat, security teams need visibility that extends into the browser's execution environment. Tools that can analyze in-browser data, such as DOM snapshots and network requests, are crucial for uncovering the full attack chain. By examining the decrypted HTML and tracing the device code authorization flow, security analysts can gather comprehensive evidence.

This browser-level evidence is vital for streamlining Security Operations Center (SOC) workflows. When an investigation automatically generates reports with AI summaries and recommended actions, it facilitates faster handoffs between Tier 1 and Tier 2 analysts. This reduces redundant work, accelerates containment, and allows teams to move from validation to remediation more efficiently, armed with complete attack context.

Ultimately, the rise of ghost phishing signifies a shift in attack methodologies, where the true payload is concealed until the final stage of execution within the user's browser. Organizations must adapt their security strategies to include solutions that provide deep in-browser visibility. By making these hidden attacks visible before they can inflict damage, security leaders can shrink exposure windows, reduce incident costs, and better protect their critical assets and user accounts from sophisticated account takeover schemes.

Synthesized by Vypr AI