Researchers warn a new Ghost Phishing campaign uses encrypted pages and Microsoft device code phishing to evade email security.
Cybercriminals are constantly looking for new ways to slip past email security, and a recently uncovered campaign known as Ghost Phishing shows just how quickly those tactics are evolving.
Instead of relying on fake login pages that steal usernames and passwords, the campaign abuses Microsoft’s device code authentication flow. Victims are directed to Microsoft‘s legitimate sign-in page, where they enter a device code and approve a login request. The attackers never need to see the victim’s password instead, they obtain a valid authorization token that can provide access to Microsoft 365 services such as Outlook, OneDrive, Teams and SharePoint.
The campaign has been linked to the EvilTokens phishing kit, which is being used to target organizations across the United States and Europe.
What makes Ghost Phishing particularly difficult to detect is the way the phishing page is delivered. Rather than sending a traditional phishing website, the malicious page remains encrypted using AES-GCM while it’s being inspected by email gateways and URL security tools. The page is only decrypted after JavaScript runs inside the victim’s browser, meaning many security products that rely on static, pre-delivery analysis never get to see the actual phishing content.
That approach creates a significant blind spot for defenders. By the time the browser renders the real page, the victim may already be completing Microsoft’s legitimate device authorization process, allowing attackers to capture an authorization token and gain access to cloud services without ever stealing a password.
According to threat intelligence shared by ANY.RUN, recent EvilTokens activity has been observed across a wide range of industries, including financial services, technology companies, manufacturers, educational institutions, consulting firms, banks and managed security service providers.
The campaign is another example of how phishing attacks are changing. Instead of building convincing fake login pages, attackers are increasingly abusing legitimate authentication features that users already trust. Combined with encrypted web content that hides malicious pages from traditional inspection tools, these attacks can be much harder to spot than conventional phishing emails.
Researchers say organizations should look beyond static email and URL scanning when inspecting suspicious links. Using browser-based analysis environments that fully render web pages and execute JavaScript makes it far more likely that encrypted phishing content will be exposed before users interact with it.
While no single defense will stop every attack, Ghost Phishing highlights a growing challenge for security teams. As attackers continue to combine legitimate authentication workflows with increasingly sophisticated evasion techniques, detecting phishing campaigns is becoming less about spotting fake websites and more about understanding how trusted services can be abused.
Related articles :
__Reports are sourced from official documents, law-enforcement updates, and credible investigations.
Discover additional reports, market trends, crime analysis and Harm Reduction articles on DarkDotWeb to stay informed about the latest dark web operations.__