Ghost Phishing Tactics Evade Traditional Email Security Measures

A recent wave of sophisticated phishing attacks, known as ‘ghost phishing,’ is challenging traditional email security protocols by concealing malicious content until it is decrypted within the victim’s browser. This method has been prominently utilized in the EvilTokens campaign, which has targeted businesses across the United States and Europe.

In these attacks, cybercriminals employ Microsoft Device Code Phishing techniques to deceive users into completing legitimate Microsoft login processes. Unbeknownst to the victims, this grants unauthorized access to their Microsoft 365 accounts. The phishing links appear benign during initial inspections, as the malicious content remains encrypted and only becomes active when decrypted by the browser.

The encryption of the phishing page’s HTML using AES-GCM ensures that static URL checks and network-level controls may not detect the threat. Consequently, organizations face prolonged exposure to potential account takeovers, delayed incident response, unauthorized access to sensitive data, increased workload for security analysts, and challenges in blocking related malicious infrastructure.

ANY.RUN’s Threat Intelligence indicates that the EvilTokens campaign has predominantly targeted sectors such as technology, manufacturing, education, banking, consulting, financial services, and managed security providers in the U.S. and Europe. Data from 15,000 organizations reveals significant phishing exposure in 2026, with consulting at 75.6%, financial services at 72.8%, manufacturing at 71.9%, technology at 67.9%, banking at 66.7%, and managed security service providers at 66.1%.

To effectively combat ghost phishing, security teams are advised to utilize interactive sandbox environments capable of inspecting in-browser data. Tools like ANY.RUN’s Interactive Sandbox allow analysts to observe the decryption process, monitor the appearance of phishing content in the Document Object Model (DOM), and trace malicious activities back to their origins. This approach enhances the detection and mitigation of such sophisticated phishing attempts.

The emergence of ghost phishing underscores the need for organizations to adopt advanced security measures that go beyond traditional email filtering. By leveraging interactive analysis tools and fostering a culture of cybersecurity awareness, businesses can better protect themselves against these evolving threats.