A new EvilTokens ghost phishing campaign uses client side AES GCM encryption to hide malicious content from email scanners while silently stealing Microsoft 365 OAuth tokens through device code flow abuse targeting consulting financial and manufacturing sectors worldwide
A new phishing campaign named EvilTokens currently running across the United States and Europe has introduced a technique researchers now call ghost phishing. It uses client side AES GCM encryption to hide its malicious payload from every automated email security scanner so that the threat only becomes visible after a real human opens the link in a live browser. Security researchers at ANY.RUN documented this pattern after analyzing sandbox submissions from fifteen thousand organizations and confirmed that conventional email gateways consistently fail to detect it.
The campaign combines this encryption evasion layer with Microsoft OAuth 2.0 Device Code Flow abuse allowing attackers to steal live access tokens and refresh tokens without ever needing the victim’s password or defeating multi factor authentication in any conventional sense. Once a victim enters the device code on the legitimate Microsoft verification page the attacker’s server silently receives a fully authorized session token and gains complete access to Microsoft 365 email OneDrive and Teams.
Sector exposure data from ANY.RUN shows phishing exposure in 2026 reaching 75.6 percent in consulting 72.8 percent in financial services 71.9 percent in manufacturing and 66.7 percent in banking making this campaign a direct threat to the organizations that hold the most sensitive financial and client data across modern enterprise environments.
What Happened
Between early July 2026 security researchers at ANY.RUN published findings documenting a new and active phishing wave targeting businesses across the United States and Europe under the campaign name EvilTokens. Unlike conventional phishing attacks that embed visible malicious content inside HTML files or redirect victims through suspicious looking domains this campaign encrypts its entire payload using AES GCM encryption before delivery.
The outer email and link contain nothing that automated security tools can flag as dangerous. The malicious content only exists inside an encrypted blob that only decrypts after a live human opens it inside a real browser session triggering a JavaScript decryption routine client side.
The campaign targets Microsoft 365 accounts specifically and uses two overlapping techniques. The first involves fake Microsoft 365 login overlays rendered after decryption. The second and more technically significant involves Microsoft OAuth 2.0 Device Code Flow abuse through tooling researchers linked to the wider EvilTokens infrastructure and adjacent platforms including Kali365 which the FBI flagged in May 2026 public service announcement I-052126 as actively hijacking Microsoft 365 accounts across hundreds of organizations.
Technical Details
The ghost phishing technique works because email security tools typically analyze link destinations by fetching the page source and scanning its content at the network layer. The EvilTokens campaign page source contains only an encrypted AES GCM blob with no visible malicious JavaScript no suspicious redirects and no content that signature based or reputation based tools can classify as harmful. The decryption key and routine exist inside the page itself and only execute when a real browser loads and runs the JavaScript in a live interactive session.
After decryption runs the page renders a Microsoft 365 login interface or a device code authentication prompt. The device code flow component represents the most technically precise element of the operation. The attacker requests a fresh device code from Microsoft legitimate authentication endpoint. Microsoft returns a user code and verification URI.
The attacker embeds that code into the phishing lure and directs the victim to the real Microsoft devicelogin page. The victim enters the code and completes their own MFA challenge on the legitimate Microsoft URL. The moment that authentication succeeds the attacker’s polling loop receives a complete token set including access token and refresh token granting full account access.
The stolen refresh token persists independently of the victim’s password. Resetting the account password after discovering a compromise does nothing to invalidate an already issued refresh token. The attacker retains full access until an administrator explicitly revokes all active sessions and tokens through the Microsoft Entra ID portal. In documented cases attackers registered new MFA devices within ten minutes of initial compromise to generate a Primary Refresh Token ensuring persistent long term access even after the original stolen token would eventually expire.
Post compromise activity followed a deliberate pattern. Attackers created malicious inbox rules to hide replies to external messages they sent using the victim’s account and in some cases waited several hours before beginning data exfiltration specifically to avoid triggering anomaly alerts tied to immediate post login activity spikes.
Who Is Affected
ANY.RUN sandbox data from fifteen thousand organizations confirms the following 2026 sector exposure rates for ghost phishing style attacks.
Consulting sector faces 75.6 percent exposure. Financial services faces 72.8 percent. Manufacturing faces 71.9 percent. Technology sector faces 67.9 percent. Banking faces 66.7 percent. Managed security service providers face 66.1 percent exposure.
Any organization running Microsoft 365 across these sectors without phishing resistant authentication controls and without device code flow restrictions through Conditional Access policy faces direct exposure to this campaign. C suite executives senior finance personnel and account managers at consulting firms represent the highest value targets because their accounts typically connect to client financial systems merger documentation and payment workflows.
Microsoft’s broader Q1 2026 email threat analysis detected 8.3 billion email based phishing threats between January and March with QR code phishing volumes jumping from 7.6 million in January to 18.7 million in March confirming that the threat landscape surrounding Microsoft 365 accounts accelerated sharply throughout the first half of 2026.
How the Attack Works
Step one involves the victim receiving a legitimate looking phishing email using business contract invoice or document sharing themes with a link that passes every automated email security check because the destination page contains only encrypted content at the network analysis layer.
Step two involves the victim opening the link in a real browser where the JavaScript decryption routine fires client side and renders either a fake Microsoft 365 login overlay or a device code prompt with instructions directing the victim to the real Microsoft verification page.
Step three involves the victim entering the attacker supplied device code at the legitimate microsoft.com/devicelogin URL and completing their own MFA challenge believing the request originated from a device they initiated.
Step four involves the attacker’s server detecting the successful authentication through its polling loop and receiving the full access token and refresh token set while the victim gets redirected to a harmless looking placeholder page showing a document or confirmation screen.
Step five involves the attacker using the stolen tokens to access the victim’s Microsoft 365 account including Outlook inbox OneDrive files Teams conversations and any connected enterprise applications while the victim remains completely unaware the session was ever compromised.
Why This Matters
Ghost phishing with client side decryption represents a fundamental shift in how phishing evades detection. Every previous generation of email security improvement from URL reputation checking to HTML analysis to sandbox detonation worked by analyzing what a link or attachment contains at the point of delivery. Ghost phishing moves the malicious content past all those inspection points by ensuring that content simply does not exist in any scannable form until a human user triggers it in a live browser.
The combination of this evasion technique with device code flow abuse creates a compounded defense failure. MFA protects the authentication moment not the authenticated session. Once a token gets issued to the attacker’s polling client that token carries the same trust level as any legitimately issued session. Standard incident response advice around resetting compromised passwords offers no protection here because the attacker never needed the password and resetting it leaves the active stolen session completely intact.
The industrialization of this attack class makes the threat worse. Kali365 sells device code phishing as a service starting at 250 dollars per month. Access to similar tooling starts at 120 dollars. These platforms support multiple languages offer AI generated lures and include real time tracking dashboards meaning the skill barrier to running a sophisticated Microsoft 365 token theft campaign effectively reached zero by mid 2026.
Mitigation and Recommendations
Disable device code flow through Conditional Access. Organizations should audit whether any legitimate business workflow actually requires device code authentication and block this flow for all users and service principals that have no genuine operational need for it. This single control removes the primary exploitation path EvilTokens depends on.
Enforce phishing resistant MFA. FIDO2 hardware security keys and Microsoft Authenticator with passkey support bind authentication to specific devices in ways that device code flow abuse cannot replicate. Avoid SMS and telephony based MFA for any high value accounts.
Revoke sessions and tokens immediately after suspected compromise. Resetting a password after a device code phishing attack does nothing. Administrators must explicitly revoke all active sessions and refresh tokens through Microsoft Entra ID and then force a full reauthentication from every device before restoring normal access.
Monitor for DeviceCodeSignIn events. Microsoft Entra ID logs these separately from standard interactive sign ins. Any DeviceCodeSignIn completing for an account with no corresponding device enrollment record warrants immediate investigation.
Alert on post compromise indicators. New MFA method registration immediately after a sign in anomaly suspicious inbox rule creation and first time large volume mail behavior from an account all represent high confidence compromise indicators.
Use interactive sandboxes for link analysis. ANY.RUN and similar tools that support full in browser rendering can expose ghost phishing pages by actually decrypting and rendering their content rather than only analyzing static source. This changes detection from impossible to reliable for security operations teams.
Train users on device code context not URL checking. Any device code arriving through an email link rather than directly from a device the user personally initiated a login on should get treated as a confirmed phishing attempt regardless of the legitimacy of the surrounding Microsoft branded page.
Final Thoughts
Ghost phishing resets the baseline assumption that checking a URL or running a link through an email gateway provides meaningful protection against modern credential theft. The EvilTokens campaign built an attack chain where every element a victim sees during the attack belongs to a legitimate trusted service while the stolen artifact travels invisibly to an attacker server through a Microsoft authentication protocol working exactly as designed.
The only durable defense combines phishing resistant authentication at the identity layer with behavioral detection at the session layer and full browser rendering at the email analysis layer. Organizations that still treat multi factor authentication as their final line of identity defense need to reassess that position immediately because the attack campaigns dominating 2026 treat MFA as a step to complete rather than a barrier to overcome.