← All stories
● Covered by 1 source Β· 1 reportHigh impact

New Ghost Phishing Technique Targets Microsoft 365 Users

Aggregated by BrevFeed security Β· updated 2h ago
πŸ”– Save

The EvilTokens campaign is exploiting a new phishing method that leaves malicious pages hidden until they are activated in the browser. This bypasses traditional URL checks, increasing the risk of unauthorized access to Microsoft 365 accounts and sensitive data.

Key points

Overview of the Ghost Phishing Attack

The recent EvilTokens campaign has introduced a new phishing technique known as 'ghost phishing'. This method allows malicious web pages to remain hidden until they are activated in the victim's browser, thereby evading traditional email security checks.

In this approach, attackers leverage Microsoft Device Code Phishing, convincing users to complete a legitimate Microsoft login flow, which allows them to authorize access to their Microsoft 365 accounts without directly stealing passwords.

How the Attack Works

The malicious page's HTML is encrypted using AES-GCM, remaining unseen until decrypted by the browser. This means that initial security checks may fail to recognize the ongoing threat once the page is rendered in the victim's browser.

Consequently, organizations may experience delayed detection and response times, leaving Microsoft 365 accounts vulnerable for longer periods. This gap in visibility complicates incident response efforts and can lead to unauthorized access to important company data.

Impact on Security Operations

The introduction of ghost phishing has serious implications for security teams. The visibility gap can result in increased workloads, escalated alerts, and a higher operational cost due to longer investigation times and the potential for data breaches.

Reports from ANY.RUN indicate that sectors such as technology, banking, and education are particularly susceptible, with phishing exposure rates as high as 75.6% in consulting and over 66% in financial services and technology.

Conclusions and Recommendations

Organizations need to enhance their email security measures to combat new tactics like ghost phishing. This includes investing in technologies that allow for deeper inspection of content once it is rendered in browsers.

Security teams should consider adopting tools that utilize sandbox environments for analyzing suspicious links to better prepare for and respond to these kinds of phishing attacks.

✨ This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors β€” check the original sources. How BrevFeed works β†’

Primary sources

CVE CVE-2026-552008.1 HIGH CVE CVE-2026-468179.8 CRITICAL

Reporting from

The EvilTokens campaign is exploiting a new phishing method that leaves malicious pages hidden until they are activated in the browser. This bypasses traditional URL checks, increasing the risk of unauthorized access to Microsoft 365 accounts and sensitive data.