New Ghost Phishing Wave Is Breaking Traditional Email Security
A new "ghost phishing" campaign named EvilTokens bypasses traditional email security by encrypting malicious HTML with AES-GCM, rendering the attack invisible until it decrypts within the victim's browser DOM. The technique leverages Microsoft Device Code Phishing to trick users into authorizing access via legitimate login flows, enabling account takeover without stealing passwords directly. Static URL checks and network-level controls fail to detect this threat because they only see the encrypt
Analysis
TL;DR
- A new "ghost phishing" campaign named EvilTokens bypasses traditional email security by encrypting malicious HTML with AES-GCM, rendering the attack invisible until it decrypts within the victim's browser DOM.
- The technique leverages Microsoft Device Code Phishing to trick users into authorizing access via legitimate login flows, enabling account takeover without stealing passwords directly.
- Static URL checks and network-level controls fail to detect this threat because they only see the encrypted payload, creating a critical visibility gap for Security Operations Centers (SOCs).
- High-risk sectors including consulting (75.6%), financial services (72.8%), and manufacturing (71.9%) are disproportionately targeted, leading to increased exposure to Business Email Compromise (BEC) and data theft.
- Effective mitigation requires interactive sandboxing with in-browser data inspection to observe DOM changes and HTTP requests, allowing analysts to uncover hidden payloads and accelerate containment.
Why It Matters
This development highlights a significant evolution in phishing tactics where the attack surface shifts from the email client to the browser environment, rendering many existing perimeter defenses obsolete. For AI and security practitioners, it underscores the necessity of integrating dynamic, behavioral analysis tools that can inspect rendered web pages rather than relying solely on static signature or URL reputation checks. Addressing this blind spot is crucial for reducing mean time to detect (MTTD) and mean time to respond (MTTR) in high-value enterprise environments.
Technical Details
- Encryption Mechanism: The malicious landing page delivers HTML encrypted with AES-GCM, which remains inert during initial transmission and static analysis but decrypts and executes upon rendering in the browser.
- Authentication Bypass: Utilizes Microsoft Device Code Phishing, guiding victims through a standard Microsoft login interface to authorize OAuth tokens, thereby gaining persistent access to Microsoft 365 accounts without credential theft.
- Detection Evasion: By hiding the payload until the DOM is populated, the attack evades network proxies, email gateways, and static URL scanners that do not execute JavaScript or render HTML.
- Investigation Methodology: Detection relies on interactive sandbox environments (e.g., ANY.RUN) that monitor Fetch/XHR requests, track DOM snapshots for sudden content injection, and trace API calls to endpoints like
/api/device/start. - Data Exposure: Successful attacks lead to unauthorized access to corporate email, files, and cloud services, with significant prevalence reported in consulting, finance, and manufacturing sectors.
Industry Insight
Security teams must prioritize browser-based telemetry and dynamic analysis capabilities over static URL filtering to close the visibility gap created by encrypted or obfuscated web payloads. Implementing automated sandboxing workflows that generate AI-assisted summaries and actionable IOCs can significantly reduce the workload on Tier 2 analysts and accelerate incident containment. Organizations should also enforce strict monitoring of OAuth application permissions and device code flows to detect anomalous authorization patterns indicative of device code phishing.
Disclaimer: The above content is generated by AI and is for reference only.