AI Security AI安全 2d ago Updated 2d ago 更新于 2天前 46

New Ghost Phishing Wave Is Breaking Traditional Email Security 新型幽灵网络钓鱼浪潮正在突破传统电子邮件安全防线

A new "ghost phishing" campaign named EvilTokens bypasses traditional email security by encrypting malicious HTML with AES-GCM, rendering the attack invisible until it decrypts within the victim's browser DOM. The technique leverages Microsoft Device Code Phishing to trick users into authorizing access via legitimate login flows, enabling account takeover without stealing passwords directly. Static URL checks and network-level controls fail to detect this threat because they only see the encrypt EvilTokens活动利用“幽灵钓鱼”技术,通过AES-GCM加密HTML并在浏览器端解密渲染,绕过传统静态URL和网络层检测。 攻击结合Microsoft Device Code Phishing,诱导受害者完成合法登录流程以授权访问账户,无需窃取密码即可接管Microsoft 365。 传统安全控制存在可见性盲区,导致响应延迟、证据不完整及运营成本增加,尤其威胁咨询、金融和制造业等高风险行业。 ANY.RUN交互式沙箱通过DOM快照、HTTP请求追踪和浏览器级数据检查,揭示解密后的恶意行为,提供完整的取证证据。 自动化报告生成与AI摘要功能优化了SOC的工作流,加速从一级到二级分析师的案

70
Hot 热度
65
Quality 质量
60
Impact 影响力

Analysis 深度分析

TL;DR

  • A new "ghost phishing" campaign named EvilTokens bypasses traditional email security by encrypting malicious HTML with AES-GCM, rendering the attack invisible until it decrypts within the victim's browser DOM.
  • The technique leverages Microsoft Device Code Phishing to trick users into authorizing access via legitimate login flows, enabling account takeover without stealing passwords directly.
  • Static URL checks and network-level controls fail to detect this threat because they only see the encrypted payload, creating a critical visibility gap for Security Operations Centers (SOCs).
  • High-risk sectors including consulting (75.6%), financial services (72.8%), and manufacturing (71.9%) are disproportionately targeted, leading to increased exposure to Business Email Compromise (BEC) and data theft.
  • Effective mitigation requires interactive sandboxing with in-browser data inspection to observe DOM changes and HTTP requests, allowing analysts to uncover hidden payloads and accelerate containment.

Why It Matters

This development highlights a significant evolution in phishing tactics where the attack surface shifts from the email client to the browser environment, rendering many existing perimeter defenses obsolete. For AI and security practitioners, it underscores the necessity of integrating dynamic, behavioral analysis tools that can inspect rendered web pages rather than relying solely on static signature or URL reputation checks. Addressing this blind spot is crucial for reducing mean time to detect (MTTD) and mean time to respond (MTTR) in high-value enterprise environments.

Technical Details

  • Encryption Mechanism: The malicious landing page delivers HTML encrypted with AES-GCM, which remains inert during initial transmission and static analysis but decrypts and executes upon rendering in the browser.
  • Authentication Bypass: Utilizes Microsoft Device Code Phishing, guiding victims through a standard Microsoft login interface to authorize OAuth tokens, thereby gaining persistent access to Microsoft 365 accounts without credential theft.
  • Detection Evasion: By hiding the payload until the DOM is populated, the attack evades network proxies, email gateways, and static URL scanners that do not execute JavaScript or render HTML.
  • Investigation Methodology: Detection relies on interactive sandbox environments (e.g., ANY.RUN) that monitor Fetch/XHR requests, track DOM snapshots for sudden content injection, and trace API calls to endpoints like /api/device/start.
  • Data Exposure: Successful attacks lead to unauthorized access to corporate email, files, and cloud services, with significant prevalence reported in consulting, finance, and manufacturing sectors.

Industry Insight

Security teams must prioritize browser-based telemetry and dynamic analysis capabilities over static URL filtering to close the visibility gap created by encrypted or obfuscated web payloads. Implementing automated sandboxing workflows that generate AI-assisted summaries and actionable IOCs can significantly reduce the workload on Tier 2 analysts and accelerate incident containment. Organizations should also enforce strict monitoring of OAuth application permissions and device code flows to detect anomalous authorization patterns indicative of device code phishing.

TL;DR

  • EvilTokens活动利用“幽灵钓鱼”技术,通过AES-GCM加密HTML并在浏览器端解密渲染,绕过传统静态URL和网络层检测。
  • 攻击结合Microsoft Device Code Phishing,诱导受害者完成合法登录流程以授权访问账户,无需窃取密码即可接管Microsoft 365。
  • 传统安全控制存在可见性盲区,导致响应延迟、证据不完整及运营成本增加,尤其威胁咨询、金融和制造业等高风险行业。
  • ANY.RUN交互式沙箱通过DOM快照、HTTP请求追踪和浏览器级数据检查,揭示解密后的恶意行为,提供完整的取证证据。
  • 自动化报告生成与AI摘要功能优化了SOC的工作流,加速从一级到二级分析师的案件交接,提升遏制效率和检测覆盖率。

为什么值得看

本文揭示了动态加密钓鱼攻击如何规避现有邮件安全网关,强调了从静态URL检查转向浏览器级行为分析的必要性。对于AI和安全从业者而言,理解这种“隐藏直到渲染”的攻击模式有助于更新检测策略,减少误报并缩短平均响应时间。

技术解析

  • Ghost Phishing机制:攻击页面初始状态为加密的HTML(使用AES-GCM),仅在用户浏览器中加载后通过JavaScript解密并注入DOM,从而在静态扫描阶段保持隐蔽。
  • Device Code Phishing:利用Microsoft合法的OAuth设备代码流,欺骗用户扫描QR码或输入代码,使攻击者获得长期访问令牌,而非直接窃取凭据。
  • 浏览器级取证:通过ANY.RUN沙箱捕获解密后的DOM快照、Fetch/XHR网络请求以及最终重定向的URL,还原完整的攻击链和基础设施指标(IOCs)。
  • 自动化调查工作流:系统自动将原始浏览器数据转化为结构化报告,包含AI生成的摘要和建议步骤,支持从Tier 1到Tier 2的高效案件移交。

行业启示

  • 检测范式转移:企业需从依赖静态签名和URL信誉转向基于行为的检测,特别是引入浏览器自动化测试和交互式沙箱作为标准防御组件。
  • 零信任与MFA强化:鉴于Device Code Phishing可绕过传统密码保护,应严格监控异常的设备代码授权请求,并考虑限制非必要的应用程序访问权限。
  • 运营效率优化:采用具备自动化证据收集和报告功能的工具,可显著降低分析师的认知负荷,加快从检测到遏制的闭环速度,降低整体安全运营成本。

Disclaimer: The above content is generated by AI and is for reference only. 免责声明:以上内容由 AI 生成,仅供参考。

Security 安全