CyberSecurity

The Ghost Phishing Wave That Makes Traditional Email Security Blink

Published

on

The Invisible Threat That Activates Inside Your Browser

A fresh wave of attacks is quietly dismantling the assumptions behind most corporate email defenses. Dubbed “ghost phishing,” the technique comes from a campaign security researchers are tracking as EvilTokens — and it’s already hitting businesses across the US and Europe.

Here’s what makes it different: the malicious page doesn’t exist when the email lands. It doesn’t appear when the URL scanner checks it. It only springs to life — fully formed and dangerous — after it decrypts inside the victim’s browser. By then, the damage is often underway.

For CISOs and security teams, this isn’t just another phishing variant. It’s a direct attack on the core assumption that scanning a link at the time of delivery is enough.

How EvilTokens Turns a Blind Spot Into a Breach

The EvilTokens campaign works by embedding a URL that points to a seemingly harmless page. Standard email security tools — the kind that inspect links in real time — see nothing suspicious. The page is blank, or returns a benign status code. It passes every check.

But that URL contains an encrypted payload. When the recipient clicks it, the page decrypts inside the browser using client-side JavaScript. Suddenly, a convincing login page for Microsoft 365 appears. The victim, believing they’ve hit a legitimate authentication screen, enters their credentials. The attackers now have access to email, files, and whatever else sits behind that account.

This is not a theoretical flaw. Researchers have documented active compromises tied to the campaign, with attackers moving quickly from credential theft to data exfiltration and lateral movement inside corporate networks.

Why Traditional Email Security Misses the Mark

Most email security platforms rely on a handful of techniques: reputation analysis, URL sandboxing, and machine learning models trained on known malicious patterns. They work well against conventional phishing — the kind where the malicious page is already live when the link is checked.

Ghost phishing breaks that model entirely.

Because the malicious content is encrypted and only rendered client-side, there’s nothing for the scanner to find. No malicious JavaScript. No fake login form. No phishing indicators. The page is a ghost — invisible until the moment it needs to be seen by the victim, not the security tool.

This approach also evades time-of-click inspection, a more advanced protection that re-checks URLs when the user clicks. If the page still hasn’t decrypted at that moment, it passes again. The attack only reveals itself milliseconds later, inside the browser’s rendering engine.

What This Means for Microsoft 365 Defenders

The campaign specifically targets Microsoft 365 credentials, making it a direct threat to the thousands of organizations that rely on the platform for email, collaboration, and cloud storage. Once an attacker has a valid session token or password, they can access Microsoft 365 security settings, reset multi-factor authentication, and exfiltrate data without triggering alarms.

Security teams need to ask a hard question: if your email gateway can’t see the attack, what is your second line of defense?

Practical Defenses Against Ghost Phishing

There is no single magic bullet for ghost phishing, but a layered approach can significantly reduce risk.

  • Browser-level isolation: Technologies like remote browser isolation execute all web content in a sandboxed environment. Even if a page decrypts maliciously, it never touches the user’s actual browser or network.
  • Behavioral analytics for email: Look for anomalies in sender behavior, reply patterns, and email routing — not just link reputation. The EvilTokens campaign often uses compromised legitimate accounts to send the phishing emails.
  • Client-side JavaScript monitoring: Some endpoint detection tools can flag unexpected JavaScript decryption or DOM manipulation, even if the initial URL was clean.
  • User reporting and rapid response: Since no filter catches every ghost phish, a strong reporting culture and automated incident response workflow are critical. Every second counts when credentials are being harvested.

These defenses don’t replace traditional email security — they supplement it. The goal is to catch what the scanners miss, and to limit damage when a user does fall for the lure.

The Bigger Picture: A New Category of Email Attack

Ghost phishing represents a structural shift in how attackers think about evasion. Instead of trying to hide from scanners through obfuscation or domain rotation — tactics that security vendors have learned to counter — they simply refuse to show the malicious content until the scanner has already moved on.

This is harder to build than a typical phishing kit. It requires careful encryption logic, reliable decryption in the browser, and a delivery chain that avoids raising suspicion. The fact that EvilTokens is already operational suggests that attackers are investing in sophistication, not just volume.

For security leaders, the takeaway is uncomfortable but clear: the email security stack that worked five years ago is no longer sufficient. The ghosts are already inside the machine. The question is whether your defenses can see them.

Leave a Reply

Your email address will not be published. Required fields are marked *

Trending

Exit mobile version