# New Ghost Phishing wave via EvilTokens campaign is breaking traditional email security

_Wednesday, July 8, 2026 at 8:00 AM EDT · Security · Latest · Tier 2 — Notable_

![New Ghost Phishing wave via EvilTokens campaign is breaking traditional email security — Primary](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgl6gaxMQBH0Bjb1ZhuaOiM5gKEk-zuSf821eRfV33ogx6YWwENunjyOPF8VXHtgtHgIevENLfBV2O04QI4TtjtDe2PGGevWptQEEagmp6q-G4FqOankGokz70XzVtz7dmNbEZ5G7-pV0yINgd2-ima7ap8xeOxuhZBKw2WPoUo81wKmGrwsPxbzYkW5Wk/s1700-e365/anyrun-main.jpg)

A recent EvilTokens phishing campaign targeting businesses in the United States and Europe is using a method The Hacker News describes as "ghost phishing," according to a July 8, 2026 report on the site that draws on analysis from security firm ANY.RUN.

The report says the technique keeps a malicious page hidden until it decrypts and loads inside a victim's browser. Phishing kit HTML is encrypted with AES-GCM and becomes visible only after the browser decrypts it and renders the content in the DOM, so static URL checks and network-level controls may not see what the user sees, The Hacker News reported.

According to the article, the kit uses Microsoft Device Code Phishing to push victims through a legitimate Microsoft login flow that can authorize access to Microsoft 365 accounts without directly stealing a password.

ANY.RUN's threat intelligence, as cited by The Hacker News, shows recent EvilTokens activity concentrated in the U.S. and Europe against sectors including technology, manufacturing, education, banking, consulting, financial services and managed security providers. ANY.RUN sandbox data from 15,000 organizations found 2026 phishing exposure of 75.6% in consulting, 72.8% in financial services, 71.9% in manufacturing, 67.9% in technology, 66.7% in banking and 66.1% among MSSPs, the report said. The full attack flow was observed in ANY.RUN's Interactive Sandbox, according to The Hacker News.

## Sources

- [The Hacker News](https://thehackernews.com/2026/07/new-ghost-phishing-wave-is-breaking.html)

---
Canonical: https://techandbusiness.org/newswire/64ZDbtmu2xZbJJuh84yEvH
Retrieved: 2026-07-08T22:48:22.906Z
Publisher: Tech & Business (techandbusiness.org)
