'Ghost Phishing' Campaign Slips Past Email Filters by Hiding Until It Reaches the Victim
The EvilTokens operation is hitting companies across the US and Europe with pages that stay encrypted in transit and only unlock inside the target's browser.

Key points
- A phishing campaign called EvilTokens is targeting businesses in the United States and Europe with a technique researchers are calling 'ghost phishing'.
- The fake login pages arrive encrypted and only assemble themselves inside the victim's web browser, which lets them slip past standard URL and email scanners.
- The main prize for the criminals is Microsoft 365 account access, giving them a way into corporate email, files, and internal chats.
- Security teams say traditional link-checking tools cannot see the malicious content because it does not exist in a readable form until the page loads.
A fresh wave of phishing attacks is quietly picking off business accounts on both sides of the Atlantic, and the trick behind it is designed specifically to defeat the security scanners most companies rely on.
The campaign has been named EvilTokens by the researchers tracking it. First reported by The Hacker News, it is hitting targets across the United States and Europe.
Phishing, for readers new to the term, is when criminals send fake emails or messages that try to trick staff into typing their passwords into a lookalike website. It is the single most common way corporate networks get broken into.
What makes this campaign different is how the fake page is delivered.
What is 'ghost phishing' and why does it matter?
Ghost phishing is a technique where the malicious web page is not actually present when a security tool inspects the link. The page arrives scrambled, and only unscrambles itself once it is running inside the victim's browser.
Think of it like a letter that looks blank when the post office X-rays it, but reveals its message only when the recipient holds it up to a specific lamp at home. By the time the words appear, the mail room has already waved it through.
Most email security products work by following links in a message and looking at what is on the other end. If the page looks like a Microsoft login clone, the link gets blocked. Ghost phishing sidesteps that check entirely, because at the moment of inspection there is nothing suspicious to see. The dangerous content is encrypted and only decrypts in the target's browser.
What are the attackers after?
Microsoft 365 credentials, mainly. That is the username and password combination staff use to sign in to Outlook, Teams, SharePoint and OneDrive.
Once criminals have a working Microsoft 365 login, they can read a company's email, download files, impersonate the account owner in messages to colleagues, and often pivot to steal money through fake invoice requests. In many break-ins investigated over the past two years, a single stolen Microsoft 365 account was the starting point.
The campaign name, EvilTokens, hints at a further twist. Modern login systems issue small digital passes called tokens after you sign in, so you do not have to type your password again for a while. If attackers grab those tokens, they can often stay logged in even after the victim changes their password.
What should ordinary staff watch for?
The usual signs still apply. An unexpected email asking you to log in to view a document, a shared file from someone you were not expecting, or a login page that appears after clicking a link in a message rather than after you typed the address yourself.
If a Microsoft sign-in screen pops up when you were not trying to sign in, close the tab. Go to office.com by typing it directly. If there really was a document waiting, it will be there.
For security teams, the practical takeaway is blunt. Link-scanning at the email gateway is no longer enough on its own. Detections that watch what happens inside the browser, and controls that flag unusual sign-in behaviour on Microsoft 365 accounts, are doing the heavier lifting now.
No victim companies have been publicly named, and no ransom or extortion component has been tied to the campaign so far. The goal, for the moment, appears to be quiet account takeover.



