Bottom line: Ghost phishing techniques hide malicious pages in encryption until they are decoded in the browser, thereby circumventing traditional email security controls.
A new phishing campaign called EvilTokens uses encrypted pages that are only decoded in the victim’s browser – thus bypassing classic URL-based email filters. The attacks target companies in the US and Europe.
The EvilTokens campaign is an attack wave targeting companies in North America and Europe. The distinguishing feature lies in the so-called ghost phishing method: the malicious target page remains hidden during email transmission and traditional security checks. Only when the victim clicks on the link and the page loads in their own browser does the malicious payload decode and become active.
This presents a significant vulnerability for security teams. URL-based filtering in email gateways and threat intelligence systems cannot inspect and classify the page in its encrypted form. The result: phishing emails with this pattern can pass through traditional protection measures and trick users into clicking.
The attack target is likely to be aimed at compromising Microsoft 365 accounts, with the goal of stealing credentials and gaining lateral access into networks. Rapid detection and response are further hindered by this technique, as the malware only sends signals after decoding in the browser.
Source: thehackernews.com · Published July 8, 2026
Lumi AI News — AI-assisted curation in accordance with Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.3.