The EvilTokens campaign marks a critical evolution in phishing tactics. Threat actors are deploying "ghost phishing" attacks that circumvent traditional email security layers by hiding malicious content until it executes within the victim's browser.

The technique works by encrypting the phishing payload in initial messages sent to businesses across the US and Europe. Email security gateways that scan for malicious URLs find nothing suspicious in the encrypted link. Only when a user clicks and the page loads does the payload decrypt and reveal itself as a credential harvester targeting Microsoft 365 accounts.

This represents a direct failure of signature-based and URL-reputation defenses. Standard email filters check links against known threat databases before messages reach users. Ghost phishing inverts this timeline. The malicious content remains dormant during inspection, then activates post-delivery when traditional controls no longer apply.

The operational impact centers on speed and scope. Attackers gain access to Microsoft 365 credentials, which unlock email, OneDrive, Teams, and downstream systems. Response teams face compressed timelines to detect compromise, revoke tokens, and contain lateral movement. Organizations relying solely on URL filtering leave this attack surface exposed.

Defenders need layered detection beyond gateway scanning. This includes browser-based protections that catch malicious behavior during page rendering, user training on encrypted or dynamically-generated links, and credential monitoring for unusual sign-in patterns. Microsoft 365 Defender and similar endpoint solutions should flag suspicious authentication activity post-compromise.

The EvilTokens campaign demonstrates how encryption, when weaponized, converts it from a privacy tool into an evasion mechanism. Phishing remains the entry vector for most ransomware and data breach campaigns. When traditional email defenses fail, attackers move deeper into networks faster.

Organizations should assume ghost phishing variants will proliferate. Relying on email gates alone leaves organizations vulnerable.