🟠 High  |  Source: The Hacker News


A phishing campaign dubbed EvilTokens is using ‘ghost phishing’ to evade traditional email security tools by keeping malicious payloads encrypted until they are decrypted and rendered live inside the victim’s browser. This means standard URL reputation checks and email gateway scanners see nothing suspicious at the point of delivery. Businesses using Microsoft 365 are particularly at risk, as successful attacks can result in account compromise and sensitive data exposure.

Security Architect’s Take: Review your reliance on static URL scanning at the email gateway — consider deploying browser isolation or remote browser rendering for all inbound links, and enable Microsoft 365 Defender’s Safe Links with dynamic, time-of-click detonation to catch payloads that only materialise in the browser. Audit conditional access policies and enforce phishing-resistant MFA (e.g. FIDO2) to limit the blast radius if credentials are harvested.

Original advisory: New Ghost Phishing Wave Is Breaking Traditional Email Security