On **8 July 2026**, **The Hacker News**, citing analysis from researchers at **ANY.RUN**, described an active phishing campaign the researchers call **ghost phishing**, delivered by a phishing kit tracked as **EvilTokens**. The reporting places the campaign against businesses across the **United States and Europe**, with the most-targeted sectors listed as **consulting, financial services, manufacturing, technology, banking, education and MSSPs**.
Two design choices in the kit are what make it operationally different from the phishing patterns most secure email gateways were tuned against.
First, the malicious page itself is **AES-GCM encrypted**. The HTML payload delivered from the phishing infrastructure is a small loader plus an encrypted blob; the readable page — the lure form, the Microsoft-lookalike surfaces, the branding — is **decrypted client-side inside the victim\u2019s browser** using a key fetched at page load. A gateway or URL scanner that renders the page in a sandbox without executing the full JavaScript decryption chain sees a benign shell. Automated content-based scoring under-reacts. The link scores low. The email is delivered.
Second — and this is the point buyers most often miss — the kit **does not ask for the victim\u2019s password**. Instead, it abuses Microsoft\u2019s legitimate **Device Code Authentication** flow. The device code flow is the standards-track mechanism (RFC 8628, OAuth 2.0 Device Authorization Grant) that Microsoft supports for devices without a browser or keyboard — the TV app, the CLI on a headless server, the IoT device. The flow issues a short code, asks the user to visit a well-known Microsoft URL (typically \
Per The Hacker News (8 July 2026) and ANY.RUN researchers, ghost phishing is a phishing kit family (tracked as EvilTokens) that combines two design choices absent from classic phishing. First, the lure page is AES-GCM encrypted and decrypts only inside the victim's browser, so a secure email gateway or URL scanner rendering the page in a sandbox without executing the full JavaScript decryption chain sees a benign shell and scores the link as clean. Second, the kit does not ask for the password: it abuses Microsoft's legitimate Device Code Authentication flow (RFC 8628 device authorization grant) so the victim signs in with their real credentials and completes MFA on the genuine Microsoft page, and Microsoft correctly issues the resulting token to the attacker's device. Classic phishing steals credentials; ghost phishing has a valid, MFA-completed token handed to it by design.
Per The Hacker News reporting citing ANY.RUN, EvilTokens campaigns have been observed against businesses across the United States and Europe, with the most-targeted sectors listed as consulting, financial services, manufacturing, technology, banking, education and managed security service providers (MSSPs). Separately, Varonis researchers documented a related device-code phishing campaign they call Rogue Agent in late June through early July 2026, which uses collaboration-themed lures — shared-document invites, team-collaboration prompts and meeting-join notifications — as the pretext for asking the user to complete the device code flow. The two campaigns are separately attributed but share the same underlying consent-flow abuse primitive.
Because MFA is completed by the victim on the genuine Microsoft page as intended, and the token issued at the end of that flow is delivered to the attacker's device by the specification of the device code flow. There is no anomalous MFA prompt to escalate, no impossible-travel signal, and no failed-login pattern. From the identity platform's point of view the sign-in is normal and complete. This is the operative difference from infostealer session-hijacking, where the endpoint is compromised and the cookie is stolen after MFA; ghost phishing needs no endpoint compromise because the token is issued to the attacker at the front door.
A Conditional Access policy that blocks or scopes the device code flow for interactive users. Microsoft supports targeting Conditional Access at the device code flow as an authentication-flow condition. The recommended posture is to block the device code flow tenant-wide by default and grant it only through a narrowly-scoped exception group covering the specific accounts that legitimately need it (kiosk devices, named IoT service accounts, specific engineering scenarios). A blocked device code flow returns an error at Microsoft's side; the attacker never receives a token; the lure has nothing to hand off to. Every other control on the six-point playbook complements this one; none replaces it.
The June 2026 password-spray plus ROPC campaign documented by Huntress is a protocol-level failure: the tenant enforces MFA on modern flows but leaves the ROPC OAuth path (or other legacy authentication) uncovered, so a valid-but-breached password succeeds without MFA. The fix is a tenant-wide Conditional Access block of legacy authentication plus rotation of credentials appearing in prior breaches. Ghost phishing / device-code abuse is a social-engineering failure at a standards-track consent flow: there is no legacy protocol involved, and the fix set is Conditional Access on the device code flow, phishing-resistant MFA, browser-side detection and consent-flow-specific user training. Buyers who address only one of the two leave the other open on the same tenant.
Call IT Dev pairs a cybersecurity managed-services engagement — Conditional Access review of the device code flow, FIDO2 rollout for privileged accounts, browser-side telemetry, token-revocation runbook, and 24/7 identity monitoring — with a technical-support engagement covering the user-facing side (consent-flow training module, report-a-lure workflow, L1/L2 triage of user-reported suspicious sign-in prompts) and a cloud-infrastructure engagement covering tenant-side hardening (Conditional Access, enterprise-browser policy, device compliance). Delivery is 24/7 from Casablanca, Rabat and Kenitra, with delivery cover from Madrid and Dubai, at a nearshore Morocco cost basis that keeps a full-stack 24/7 identity-security engagement inside a mid-market envelope without cutting bench seniority.
CALL IT DEV — Software, AI and dedicated tech teams — Casablanca | Madrid | Dubai — contact@callitdev.com — +212-537-373777