Ghost Phishing Never Asks for Your Password: Defending Microsoft 365 Against Encrypted-Page and Device-Code Attacks (2026)

Per The Hacker News (8 July 2026) and ANY.RUN researchers, a phishing kit tracked as EvilTokens is targeting businesses across the United States and Europe with a technique the researchers call ghost phishing. The lure HTML is AES-GCM encrypted and decrypts only inside the victim\u2019s browser, so secure email gateways and URL scanners see a clean page. The kit then abuses Microsoft\u2019s legitimate Device Code Authentication flow: the victim enters a valid code on the real Microsoft page and unknowingly issues the attacker a token for their Microsoft 365 account. This defeats both URL-scanning-centric email security and password-centric defences. The six-point defence playbook is inside.

CALL IT DEV — Software, AI and dedicated tech teams — Casablanca | Madrid | Dubai

Ghost Phishing Never Asks for Your Password: Defending Microsoft 365 Against Encrypted-Page and Device-Code Attacks (2026)

What The Hacker News and ANY.RUN reported on 8 July 2026

On **8 July 2026**, **The Hacker News**, citing analysis from researchers at **ANY.RUN**, described an active phishing campaign the researchers call **ghost phishing**, delivered by a phishing kit tracked as **EvilTokens**. The reporting places the campaign against businesses across the **United States and Europe**, with the most-targeted sectors listed as **consulting, financial services, manufacturing, technology, banking, education and MSSPs**.

Two design choices in the kit are what make it operationally different from the phishing patterns most secure email gateways were tuned against.

First, the malicious page itself is **AES-GCM encrypted**. The HTML payload delivered from the phishing infrastructure is a small loader plus an encrypted blob; the readable page — the lure form, the Microsoft-lookalike surfaces, the branding — is **decrypted client-side inside the victim\u2019s browser** using a key fetched at page load. A gateway or URL scanner that renders the page in a sandbox without executing the full JavaScript decryption chain sees a benign shell. Automated content-based scoring under-reacts. The link scores low. The email is delivered.

Second — and this is the point buyers most often miss — the kit **does not ask for the victim\u2019s password**. Instead, it abuses Microsoft\u2019s legitimate **Device Code Authentication** flow. The device code flow is the standards-track mechanism (RFC 8628, OAuth 2.0 Device Authorization Grant) that Microsoft supports for devices without a browser or keyboard — the TV app, the CLI on a headless server, the IoT device. The flow issues a short code, asks the user to visit a well-known Microsoft URL (typically \

Preguntas Frecuentes

What is ghost phishing and how does it differ from classic phishing?

Per The Hacker News (8 July 2026) and ANY.RUN researchers, ghost phishing is a phishing kit family (tracked as EvilTokens) that combines two design choices absent from classic phishing. First, the lure page is AES-GCM encrypted and decrypts only inside the victim's browser, so a secure email gateway or URL scanner rendering the page in a sandbox without executing the full JavaScript decryption chain sees a benign shell and scores the link as clean. Second, the kit does not ask for the password: it abuses Microsoft's legitimate Device Code Authentication flow (RFC 8628 device authorization grant) so the victim signs in with their real credentials and completes MFA on the genuine Microsoft page, and Microsoft correctly issues the resulting token to the attacker's device. Classic phishing steals credentials; ghost phishing has a valid, MFA-completed token handed to it by design.

Which sectors and regions is EvilTokens targeting?

Per The Hacker News reporting citing ANY.RUN, EvilTokens campaigns have been observed against businesses across the United States and Europe, with the most-targeted sectors listed as consulting, financial services, manufacturing, technology, banking, education and managed security service providers (MSSPs). Separately, Varonis researchers documented a related device-code phishing campaign they call Rogue Agent in late June through early July 2026, which uses collaboration-themed lures — shared-document invites, team-collaboration prompts and meeting-join notifications — as the pretext for asking the user to complete the device code flow. The two campaigns are separately attributed but share the same underlying consent-flow abuse primitive.

Why does this defeat MFA even when MFA is correctly configured?

Because MFA is completed by the victim on the genuine Microsoft page as intended, and the token issued at the end of that flow is delivered to the attacker's device by the specification of the device code flow. There is no anomalous MFA prompt to escalate, no impossible-travel signal, and no failed-login pattern. From the identity platform's point of view the sign-in is normal and complete. This is the operative difference from infostealer session-hijacking, where the endpoint is compromised and the cookie is stolen after MFA; ghost phishing needs no endpoint compromise because the token is issued to the attacker at the front door.

What is the single highest-leverage defensive control?

A Conditional Access policy that blocks or scopes the device code flow for interactive users. Microsoft supports targeting Conditional Access at the device code flow as an authentication-flow condition. The recommended posture is to block the device code flow tenant-wide by default and grant it only through a narrowly-scoped exception group covering the specific accounts that legitimately need it (kiosk devices, named IoT service accounts, specific engineering scenarios). A blocked device code flow returns an error at Microsoft's side; the attacker never receives a token; the lure has nothing to hand off to. Every other control on the six-point playbook complements this one; none replaces it.

How does ghost phishing differ from the June 2026 Azure CLI legacy-auth campaign?

The June 2026 password-spray plus ROPC campaign documented by Huntress is a protocol-level failure: the tenant enforces MFA on modern flows but leaves the ROPC OAuth path (or other legacy authentication) uncovered, so a valid-but-breached password succeeds without MFA. The fix is a tenant-wide Conditional Access block of legacy authentication plus rotation of credentials appearing in prior breaches. Ghost phishing / device-code abuse is a social-engineering failure at a standards-track consent flow: there is no legacy protocol involved, and the fix set is Conditional Access on the device code flow, phishing-resistant MFA, browser-side detection and consent-flow-specific user training. Buyers who address only one of the two leave the other open on the same tenant.

How does Call IT Dev deliver managed defence against ghost phishing at mid-market pricing?

Call IT Dev pairs a cybersecurity managed-services engagement — Conditional Access review of the device code flow, FIDO2 rollout for privileged accounts, browser-side telemetry, token-revocation runbook, and 24/7 identity monitoring — with a technical-support engagement covering the user-facing side (consent-flow training module, report-a-lure workflow, L1/L2 triage of user-reported suspicious sign-in prompts) and a cloud-infrastructure engagement covering tenant-side hardening (Conditional Access, enterprise-browser policy, device compliance). Delivery is 24/7 from Casablanca, Rabat and Kenitra, with delivery cover from Madrid and Dubai, at a nearshore Morocco cost basis that keeps a full-stack 24/7 identity-security engagement inside a mid-market envelope without cutting bench seniority.

CALL IT DEV — Software, AI and dedicated tech teams — Casablanca | Madrid | Dubai — contact@callitdev.com — +212-537-373777