A new “ghost phishing” campaign called EvilTokens uses encrypted phishing pages that only decrypt and display malicious content within the victim's browser, bypassing traditional email and URL security checks. This technique primarily targets Microsoft 365 users across industries in the US and Europe, enabling account takeover without stealing passwords directly and complicating detection and response efforts. Security teams are urged to adopt browser-level sandboxing tools that reveal hidden phishing behaviors in real time to shorten exposure windows and improve incident containment.
https://thehackernews.com/2026/07/new-ghost-phishing-wave-is-breaking.html

