Based on ANY.RUN’s sandbox submissions data from 15,000 organizations, phishing exposure in 2026 reached 75.6% in consulting, 72.8% in financial services, 71.9% in manufacturing, 67.9% in technology, 66.7% in banking, and 66.1% among MSSPs.
How EvilTokens' "ghost phishing" operates
The campaign described by ANY.RUN uses an EvilTokens kit that leverages Microsoft Device Code Phishing to trick victims into completing an otherwise legitimate Microsoft login flow and unknowingly authorizing access to their Microsoft 365 accounts. The kit does not need to capture a password directly: instead, it persuades the user to complete the device-code flow and grants access.
Crucially, the phishing page’s HTML is encrypted with AES‑GCM and only becomes visible after the victim’s browser decrypts and renders it into the DOM. In practice that means the malicious content is dormant during static inspection of the URL or the initial network response and “comes to life” only inside the user’s browser.
Why traditional email and network controls miss the attack
Because the malicious payload is encrypted and rendered client‑side, static URL checks and many network‑level controls can capture only the initial response — not what the user actually sees. ANY.RUN’s analysis lists specific operational consequences of that visibility gap, including:
- Longer exposure to Microsoft 365 account takeover
- Delayed containment and response decisions
- Unauthorized access to corporate email, files, and cloud services
- More inconclusive alerts escalated to senior analysts
- Higher investigation workload and operational costs
- Incomplete evidence for blocking related infrastructure
Where this wave is hitting — sectors and geography
ANY.RUN reports recent EvilTokens activity concentrated across the United States and Europe and targeting a cross‑section of sectors: technology, manufacturing, education, banking, consulting, financial services, and managed security providers. The high exposure rates in consulting, financial services, manufacturing, technology, banking and MSSPs make hidden phishing particularly dangerous for organizations that rely on Microsoft 365 for email and cloud services.
ANY.RUN warns that the longer a ghost phishing page remains invisible to detection, the greater the chance that a single compromised Microsoft 365 account will turn into a wider business incident, exposing sensitive data and enabling business email compromise and fraud.
How ANY.RUN’s Interactive Sandbox reveals the hidden flow
ANY.RUN’s investigation exposed the complete attack flow by running the link in an Interactive Sandbox that supports in‑browser inspection. Analysts watching the session moved beyond the encrypted AES‑GCM response and observed the phishing content when it rendered in the DOM. The sandbox tied that visual change to backend activity: Fetch/XHR requests and the Microsoft device code traced back to the /api/device/start endpoint.
The sandbox’s in‑browser evidence package includes DOM snapshots that show when the hidden page changes, HTTP request logs that reveal backend communications behind the device‑code flow, URL details that expose final destinations and triggered signatures, and indicators such as domains, endpoints and hashes for hunting and containment. ANY.RUN argues this view reduces the need to reconstruct the attack manually and provides artifacts that support faster blocking and detection.
What this means for security teams, senior analysts, and affected enterprises
Security teams: The source recommends opening suspicious links in an environment that captures in‑browser behavior so analysts can observe decrypted content and link it to backend requests; this is presented as the most effective way to “expose ghost phishing.”
Senior analysts and SOC handoffs: ANY.RUN says the interactive investigation automatically generates a report with an AI summary and recommended next steps, allowing Tier 2 and senior analysts to receive key findings, observed behavior and indicators in one package — shortening handoffs and reducing duplicated work.
Affected enterprises and procurement leaders: For organizations that depend on Microsoft 365, the report frames browser‑level inspection as a pragmatic control to shrink the exposure window, accelerate containment, and lower the operational cost of phishing response.
The EvilTokens case exposes a practical blind spot: an email message and its URL can appear safe while a live, encrypted phishing flow activates in the browser. ANY.RUN’s analysis ties that invisibility directly to measurable operational harms and to a concrete mitigation — capture the rendered page and its requests inside an interactive browser sandbox so that the SOC can make evidence‑based containment decisions before a single Microsoft 365 account becomes a wider business incident.




