logo

New EvilTokens Attack Exposes Browser Visibility Gap in Enterprise SOCs

ID: b23a7093-5918-5be8-80b2-9d6245d21447

STIX ID: report--b23a7093-5918-5be8-80b2-9d6245d21447

Feed Name: HackRead

Threat Score
70/100

Date Published: 2026-06-30

Date Updated: 2026-07-02

Author: Owais Sultan

...
...

ANY.RUN reports on the EvilTokens phishing campaign that targets enterprise Microsoft 365 users in the US and Europe across industries (banking, technology, education, manufacturing, financial services, MSSPs). The campaign abuses Microsoft’s OAuth device-code workflow and hides the phishing page as an AES-GCM-encrypted payload which is only revealed after browser-side JavaScript decrypts and renders it, creating a visibility gap for SOC teams; ANY.RUN’s interactive sandbox can expose the full workflow within about a minute to aid detection and response.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.