New EvilTokens Attack Exposes Browser Visibility Gap in Enterprise SOCs
ID: b23a7093-5918-5be8-80b2-9d6245d21447
STIX ID: report--b23a7093-5918-5be8-80b2-9d6245d21447
Feed Name: HackRead
ANY.RUN reports on the EvilTokens phishing campaign that targets enterprise Microsoft 365 users in the US and Europe across industries (banking, technology, education, manufacturing, financial services, MSSPs). The campaign abuses Microsoft’s OAuth device-code workflow and hides the phishing page as an AES-GCM-encrypted payload which is only revealed after browser-side JavaScript decrypts and renders it, creating a visibility gap for SOC teams; ANY.RUN’s interactive sandbox can expose the full workflow within about a minute to aid detection and response.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
