EvilTokens: How “Ghost” Code Threatens US and European Businesses
ID: 49450622-08c8-5ca4-a02e-414d736cc1dc
STIX ID: report--49450622-08c8-5ca4-a02e-414d736cc1dc
Feed Name: ANY.RUN's Cybersecurity Blog
This report analyzes EvilTokens, a phishing kit that hides its malicious landing page using AES-GCM browser-side decryption and leverages Microsoft OAuth device-code flow to obtain Microsoft 365 account access without harvesting passwords; it shows how ANY.RUN’s interactive sandbox reveals decrypted DOM content, traces requests to endpoints such as /api/device/start, /api/device/status and /api/device/gate/<PAGE_ID>, and extracts IOCs and signatures to help SOCs and MSSPs triage, detect, and respond to targeted campaigns in the United States and Europe.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
