Ghost Phishing Wave Exploits New Email Security Blind Spot
A recent Evil Tokens campaign, identified as "ghost phishing," is exploiting a new vulnerability in email security protocols, targeting businesses across the United States and Europe. This sophisticated attack method circumvents traditional security measures by keeping the malicious content hidden until it is decrypted and activated directly within the victim's web browser. The technique poses a significant risk to organizations, as standard URL scanning and analysis may fail to detect the threat before it fully materializes.
The "ghost phishing" attacks leverage a multi-stage process where initial emails appear benign, containing only a small, encrypted payload. Once the victim interacts with the email, for instance, by clicking a seemingly harmless link or opening an attachment, the payload is downloaded. Subsequently, JavaScript code embedded within the content triggers the decryption process. This decryption reveals the phishing page, which then prompts the user for sensitive information, such as login credentials for platforms like Microsoft 365. The delay between the initial interaction and the appearance of the malicious page is key to its evasiveness.
Security researchers have noted that this method bypasses many existing security controls that rely on analyzing static URLs or known malicious domains. By delaying the rendering of the phishing page until runtime within the browser, the attack effectively hides its true nature from automated security scanners. This allows attackers to gain access to Microsoft 365 accounts, potentially leading to the exfiltration of sensitive corporate data and significant disruption to business operations. The speed of response is critical once such an attack is detected, as the damage can escalate rapidly.
The Evil Tokens campaign highlights an evolving threat landscape where attackers are continuously developing novel techniques to evade detection. Traditional security solutions, which often focus on perimeter defenses and known threat signatures, are proving insufficient against these more dynamic and evasive methods. Organizations are advised to enhance their security postures with advanced threat detection capabilities that can analyze behavior within the browser and detect suspicious decryption or redirection activities, even when the initial payload is innocuous.
Original source — read the full reporting at the publisher:
Read on The Hacker News