The Good Tech Companies - EvilTokens: How “Ghost” Code Threatens US and European Businesses
Episode Date: July 7, 2026This story was originally published on HackerNoon at: https://hackernoon.com/eviltokens-how-ghost-code-threatens-us-and-european-businesses. Learn how EvilTokens hides M...icrosoft 365 phishing behind browser-side decryption and how browser-level analysis helps SOC teams detect attacks faster. Check more stories related to undefined at: https://hackernoon.com/c/undefined. You can also check exclusive content about #entra-id-phishing-detection, #eviltokens-phishing-kit, #any.run-interactive-sandbox, #phishing-threat-intelligence, #microsoft-365-account-takeover, #microsoft-device-code, #microsoft-oauth-device-code, #good-company, and more. This story was written by: @anyrun. Learn more about this writer by checking @anyrun's about page, and for more stories, please visit hackernoon.com. EvilTokens conceals its phishing workflow behind browser-side AES-GCM decryption, making static URL analysis insufficient for detecting Microsoft 365 device code attacks. This article shows how browser-level inspection in ANY.RUN reveals decrypted pages, traces device-code phishing activity, uncovers related infrastructure through threat intelligence, and helps SOC teams investigate, detect, and contain attacks faster.
Transcript
Discussion (0)
This audio is presented by Hacker Noon, where anyone can learn anything about any technology.
Evil tokens.
How, Ghost, Code threatens U.S. and European businesses by any.
Run.
Evil tokens can hide serious account takeover risk from your society through ghost code
that appears only after browser-side decryption.
As a result, static URL analysis may miss the most important part of the attack,
leaving teams with incomplete evidence, slower triage, and longer exposure to app-atent
Microsoft 365 compromise. Full browser level inspection closes this gap by revealing how the page
behaves after execution in a dynamic environment. This gives teams the evidence they need to validate
the threat and respond faster. Key takeaways. Evil Tokens hides key parts of its fishing flow
behind browser side decryption, creating a visibility gap for static URL analysis. The kit abuses
Microsoft's legitimate device login flow to gain account access without directly stealing the victim's
password. Browser level evidence helps society teams reduce manual checks, avoid unnecessary escalations,
and make faster containment decisions. Threat intelligence pivots connect one evil tokens session
to related fishing kits, infrastructure, indicators, and wider device code fishing activity.
Decrypted code and behavioral patterns can also support stronger fishing signatures,
threat hunting, and custom detection rules. Evil tokens targeting regions and industries at risk.
According to any run threat intelligence data, recent evil tokens activity is concentrated mainly
in the United States and Europe. View recent evil tokens activity in any
run threat intelligence the kit has been observed targeting organizations in, managed security
services. Technology, manufacturing, education, banking, consulting and financial services. These findings
show that Evil Tokens is aimed largely at organizations where access to a single Microsoft 365 account
can expose sensitive data, internal communications, and connected business services. Why Evil Tokens creates
a blind spot for society teams. Evil Tokens continues to rank among the most frequently observed fishing
kits in ANY. Runs Weekly Threat Reports, a recent analysis session showed how the kit uses Microsoft
device code fishing to compromise accounts without stealing credentials directly.
Instead, it convinces the victim to complete Microsoft's legitimate device log-in flow and
unknowingly authorize access to their account.
Check analysis session with recent evil tokens attack what makes the attack difficult to investigate
is the way it hides its fishing content.
The landing page HTML is encrypted with AESGCM and becomes visible only after the browser decrips
it and renders it in the DOM.
Static URL checks and network level detection may therefore capture the initial response without
showing what the victim actually sees in the browser. This can leave SOC teams with an incomplete
verdict, force additional manual checks, trigger unnecessary escalations, and delay containment. This
visibility gap becomes a business risk. When society teams cannot see what a suspicious page
does after browser execution, the impact goes beyond a slower investigation. It can lead to
longer exposure to potential Microsoft 365 account takeover. Delayed containment and response
decisions, more alerts escalated to senior security staff, higher investigation workload and operational
costs, incomplete evidence for blocking related infrastructure, greater risk of unauthorized access to
corporate data and services. To validate the threat quickly, teams need visibility into what happens
after the page begins running. In the following walkthrough, we use any. Runs in browser data
inspection to uncover the decrypted page, trace the requests behind the device code flow, and collect
evidence for response and further detection. Uncover fishing activity hidden inside the browser. Give your
society the evidence to validate and respond faster. Contact US within asterisk browser
data inspection inside any runs interactive sandbox asterisk investigators can examine cases like this
across several layers HTML DOM changes to the DOM over time and allows investigators to
compare different snapshots of the same page it highlights byte level differences from the previous
DOM state making it easier to identify the exact moment when the decrypted fishing page appears
HTTP requests provides visibility into browser-level network activity, including requests involving HTML, JavaScript, Fetch, XHR, scripts, static assets, binary files, archives, and other request categories.
URL details displays the final URL and domain, SSL certificate information, DNSA records, request statistics, and triggered detection signatures.
indicators.
Collects indicators of compromise associated with the page, including top-level domains,
subdomains, URL endpoints, file hashes, iPad addresses, and ASN information.
Triage walkthrough using browser data.
The network traffic shows that evil tokens delivers the landing page in an HTT response
encrypted with AESGCM.
The decrypted HTML DOM of the page can be viewed in the browser data panel.
you can view snapshots of the DOM structure after the AESGCM encrypted code has been decrypted.
The HTML DOM changes fields contain the following information.
Time shift. The time elapsed from the start of the analysis when the DOM snapshot was captured.
Score. The risk level assigned to that particular state of the page.
As shown in the screenshot, the score is 100, which corresponds to the signatures triggered by that DOM state.
Size diff. The change in DOM size compared with the previous.
snapshot. Size. The size of the current DOM snapshot. Page. The domain associated with the snapshot.
The value that should draw your attention most is the green plus 4-8 byte size diff. By selecting the
fourth snapshot, you can see which line was removed and which line was added compared with the
previous snapshot. Looking at the render panel on the left, we can confirm that a user code
has appeared on the page. The attackers will later use this code to take over the victim's Microsoft
365 account. This suggests that the landing page dynamically requested the user code from the
back end through a fetch, XHR request. The request can be examined in the HTTP requests tab. By
comparing the time shift values of the HTTP request in the DOM snapshot, we can conclude that
the user code was obtained through a request to the appi device start endpoint. Clicking the URL
confirms this, pivoting from one evil token session to broader threat activity. The findings from a
single analysis session can be used to uncover related fishing infrastructure and activity.
Start with URL details, where the code exposed in the DoM triggered the Microsoft OAuth
device code fishing signature.
URL details displayed inside any.
Run sandbox searching for this signature in any.
Run's thread intelligence reveals other fishing resources that use similar code patterns,
TI query.
Rule name, carat Microsoft OAuth device code fishing has been detected dollar, search for analysis
that triggered the Microsoft OAuth device code fishing has been detected.
Signature the results show that this behavior is not unique to evil tokens.
Other fishing kits use similar code and techniques,
allowing teams to move beyond one isolated case
and identify a broader set off-related threats.
Expand one investigation into broader threat context,
strengthen detection and stop-related attacks before they spread,
improve thread detection to narrow the search specifically to evil tokens,
Use the following query.
Threat name. Evil tokens.
Threat intelligence data shows that recent evil tokens activity is concentrated mainly in the United States and Europe.
Teams can also track device code fishing activity more broadly using the Ooth MISFISHT tag.
TI query. Threat name Ooth MISFish.
This wider search helps teams identify related campaigns even when they are associated with a different fishing kit or infrastructure.
Next, return to browser data and OOFISFISH.
browser data and open the indicators tab. Not every artifact collected during the analysis should
be added to detection rules. For example, the observed IP address belongs to the Cloudflare Net Autonomous
System. Blocking or detecting this shared infrastructure could produce false positives and affect legitimate
services. More specific indicators from the session, including the domain,
RRI, and hash, are stronger candidates for further validation and detection. TI. Query, U.
appi, device, start, or domain name. Empo 1825. Workers. Dev Dollar, ORMD5, FCD1B-654A-0B3E8F85 CA7 CF DAF
494D4B. By pivoting on signatures, threat names, tags, and carefully selected IOCs,
teams can connect an individual alert to wider fishing activity, improve detection coverage,
and respond proactively to related attacks.
Breaking down the evil tokens attack logic, the HTML DOM changes view is useful not only for
triage but also for deeper code analysis.
By examining the decrypted page logic, teams can identify recurring patterns that may
support low-level fishing detection rules.
The following code shows the device code flow configuration.
Gate check and decoy delivery the first fragment shows the client sending a gate check request to skeptical smiley face appi device, gate, less than page underscore ID greater than the backend returns a killed flag that determines what happens next. If fishing flow remains active, the attack continues. Otherwise, the victim has shown a decoy page designed to resemble a Microsoft error or expired link message. This mechanism allows operators to disable the fishing page or hide its true behavior when certain visitors are contained.
conditions are detected. Requesting and displaying the user code the next fragment sends a post
request to underscore start URL skeptical smiley face appi device. Start the backend returns the
user code, session ID, and verification eury. The script then stores the session, constructs
underscore verification earl, and writes the user coding to the DOM for the victim. This is the same
activity observed earlier in the HTTP requests view, connecting the browser side code directly to the
the network request and the user code displayed on the page. Monitoring the device code session,
the front end then checks the status of the device code session through skeptical smiley face appi,
device, status. Session ID, it repeatedly sends get requests containing the current session ID
and receives the latest status from the back end. Once the status changes to completed,
the script stops polling, displays a success screen, and redirects the victim to the legitimate
OneDrive website. This final redirect helps the attack appear,
successful and legitimate, while the attackers retain the access authorized through the completed
Microsoft device login flow. By connecting the decrypted DOM code with browser requests and
visible page changes, teams can reconstruct the full phishing logic and identify code patterns,
endpoints, and behaviors that may strengthen future detection. Turning hidden browser activity
into faster society decisions, the evil tokens investigation shows the practical value of browser
level evidence. Instead of stopping at the encrypted HTTP response, teams can see the decrypted
DOM, identify the request that generated the user code, trace the device code session, and extract
artifacts for detection and threat hunting. This improves the investigation workflow in several
ways. Faster triage and fewer unnecessary escalations. Tier 1 analysts can validate suspicious URLs
using direct browser level evidence rather than relying on incomplete indicators. This reduces
uncertainty, speeds up verdicts, and keeps more benign cases from reaching senior teams.
Smoother handoff and faster response. When escalation is necessary, Tier 2 receives the full
attack context, including DOM changes, HTTP requests, triggered signatures, rendered content,
and relevant indicators. This reduces repeated work and supports faster containment decisions,
stronger detection engineering, decrypted page code, browser requests, endpoints, and behavioral
patterns provide useful material for custom fishing signatures, hunting hypotheses, and detection
rules-based own observed attacker behavior. More focused threat hunting. Teams can pivot from one
evil token session to related domains, code patterns, fishing kits, and device code attacks in ANY.
Runs threat intelligence, expanding the investigation beyond a single URL. Clearer reporting. Structured
investigation results turn complex browser activity into evidence that is easier to use during
during triage, escalation, incident response, and stakeholder communication. For society and MSSP teams,
this means less time spent reconstructing browser activity manually, better use of senior resources,
and a faster path from a suspicious URL to a confident response decision. Turn hidden browser
activity into clear response evidence. Reduce investigation delays and help your society act faster.
Accelerate response now about any. Run. Any run. A leading provider. A leading provider.
of interactive malware analysis and threat intelligence solutions,
helps society teams, MSPs, and enterprises investigate threats faster and make more
confident security decisions. Its cloud-based interactive sandbox lets teams safely analyze suspicious
files, URLs, and emails in real-time, observe malicious behavior as it unfolds,
and collect clear evidence for faster response. Any runs threat intelligence solutions
add broader context around threats, infrastructure, and attacker activity. Together, these capabilities
support faster triage, stronger detection, better informed response decisions, and more efficient
security operations at scale. Thank you for listening to this Hackernoon story, read by artificial
intelligence. Visit hackernoon.com to read, write, learn and publish.
