{"id":21730,"date":"2026-06-23T11:46:56","date_gmt":"2026-06-23T11:46:56","guid":{"rendered":"https:\/\/any.run\/cybersecurity-blog\/?p=21730"},"modified":"2026-06-23T11:54:49","modified_gmt":"2026-06-23T11:54:49","slug":"eviltokens-ghost-code-analysis","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/eviltokens-ghost-code-analysis\/","title":{"rendered":"EvilTokens: How \u201cGhost\u201d Code Threatens US and European Businesses"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/any.run\/malware-trends\/eviltokens\/\" target=\"_blank\" rel=\"noreferrer noopener\">EvilTokens<\/a>&nbsp;can hide serious account takeover risk from your SOC&nbsp;through \u201cghost\u201d code that appears only after browser-side decryption.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">As a result, static URL analysis may miss the most important part of the attack, leaving teams with incomplete evidence, slower triage, and longer exposure to a potential Microsoft 365 compromise.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/any.run\/cybersecurity-blog\/in-browser-data-inspection\/\" target=\"_blank\" rel=\"noreferrer noopener\">Full browser-level inspection<\/a>&nbsp;closes this gap by revealing how the page behaves after execution in a dynamic environment. 
This gives teams the evidence they need to&nbsp;validate&nbsp;the&nbsp;threat&nbsp;and respond faster.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Key Takeaways&nbsp;<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>EvilTokens\u00a0hides key parts of its\u00a0phishing\u00a0flow behind browser-side decryption, creating a visibility gap for static URL analysis.\u00a0<\/li>\n\n\n\n<li>The kit abuses Microsoft\u2019s legitimate device login flow to gain account access without directly stealing the victim\u2019s password.\u00a0<\/li>\n\n\n\n<li>Browser-level evidence helps SOC teams reduce manual checks, avoid unnecessary escalations, and make faster containment decisions.\u00a0<\/li>\n\n\n\n<li><a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=eviltokens-ghost-code-analysis&amp;utm_term=230626&amp;utm_content=linktotilookuplanding\" target=\"_blank\" rel=\"noreferrer noopener\">Threat\u00a0Intelligence<\/a>\u00a0pivots connect one\u00a0EvilTokens\u00a0session to related\u00a0phishing\u00a0kits, infrastructure, indicators, and wider device-code\u00a0<a href=\"https:\/\/any.run\/phishing\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=eviltokens-ghost-code-analysis&amp;utm_term=230626&amp;utm_content=linktophishing\" target=\"_blank\" rel=\"noreferrer noopener\">phishing\u00a0activity<\/a>.\u00a0<\/li>\n\n\n\n<li>Decrypted code and\u00a0behavioral\u00a0patterns can also support stronger\u00a0phishing\u00a0signatures,\u00a0threat\u00a0hunting, and custom detection rules.\u00a0<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">EvilTokens&nbsp;Targeting: Regions and Industries at Risk&nbsp;<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">According to ANY.RUN&nbsp;Threat&nbsp;Intelligence data, recent&nbsp;EvilTokens&nbsp;activity is concentrated&nbsp;mainly in&nbsp;the United States and Europe.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a 
href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=eviltokens-ghost-code-analysis&amp;utm_term=230626&amp;utm_content=linktotilookup#{%22query%22:%22threatName:%5C%22eviltokens%5C%22%22,%22dateRange%22:7}\" target=\"_blank\" rel=\"noreferrer noopener\">View recent EvilTokens activity in ANY.RUN&nbsp;Threat&nbsp;Intelligence<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"576\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/EvilTokens-1-1024x576.png\" alt=\"\" class=\"wp-image-21755\" style=\"width:762px;height:auto\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/EvilTokens-1-1024x576.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/EvilTokens-1-300x169.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/EvilTokens-1-768x432.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/EvilTokens-1-1536x864.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/EvilTokens-1-2048x1152.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/EvilTokens-1-370x208.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/EvilTokens-1-270x152.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/EvilTokens-1-740x416.png 740w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>EvilTokens targeting specific industries<\/em><\/figcaption><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">The kit has been&nbsp;observed&nbsp;targeting organizations in:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Managed security 
services\u00a0<\/li>\n\n\n\n<li>Technology\u00a0<\/li>\n\n\n\n<li>Manufacturing\u00a0<\/li>\n\n\n\n<li>Education<\/li>\n\n\n\n<li>Banking<\/li>\n\n\n\n<li>Consulting and financial services\u00a0<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">These findings show that&nbsp;EvilTokens&nbsp;is aimed&nbsp;largely at&nbsp;organizations where access to a single Microsoft 365 account can expose sensitive data, internal communications, and connected business services.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Why&nbsp;EvilTokens&nbsp;Creates a Blind Spot for SOC Teams&nbsp;<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">EvilTokens&nbsp;continues to rank among the most&nbsp;frequently&nbsp;observed&nbsp;phishing&nbsp;kits in ANY.RUN\u2019s weekly&nbsp;threat&nbsp;reports.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A recent analysis session showed how the kit uses Microsoft Device Code&nbsp;Phishing&nbsp;to compromise accounts without stealing credentials directly. Instead, it convinces the victim to complete Microsoft\u2019s legitimate device login flow and unknowingly authorize access to their account.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/app.any.run\/tasks\/55d3ead7-c07a-4fb1-aa42-8c397d1a0f8a?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=eviltokens-ghost-code-analysis&amp;utm_term=230626&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">Check analysis session with recent EvilTokens attack<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"570\" 
src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-11.08.07-1024x570.png\" alt=\"Recent EvilTokens attack analyzed inside ANY.RUN\u00a0sandbox\u00a0\" class=\"wp-image-21731\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-11.08.07-1024x570.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-11.08.07-300x167.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-11.08.07-768x427.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-11.08.07-1536x854.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-11.08.07-2048x1139.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-11.08.07-370x206.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-11.08.07-270x150.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-11.08.07-740x412.png 740w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Recent EvilTokens attack analyzed inside ANY.RUN\u00a0sandbox<\/em><\/figcaption><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">What makes the attack difficult to investigate is the way it hides its&nbsp;phishing&nbsp;content. The landing page HTML is encrypted with AES-GCM and becomes visible only after the browser decrypts it and&nbsp;renders&nbsp;it in the DOM.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Static URL checks and network-level detection may therefore capture the initial response without showing what the victim actually sees in the browser. 
This can leave SOC teams with an incomplete verdict, force additional manual checks, trigger unnecessary escalations, and delay containment.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>This visibility gap becomes a business risk<\/strong>. When SOC teams cannot see what a suspicious page does after browser execution, the impact goes beyond a slower investigation. It can lead to:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Longer exposure<\/strong>\u00a0to potential Microsoft 365 account takeover\u00a0<\/li>\n\n\n\n<li><strong>Delayed containment<\/strong>\u00a0and response decisions\u00a0<\/li>\n\n\n\n<li><strong>More alerts escalated<\/strong>\u00a0to senior security staff\u00a0<\/li>\n\n\n\n<li><strong>Higher investigation workload<\/strong>\u00a0and operational costs\u00a0<\/li>\n\n\n\n<li><strong>Incomplete evidence<\/strong>\u00a0for blocking related infrastructure\u00a0<\/li>\n\n\n\n<li><strong>Greater risk of unauthorized access\u00a0<\/strong>to corporate data and services\u00a0<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">To&nbsp;validate&nbsp;the&nbsp;threat&nbsp;quickly, teams need visibility into what happens after the page begins running. In the following walkthrough, we use ANY.RUN\u2019s in-browser data inspection to uncover the decrypted page, trace the requests behind the device-code flow, and collect evidence for response and further detection.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">With <strong>in-browser data inspection inside ANY.RUN\u2019s <\/strong><a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=eviltokens-ghost-code-analysis&amp;utm_term=230626&amp;utm_content=linktosandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Interactive Sandbox<\/strong><\/a>, investigators can examine cases like this across several layers:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>HTML DOM Changes:<\/strong>&nbsp;Tracks changes to the DOM over time and allows investigators to compare different snapshots of the same page. 
It highlights byte-level differences from the&nbsp;previous&nbsp;DOM state, making it easier to&nbsp;identify&nbsp;the exact moment when the decrypted&nbsp;phishing&nbsp;page appears.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>HTTP Requests:<\/strong>&nbsp;Provides visibility into browser-level network activity, including requests involving HTML, JavaScript, Fetch\/XHR, scripts, static assets, binary files, archives, and other request categories.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>URL Details:<\/strong>&nbsp;Displays the final URL and domain, SSL certificate information, DNS A records, request statistics, and triggered detection signatures.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Indicators:<\/strong>&nbsp;Collects indicators of compromise associated with the page, including top-level domains, subdomains, URL endpoints, file hashes, IP addresses, and ASN information.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Triage Walkthrough Using Browser Data&nbsp;<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The network traffic shows that&nbsp;EvilTokens&nbsp;delivers the landing page in an HTTP response encrypted with AES-GCM:&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"635\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/img27-1024x635.jpg\" alt=\"\" class=\"wp-image-21732\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/img27-1024x635.jpg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/img27-300x186.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/img27-768x476.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/img27-1536x952.jpg 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/img27-370x229.jpg 370w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/img27-270x167.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/img27-740x459.jpg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/img27.jpg 1716w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>EvilTokens HTTP response body\u00a0containing\u00a0the AES-GCM-encrypted landing page<\/em><\/figcaption><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">The decrypted HTML DOM of the page can be viewed in the Browser Data panel:\u00a0<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"882\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/1-1-1024x882.png\" alt=\"\" class=\"wp-image-21733\" style=\"aspect-ratio:1.1610319236659206;width:506px;height:auto\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/1-1-1024x882.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/1-1-300x259.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/1-1-768x662.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/1-1-1536x1324.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/1-1-2048x1765.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/1-1-370x319.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/1-1-270x233.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/1-1-740x638.png 740w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>In-browser data investigation panel inside the interactive\u00a0sandbox<\/em>\u00a0<\/figcaption><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">Here, you can 
view snapshots of the DOM structure after the AES-GCM-encrypted code has been decrypted:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"423\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/img38-1024x423.jpg\" alt=\"DOM snapshots displayed with decrypted code \" class=\"wp-image-21734\" style=\"aspect-ratio:2.42085828792723;width:656px;height:auto\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/img38-1024x423.jpg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/img38-300x124.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/img38-768x317.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/img38-370x153.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/img38-270x111.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/img38-740x305.jpg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/img38.jpg 1352w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>DOM snapshots displayed with decrypted code<\/em>\u00a0<\/figcaption><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">The&nbsp;<strong>HTML DOM Changes<\/strong>&nbsp;fields&nbsp;contain&nbsp;the following information:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Timeshift:\u00a0<\/strong>The\u00a0time elapsed from the start of the analysis when the DOM snapshot was captured.\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Score:\u00a0<\/strong>The risk level assigned to that\u00a0particular state\u00a0of the page. 
As shown in the screenshot, the score is 100, which corresponds to the signatures triggered by that DOM state.\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Size diff:\u00a0<\/strong>The change in DOM size compared with the\u00a0previous\u00a0snapshot.\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Size:\u00a0<\/strong>The size of the current DOM snapshot.\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Page:\u00a0<\/strong>The domain associated with the snapshot.\u00a0<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">The value that should draw&nbsp;your&nbsp;attention most is the green&nbsp;<strong>+48-byte size diff<\/strong>. By selecting the fourth snapshot,&nbsp;you&nbsp;can see which line was removed and which line was added compared with the&nbsp;previous&nbsp;snapshot:&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"607\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/img41-1024x607.jpg\" alt=\"\" class=\"wp-image-21735\" style=\"aspect-ratio:1.6870116421376344;width:772px;height:auto\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/img41-1024x607.jpg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/img41-300x178.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/img41-768x455.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/img41-370x219.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/img41-270x160.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/img41-740x439.jpg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/img41.jpg 1110w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Check line 
changes to see the codes added and removed<\/em>\u00a0<\/figcaption><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">Looking at the\u00a0<strong>Render<\/strong>\u00a0panel on the left, we can confirm that a user code has appeared on the page. The attackers will later use this code to take over the victim\u2019s Microsoft 365 account:\u00a0<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"630\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/img44-1024x630.jpg\" alt=\"\" class=\"wp-image-21736\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/img44-1024x630.jpg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/img44-300x185.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/img44-768x472.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/img44-370x228.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/img44-270x166.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/img44-740x455.jpg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/img44.jpg 1408w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Render of\u00a0the page<\/em><\/figcaption><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">This suggests that the landing page dynamically requested the user code from the backend\u00a0through a Fetch\/XHR request. 
The request can be examined in the\u00a0<strong>HTTP Requests<\/strong>\u00a0tab:\u00a0<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"160\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/img45-1024x160.jpg\" alt=\"\" class=\"wp-image-21737\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/img45-1024x160.jpg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/img45-300x47.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/img45-768x120.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/img45-1536x240.jpg 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/img45-370x58.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/img45-270x42.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/img45-740x116.jpg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/img45.jpg 1550w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>HTTP Requests panel inside the Browser Data\u00a0<\/em>\u00a0<\/figcaption><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">By comparing the <strong>Timeshift<\/strong> values of the HTTP request and the DOM snapshot, we can conclude that the user code was obtained through a request to the \/api\/device\/start endpoint. 
Clicking the URL confirms this:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"227\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/2-1-1024x227.png\" alt=\"\" class=\"wp-image-21738\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/2-1-1024x227.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/2-1-300x67.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/2-1-768x170.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/2-1-1536x340.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/2-1-2048x454.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/2-1-370x82.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/2-1-270x60.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/2-1-740x164.png 740w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>HTTP response from\u00a0EvilTokens<\/em><\/figcaption><\/figure>\n<\/div>\n\n\n<h2 class=\"wp-block-heading\">Pivoting from One EvilTokens Session to Broader Threat Activity<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The findings from a single analysis session can be used to uncover related phishing infrastructure and activity.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Start with&nbsp;<strong>URL Details<\/strong>, where the code exposed in the DOM triggered the&nbsp;<strong>Microsoft OAuth device-code&nbsp;phishing&nbsp;<\/strong>signature.&nbsp;&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"585\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/3-1-1024x585.png\" alt=\"\" 
class=\"wp-image-21739\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/3-1-1024x585.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/3-1-300x172.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/3-1-768x439.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/3-1-1536x878.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/3-1-2048x1171.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/3-1-370x212.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/3-1-270x154.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/3-1-740x423.png 740w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>URL details displayed inside ANY.RUN\u00a0sandbox<\/em>\u00a0<\/figcaption><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">Searching for this signature in ANY.RUN\u2019s&nbsp;<a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=eviltokens-ghost-code-analysis&amp;utm_term=230626&amp;utm_content=linktotilookuplanding\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence<\/a>&nbsp;reveals other phishing resources that use similar code patterns:&nbsp;&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">TI Query:&nbsp;<a href=\"https:\/\/intelligence.any.run\/analysis\/lookup#{%22query%22:%22ruleName:%5C%22^Microsoft%20OAuth%20device-code%20phishing%20has%20been%20detected$%5C%22%22,%22dateRange%22:7}\" target=\"_blank\" rel=\"noreferrer noopener\">ruleName:&#8221;^Microsoft OAuth device-code phishing has been detected$&#8221;<\/a><\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"416\" 
src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/4-1024x416.png\" alt=\"\" class=\"wp-image-21740\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/4-1024x416.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/4-300x122.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/4-768x312.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/4-1536x623.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/4-2048x831.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/4-370x150.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/4-270x110.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/4-740x300.png 740w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Search for analysis sessions that triggered the\u00a0\u201cMicrosoft OAuth device-code\u00a0phishing\u00a0has been detected\u201d\u00a0signature<\/em><\/figcaption><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">The results show that this behavior is not unique to\u00a0EvilTokens.\u00a0Other\u00a0phishing\u00a0kits use similar code and techniques, allowing teams to move beyond one isolated case and identify a broader set of related\u00a0threats.<\/p>\n\n\n\n<!-- Regular Banner START -->\n<div class=\"regular-banner\">\n<!-- Text Content -->\n<p class=\"regular-banner__text\">\nExpand one investigation into broader threat context. 
\n &nbsp;\n<br>\n<span class=\"highlight\">Strengthen detection and stop related attacks before they spread.<\/span>\n<\/p>\n<!-- CTA Link -->\n<a class=\"regular-banner__link\" id=\"article-banner-regular\" href=\"https:\/\/any.run\/enterprise\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=eviltokens-ghost-code-analysis&amp;utm_term=230626&amp;utm_content=linktoenterprise#contact-sales\" target=\"_blank\" rel=\"noopener\">\nImprove threat detection \n<\/a>\n<\/div>\n<!-- Regular Banner END -->\n<!-- Regular Banner Styles START -->\n\n<style>\n.regular-banner {\ndisplay: flex;\ntext-align: center;\nflex-direction: column;\nalign-items: center;\ngap: 1.5rem;\nwidth: 100%;\npadding: 2rem;\nmargin: 1.5rem 0;\nborder-radius: 0.5rem;\nfont-family: 'Catamaran Bold';\nmargin-inline: auto;\nbackground: rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 0.32);\n}\n\n.regular-banner__text {\nfont-size: 1.5rem;\nmargin: 0;\n}\n\n.highlight {\ncolor: #ea2526;\n}\n\n.regular-banner__link {\npadding: 0.5rem 1.5rem;\nfont-weight: 500;\ntext-decoration: none;\nborder-radius: 0.5rem;\ncolor: #FFFFFF;\nbackground-color: #1491D4;\ntext-align: center;\ntransition: all 0.2s ease-in;\n}\n\n.regular-banner__link:hover {\nbackground-color: #68CBFF;\ncolor: white;\n}\n<\/style>\n<!-- Regular Banner Styles END -->\n\n\n\n<p class=\"wp-block-paragraph\">\u00a0To narrow the search specifically to\u00a0EvilTokens, use the following query:\u00a0<a href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=eviltokens-ghost-code-analysis&amp;utm_term=230626&amp;utm_content=linktotilookup#%7B%22query%22:%22threatName:%5C%22eviltokens%5C%22%22,%22dateRange%22:7%7D\" target=\"_blank\" rel=\"noreferrer noopener\">threatName:&#8221;eviltokens&#8221;<\/a>\u00a0<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Threat&nbsp;Intelligence data shows that recent&nbsp;EvilTokens&nbsp;activity is concentrated&nbsp;mainly 
in&nbsp;the United States and Europe:&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"717\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/5-1024x717.png\" alt=\"\" class=\"wp-image-21741\" style=\"aspect-ratio:1.428191913288348;width:632px;height:auto\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/5-1024x717.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/5-300x210.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/5-768x538.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/5-1536x1075.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/5-2048x1434.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/5-370x259.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/5-270x189.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/5-740x518.png 740w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Threat\u00a0activity targeting specific regions<\/em><\/figcaption><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">Teams can also track device code phishing activity more&nbsp;broadly using&nbsp;the&nbsp;oauth-ms-phish&nbsp;threat tag:&nbsp;&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">TI Query:&nbsp;<a href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=eviltokens-ghost-code-analysis&amp;utm_term=230626&amp;utm_content=linktotilookup#{%22query%22:%22threatName:%5C%22oauth-ms-phish%5C%22%22,%22dateRange%22:7}\" target=\"_blank\" rel=\"noreferrer noopener\">threatName:&#8221;oauth-ms-phish&#8221;<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure 
class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"573\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/img67-1024x573.jpg\" alt=\"\" class=\"wp-image-21742\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/img67-1024x573.jpg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/img67-300x168.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/img67-768x430.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/img67-370x207.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/img67-270x151.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/img67-740x414.jpg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/img67.jpg 1094w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Indicators displayed for broader analysis<\/figcaption><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">This wider search helps teams identify related campaigns even when they are associated with a different phishing kit or infrastructure.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Next, return to&nbsp;<strong>Browser Data<\/strong>&nbsp;and open the&nbsp;<strong>Indicators<\/strong>&nbsp;tab:&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Not every artifact collected during the analysis should be added to detection rules. For example, the observed IP address belongs to the&nbsp;CloudflareNet&nbsp;autonomous system. 
Blocking or&nbsp;detecting&nbsp;this shared infrastructure could produce false positives and affect legitimate services.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">More specific indicators from the session, including the domain, URI, and hash, are stronger candidates for further validation and detection:&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">TI Query:&nbsp;<a href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=eviltokens-ghost-code-analysis&amp;utm_term=230626&amp;utm_content=linktotilookup#{%22query%22:%22url:%5C%22\/api\/device\/start%5C%22%20or%20%20domainName:%5C%22emp01825.workers.dev$%5C%22%20or%20md5:%5C%22fcd1b654a0b3e8f85ca7cfdafe494d4b%5C%22%22,%22dateRange%22:7}\" target=\"_blank\" rel=\"noreferrer noopener\">url:&#8221;\/api\/device\/start&#8221;&nbsp;or&nbsp; domainName:&#8221;emp01825.workers.dev$&#8221; or md5:&#8221;fcd1b654a0b3e8f85ca7cfdafe494d4b&#8221;<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"383\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/img68-1024x383.jpg\" alt=\"\" class=\"wp-image-21743\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/img68-1024x383.jpg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/img68-300x112.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/img68-768x287.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/img68-370x138.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/img68-270x101.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/img68-740x277.jpg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/img68.jpg 1252w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption 
class=\"wp-element-caption\"><em>ANY.RUN\u00a0Threat\u00a0Intelligence query using indicators extracted from in-browser data<\/em>\u00a0<\/figcaption><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">By&nbsp;pivoting on&nbsp;signatures,&nbsp;threat&nbsp;names, tags, and carefully selected&nbsp;IOCs, teams can connect an individual alert to wider&nbsp;phishing&nbsp;activity, improve detection coverage, and respond proactively to related attacks.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Breaking Down the&nbsp;EvilTokens&nbsp;Attack Logic&nbsp;<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The&nbsp;<strong>HTML DOM Changes<\/strong>&nbsp;view is useful not only for triage but also for deeper code analysis. By examining the decrypted page logic, teams can&nbsp;identify&nbsp;recurring patterns that may support low-level&nbsp;phishing&nbsp;detection rules.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The following code&nbsp;shows the&nbsp;<strong>Device Code Flow Configuration<\/strong>:&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"910\" height=\"756\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/img71.jpg\" alt=\"\" class=\"wp-image-21744\" style=\"aspect-ratio:1.2037078500738883;width:648px;height:auto\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/img71.jpg 910w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/img71-300x249.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/img71-768x638.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/img71-370x307.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/img71-270x224.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/img71-740x615.jpg 740w\" sizes=\"auto, (max-width: 910px) 100vw, 910px\" 
\/><figcaption class=\"wp-element-caption\">Device code flow configuration<\/figcaption><\/figure>\n<\/div>\n\n\n<h3 class=\"wp-block-heading\">Gate Check and Decoy Delivery&nbsp;<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The first fragment shows the client sending a gate check request to:&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\/api\/device\/gate\/&lt;PAGE_ID&gt;&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The backend returns a&nbsp;killed&nbsp;flag that&nbsp;determines&nbsp;what happens next. If the&nbsp;phishing&nbsp;flow&nbsp;remains&nbsp;active, the attack continues. Otherwise, the victim is&nbsp;shown&nbsp;a decoy page designed to resemble a Microsoft error or expired-link message.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"724\" height=\"502\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/img74.jpg\" alt=\"\" class=\"wp-image-21745\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/img74.jpg 724w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/img74-300x208.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/img74-370x257.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/img74-270x187.jpg 270w\" sizes=\"auto, (max-width: 724px) 100vw, 724px\" \/><figcaption class=\"wp-element-caption\"><em>EvilTokens\u00a0gate check logic<\/em>\u00a0<\/figcaption><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">This mechanism allows operators to disable the&nbsp;phishing&nbsp;page or hide its true behavior when certain visitors or conditions are detected.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Requesting and Displaying the User Code&nbsp;<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The next fragment sends a POST request to&nbsp;_startUrl:&nbsp;<\/p>\n\n\n\n<p 
class=\"wp-block-paragraph\">\/api\/device\/start&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The backend returns the&nbsp;userCode,&nbsp;sessionId, and verification URI. The script then stores the session, constructs&nbsp;_verificationUrl, and writes the user code into the DOM for the victim.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"1024\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/6-1024x1024.png\" alt=\"\" class=\"wp-image-21746\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/6-1024x1024.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/6-300x300.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/6-150x150.png 150w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/6-768x769.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/6-1536x1536.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/6-2046x2048.png 2046w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/6-70x70.png 70w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/6-370x370.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/6-270x270.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/6-740x741.png 740w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Code used to request the user code<\/em><\/figcaption><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">This is the same activity&nbsp;observed&nbsp;earlier in the&nbsp;<strong>HTTP Requests<\/strong>&nbsp;view, connecting the browser-side code directly to the network request and the user code displayed on the page.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Monitoring the 
Device-Code Session&nbsp;<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The frontend then checks the status of the device-code session&nbsp;through:&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\/api\/device\/status\/{sessionId}&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">It repeatedly sends GET requests&nbsp;containing&nbsp;the current&nbsp;sessionId&nbsp;and receives the latest status from the backend.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Once the status changes to&nbsp;completed, the script stops polling, displays a success screen, and redirects the victim to the legitimate OneDrive website.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"637\" height=\"1024\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/7-2-637x1024.png\" alt=\"\" class=\"wp-image-21747\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/7-2-637x1024.png 637w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/7-2-187x300.png 187w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/7-2-768x1234.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/7-2-956x1536.png 956w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/7-2-1275x2048.png 1275w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/7-2-370x594.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/7-2-270x434.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/7-2-740x1189.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/7-2-scaled.png 1593w\" sizes=\"auto, (max-width: 637px) 100vw, 637px\" \/><figcaption class=\"wp-element-caption\"><em>Authorization status polling<\/em><\/figcaption><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">This final redirect helps the attack 
appear successful and legitimate, while the attackers&nbsp;retain&nbsp;the access authorized&nbsp;through the completed Microsoft device login flow.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">By connecting the decrypted DOM code with browser requests and visible page changes, teams can reconstruct the full&nbsp;phishing&nbsp;logic and&nbsp;identify&nbsp;code patterns, endpoints, and behaviors that may strengthen future detection.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Turning Hidden Browser Activity into Faster SOC Decisions&nbsp;<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The&nbsp;EvilTokens&nbsp;investigation shows the practical value of browser-level evidence. Instead of stopping at the encrypted HTTP response, teams can see the decrypted DOM,&nbsp;identify&nbsp;the request that generated the user code, trace the device-code session, and extract artifacts for detection and&nbsp;threat&nbsp;hunting.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"425\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/soc_decisions_infographic-2-1024x425.png\" alt=\"\" class=\"wp-image-21748\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/soc_decisions_infographic-2-1024x425.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/soc_decisions_infographic-2-300x125.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/soc_decisions_infographic-2-768x319.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/soc_decisions_infographic-2-1536x637.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/soc_decisions_infographic-2-370x154.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/soc_decisions_infographic-2-270x112.png 270w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/soc_decisions_infographic-2-740x307.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/soc_decisions_infographic-2.png 1600w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Benefits of browser-level evidence<\/em><\/figcaption><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">This improves the investigation workflow in several ways:&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Faster triage and fewer unnecessary escalations:<\/strong> Tier 1 analysts can validate suspicious URLs using direct browser-level evidence rather than relying on incomplete indicators. This reduces uncertainty, speeds up verdicts, and keeps more benign cases from reaching senior teams.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Smoother handoff and faster response:<\/strong>&nbsp;When escalation is necessary, Tier 2 receives the full attack context, including DOM changes, HTTP requests, triggered signatures, rendered content, and relevant indicators. 
This reduces repeated work and supports faster containment decisions.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Stronger detection engineering:<\/strong>&nbsp;Decrypted page code, browser requests, endpoints, and behavioral patterns provide useful material for custom&nbsp;phishing&nbsp;signatures, hunting hypotheses, and detection rules based on observed attacker behavior.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>More focused threat hunting:<\/strong>&nbsp;Teams can pivot from one&nbsp;EvilTokens&nbsp;session to related domains, code patterns,&nbsp;phishing&nbsp;kits, and device-code attacks in ANY.RUN\u2019s&nbsp;<a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=eviltokens-ghost-code-analysis&amp;utm_term=230626&amp;utm_content=linktotilookuplanding\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence<\/a>, expanding the investigation beyond a single URL.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Clearer reporting:<\/strong> Structured investigation results turn complex browser activity into evidence that is easier to use during triage, escalation, incident response, and stakeholder communication.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">For SOC and MSSP teams, this means less time spent reconstructing browser activity manually, better use of senior resources, and a faster path from a suspicious URL to a confident response decision.&nbsp;<\/p>\n\n\n\n<!-- Regular Banner START -->\n<div class=\"regular-banner\">\n<!-- Text Content -->\n<p class=\"regular-banner__text\">\nTurn hidden browser activity into clear response evidence. 
\n &nbsp;\n<br>\n<span class=\"highlight\">Reduce investigation delays and help your SOC act faster.<\/span>\n<\/p>\n<!-- CTA Link -->\n<a class=\"regular-banner__link\" id=\"article-banner-regular\" href=\"https:\/\/any.run\/enterprise\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=eviltokens-ghost-code-analysis&amp;utm_term=230626&amp;utm_content=linktoenterprise#contact-sales\" target=\"_blank\" rel=\"noopener\">\nAccelerate response now  \n<\/a>\n<\/div>\n<!-- Regular Banner END -->\n<!-- Regular Banner Styles START -->\n\n<style>\n.regular-banner {\ndisplay: flex;\ntext-align: center;\nflex-direction: column;\nalign-items: center;\ngap: 1.5rem;\nwidth: 100%;\npadding: 2rem;\nmargin: 1.5rem 0;\nborder-radius: 0.5rem;\nfont-family: 'Catamaran Bold';\nmargin-inline: auto;\nbackground: rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 0.32);\n}\n\n.regular-banner__text {\nfont-size: 1.5rem;\nmargin: 0;\n}\n\n.highlight {\ncolor: #ea2526;\n}\n\n.regular-banner__link {\npadding: 0.5rem 1.5rem;\nfont-weight: 500;\ntext-decoration: none;\nborder-radius: 0.5rem;\ncolor: #FFFFFF;\nbackground-color: #1491D4;\ntext-align: center;\ntransition: all 0.2s ease-in;\n}\n\n.regular-banner__link:hover {\nbackground-color: #68CBFF;\ncolor: white;\n}\n<\/style>\n<!-- Regular Banner Styles END -->\n\n\n\n<h2 class=\"wp-block-heading\">About ANY.RUN&nbsp;<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">ANY.RUN, a leading provider of interactive malware analysis and&nbsp;threat&nbsp;intelligence solutions, helps SOC teams, MSSPs, and enterprises investigate&nbsp;threats faster and make more confident security decisions.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Its cloud-based&nbsp;<a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=eviltokens-ghost-code-analysis&amp;utm_term=230626&amp;utm_content=linktosandboxlanding\" target=\"_blank\" rel=\"noreferrer 
noopener\">Interactive&nbsp;Sandbox<\/a>&nbsp;lets teams safely analyze suspicious files, URLs, and emails in real time,&nbsp;observe&nbsp;malicious behavior as it unfolds, and collect&nbsp;clear evidence&nbsp;for faster response.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">ANY.RUN\u2019s&nbsp;<a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=eviltokens-ghost-code-analysis&amp;utm_term=230626&amp;utm_content=linktotilookuplanding\" target=\"_blank\" rel=\"noreferrer noopener\">Threat&nbsp;Intelligence<\/a>&nbsp;solutions add broader context around&nbsp;threats, infrastructure, and attacker activity. Together, these capabilities support faster triage, stronger detection, better-informed response decisions, and more efficient security operations at scale.&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>EvilTokens&nbsp;can hide serious account takeover risk from your SOC&nbsp;through \u201cghost\u201d code that appears only after browser-side decryption.&nbsp; As a result, static URL analysis may miss the most important part of the attack, leaving teams with incomplete evidence, slower triage, and longer exposure to a potential Microsoft 365 compromise.&nbsp; Full browser-level inspection&nbsp;closes this gap by revealing [&hellip;]<\/p>\n","protected":false},"author":12,"featured_media":21750,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[8],"tags":[57,10,34],"class_list":["post-21730","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware-analysis","tag-anyrun","tag-cybersecurity","tag-malware-analysis"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.7 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>EvilTokens \u201cGhost\u201d Code Phishing Analysis<\/title>\n<meta 
name=\"description\" content=\"See how EvilTokens hides Microsoft 365 account takeover activity behind browser-side decryption and how in-browser data inspection reveals the full attack flow.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/eviltokens-ghost-code-analysis\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"GridGuardGhoul\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"13 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/eviltokens-ghost-code-analysis\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/eviltokens-ghost-code-analysis\\\/\"},\"author\":{\"name\":\"GridGuardGhoul\",\"@id\":\"https:\\\/\\\/any.run\\\/\"},\"headline\":\"EvilTokens: How \u201cGhost\u201d Code Threatens US and European Businesses\",\"datePublished\":\"2026-06-23T11:46:56+00:00\",\"dateModified\":\"2026-06-23T11:54:49+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/eviltokens-ghost-code-analysis\\\/\"},\"wordCount\":2329,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/any.run\\\/\"},\"image\":{\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/eviltokens-ghost-code-analysis\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/wp-content\\\/uploads\\\/2026\\\/06\\\/EvilTokens-scaled.png\",\"keywords\":[\"ANYRUN\",\"cybersecurity\",\"malware analysis\"],\"articleSection\":[\"Malware 
Analysis\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/eviltokens-ghost-code-analysis\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/eviltokens-ghost-code-analysis\\\/\",\"url\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/eviltokens-ghost-code-analysis\\\/\",\"name\":\"EvilTokens \u201cGhost\u201d Code Phishing Analysis\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/any.run\\\/\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/eviltokens-ghost-code-analysis\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/eviltokens-ghost-code-analysis\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/wp-content\\\/uploads\\\/2026\\\/06\\\/EvilTokens-scaled.png\",\"datePublished\":\"2026-06-23T11:46:56+00:00\",\"dateModified\":\"2026-06-23T11:54:49+00:00\",\"description\":\"See how EvilTokens hides Microsoft 365 account takeover activity behind browser-side decryption and how in-browser data inspection reveals the full attack flow.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/eviltokens-ghost-code-analysis\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/eviltokens-ghost-code-analysis\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/eviltokens-ghost-code-analysis\\\/#primaryimage\",\"url\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/wp-content\\\/uploads\\\/2026\\\/06\\\/EvilTokens-scaled.png\",\"contentUrl\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/wp-content\\\/uploads\\\/2026\\\/06\\\/EvilTokens-scaled.png\",\"width\":2560,\"height\":1243,\"caption\":\"EvilTokens Threatens US and European 
Businesses\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/eviltokens-ghost-code-analysis\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Malware Analysis\",\"item\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/category\\\/malware-analysis\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"EvilTokens: How \u201cGhost\u201d Code Threatens US and European Businesses\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/any.run\\\/\",\"url\":\"https:\\\/\\\/any.run\\\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\\\/\\\/any.run\\\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/any.run\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/any.run\\\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\\\/\\\/any.run\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/any.run\\\/\",\"url\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/wp-content\\\/uploads\\\/2020\\\/08\\\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/wp-content\\\/uploads\\\/2020\\\/08\\\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\\\/\\\/any.run\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/www.any.run\\\/\",\"https:\\\/\\\/x.com\\\/anyrun_app\",\"https:\\\/\\\/www.linkedin.com\\\/company\\\/30692044\",\"https:\\\/\\\/www.youtube.com\\\/channel\\\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"
@type\":\"Person\",\"@id\":\"https:\\\/\\\/any.run\\\/\",\"name\":\"GridGuardGhoul\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/wp-content\\\/uploads\\\/2026\\\/01\\\/image_GridGuardGhoul.jpeg\",\"url\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/wp-content\\\/uploads\\\/2026\\\/01\\\/image_GridGuardGhoul.jpeg\",\"contentUrl\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/wp-content\\\/uploads\\\/2026\\\/01\\\/image_GridGuardGhoul.jpeg\",\"caption\":\"GridGuardGhoul\"},\"description\":\"I am a network security researcher and reverse engineer exploring malware, protocols, and exploits.\",\"url\":\"#molongui-disabled-link\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"EvilTokens \u201cGhost\u201d Code Phishing Analysis","description":"See how EvilTokens hides Microsoft 365 account takeover activity behind browser-side decryption and how in-browser data inspection reveals the full attack flow.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/eviltokens-ghost-code-analysis\/","twitter_misc":{"Written by":"GridGuardGhoul","Est. 
reading time":"13 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/eviltokens-ghost-code-analysis\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/eviltokens-ghost-code-analysis\/"},"author":{"name":"GridGuardGhoul","@id":"https:\/\/any.run\/"},"headline":"EvilTokens: How \u201cGhost\u201d Code Threatens US and European Businesses","datePublished":"2026-06-23T11:46:56+00:00","dateModified":"2026-06-23T11:54:49+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/eviltokens-ghost-code-analysis\/"},"wordCount":2329,"commentCount":0,"publisher":{"@id":"https:\/\/any.run\/"},"image":{"@id":"https:\/\/any.run\/cybersecurity-blog\/eviltokens-ghost-code-analysis\/#primaryimage"},"thumbnailUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/EvilTokens-scaled.png","keywords":["ANYRUN","cybersecurity","malware analysis"],"articleSection":["Malware Analysis"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/eviltokens-ghost-code-analysis\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/eviltokens-ghost-code-analysis\/","url":"https:\/\/any.run\/cybersecurity-blog\/eviltokens-ghost-code-analysis\/","name":"EvilTokens \u201cGhost\u201d Code Phishing Analysis","isPartOf":{"@id":"https:\/\/any.run\/"},"primaryImageOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/eviltokens-ghost-code-analysis\/#primaryimage"},"image":{"@id":"https:\/\/any.run\/cybersecurity-blog\/eviltokens-ghost-code-analysis\/#primaryimage"},"thumbnailUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/EvilTokens-scaled.png","datePublished":"2026-06-23T11:46:56+00:00","dateModified":"2026-06-23T11:54:49+00:00","description":"See how EvilTokens hides Microsoft 365 account takeover activity behind browser-side decryption and how 
in-browser data inspection reveals the full attack flow.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/eviltokens-ghost-code-analysis\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/eviltokens-ghost-code-analysis\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/cybersecurity-blog\/eviltokens-ghost-code-analysis\/#primaryimage","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/EvilTokens-scaled.png","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/EvilTokens-scaled.png","width":2560,"height":1243,"caption":"EvilTokens Threatens US and European Businesses"},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/eviltokens-ghost-code-analysis\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Malware Analysis","item":"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/"},{"@type":"ListItem","position":3,"name":"EvilTokens: How \u201cGhost\u201d Code Threatens US and European Businesses"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to 
it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/x.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"GridGuardGhoul","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/image_GridGuardGhoul.jpeg","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/image_GridGuardGhoul.jpeg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/image_GridGuardGhoul.jpeg","caption":"GridGuardGhoul"},"description":"I am a network security researcher and reverse engineer exploring malware, protocols, and 
exploits.","url":"#molongui-disabled-link"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/21730","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=21730"}],"version-history":[{"count":7,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/21730\/revisions"}],"predecessor-version":[{"id":21758,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/21730\/revisions\/21758"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/21750"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=21730"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=21730"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=21730"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}