July 13, 2026
By esentry Team

Ghost Phishing: A New Technique Evading Email Security Controls

A new phishing technique has been identified, dubbed Ghost Phishing, that enables attackers to bypass traditional email security solutions by concealing malicious content until a victim opens a phishing link in their web browser. Unlike conventional phishing campaigns, which often rely on fake login pages that can be detected by email security tools, Ghost Phishing uses encrypted web content that only becomes visible when rendered by the victim's browser.

This technique has been observed targeting Microsoft 365 users by abusing the Device Code authentication flow, a legitimate Microsoft feature designed to securely authenticate devices that have limited input capabilities, such as smart TVs and conference room systems.

Technical Details

The attack begins with a phishing email containing what appears to be a legitimate link. When email security gateways or URL scanners inspect the link, they encounter only encrypted or benign-looking content, allowing the email to pass security checks.

The malicious webpage is encrypted using AES-GCM (Advanced Encryption Standard – Galois/Counter Mode), a widely used encryption method that protects data from being read without the correct key. Instead of exposing the phishing page immediately, the encrypted content is only decrypted within the victim's web browser using embedded JavaScript.

Once the browser processes the page, the hidden phishing content is reconstructed in the Document Object Model (DOM)—the browser's internal representation of a webpage after it has been loaded. Since many security solutions analyze only the initial webpage rather than its dynamically generated content, the phishing page remains undetected until the user interacts with it.

Victims are then prompted to complete a legitimate Microsoft Device Code login. Rather than stealing usernames and passwords, the attackers trick users into authorizing the attacker's session, allowing them to access the victim's Microsoft 365 account using valid authentication tokens.

Potential Impact

If successful, Ghost Phishing can enable attackers to:

  • Gain unauthorized access to Microsoft 365 accounts without stealing passwords.
  • Access corporate email, cloud storage, and collaboration platforms.
  • Bypass multi-factor authentication (MFA) by abusing Microsoft's legitimate authentication process.
  • Conduct business email compromise (BEC), data theft, or further attacks using the compromised account.

Because the authentication occurs through Microsoft's genuine login infrastructure, victims may have little indication that they are authorizing an attacker rather than signing into their own session.

Recommendations

Organizations should adopt layered defenses to reduce the risk posed by advanced phishing techniques such as Ghost Phishing:

  • Restrict or monitor Microsoft Device Code authentication where it is not required by business operations.
  • Implement Conditional Access policies to limit risky authentication methods and require additional verification based on user, device, or location.
  • Deploy browser-based phishing protection capable of analyzing webpages after they have been rendered, rather than relying solely on email scanning.
  • Continuously monitor Microsoft 365 sign-in logs for suspicious Device Code authentication events and anomalous user activity.

Ghost Phishing demonstrates how attackers are evolving beyond traditional phishing techniques by exploiting legitimate authentication workflows and browser-based content rendering. As phishing campaigns become more sophisticated, organizations should complement email security with identity monitoring, browser security, and user awareness to better detect and prevent account compromise.