Disclosure: This article was provided by ANY.RUN. The information and analysis presented are based on their research and findings.
A new EvilTokens attack shows how modern phishing can hide critical evidence from enterprise SOCs until the page runs inside the browser.
The case highlights a growing visibility gap in phishing triage: suspicious URLs may appear incomplete at first, while the real account takeover flow is revealed only after execution. For security leaders, that gap can mean slower investigations, delayed response, and higher business risk.
EvilTokens Continues to Target Enterprise Organizations
According to recent ANY.RUN Threat Intelligence data, EvilTokens activity remains concentrated in the United States and Europe, targeting organizations that rely heavily on Microsoft 365 for daily operations.
Recent campaigns have affected industries including:
- Banking
- Technology
- Education
- Manufacturing
- Financial services
- Managed security services
For these organizations, the compromise of a single Microsoft 365 account can expose sensitive business communications, cloud resources, and connected enterprise services. As attacks increasingly rely on hidden browser-side behavior, quickly validating phishing threats becomes critical for limiting business impact.
Why This Creates Pressure on SOC Teams
The challenge for SOC teams is speed. When a phishing page hides key evidence until browser execution, analysts cannot rely on the first URL check alone to make a confident decision.
That delay can increase Tier 1 workload, push more cases to senior analysts, and slow containment when account access is at risk. For enterprise teams handling high alert volumes, even small gaps in visibility can quickly turn into higher response costs.
How EvilTokens Hides Account Takeover Activity
Unlike traditional phishing kits that immediately display a fake login page, EvilTokens abuses Microsoft’s legitimate Device Code authentication flow to gain access without stealing credentials directly.
In this attack, the phishing page is delivered as an AES-GCM encrypted payload and remains hidden until browser-side JavaScript decrypts and renders it. That means static URL analysis may capture only the encrypted response, while the real phishing page, user code, and OAuth workflow remain invisible until execution.
This is where browser-level visibility becomes essential. With in-browser data investigation in ANY.RUN’s Interactive Sandbox, security teams can observe the complete phishing workflow after execution, validate malicious behavior, and collect the evidence needed to respond with confidence.
In a recent EvilTokens analysis, the full attack chain became visible in about a minute. Analysts could immediately review the rendered phishing page, browser-generated HTTP requests, DOM changes, and OAuth device-code activity from a single investigation interface.

From One EvilTokens Case to Wider Campaign Visibility
A single EvilTokens attack can quickly point to broader phishing activity. In this analysis, the code exposed in the DOM triggered the Microsoft OAuth device-code phishing signature, giving analysts a starting point for wider investigation in ANY.RUN Threat Intelligence.
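The two visibility levels described above (the encrypted response a URL scanner sees before any JavaScript runs, versus the user code and device-login lure that only appear in the DOM after execution) can be captured as simple two-stage triage logic. The Python below is an added example written for this article; it is not ANY.RUN's code or its signature logic. The indicator names, regular expressions, the two-indicator threshold, the 8-9 character upper-case code shape and all three sample pages are constructed assumptions; `microsoft.com/devicelogin` is Microsoft's public device-login endpoint.

```python
"""Two-stage triage for phishing pages delivered as an encrypted payload that
reveal a device-code lure only after browser-side JavaScript runs.

Stage 1 inspects the raw HTTP response (what a static URL check sees).
Stage 2 inspects a DOM snapshot taken after execution (what an instrumented
browser or sandbox sees).  Indicator names, patterns and thresholds are
assumptions of this example, not a vendor signature.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# ---- Stage 1: static indicators of a decrypt-then-render loader ----
STATIC_INDICATORS = {
    # WebCrypto decrypt call configured for AES-GCM
    "aes_gcm_decrypt": re.compile(
        r"crypto\.subtle\.decrypt\s*\(\s*\{[^}]*name\s*:\s*['\"]AES-GCM['\"]", re.S),
    # decrypted bytes handed straight to the renderer
    "renders_decrypted_html": re.compile(
        r"document\.write\s*\(|\.innerHTML\s*=|\.insertAdjacentHTML\s*\("),
    # a large opaque base64-looking blob (the encrypted page) embedded inline
    "large_opaque_blob": re.compile(r"[A-Za-z0-9+/]{256,}={0,2}"),
}
# Two independent indicators are required before flagging: innerHTML on its
# own is far too common on benign pages.  (Assumed threshold.)
STATIC_THRESHOLD = 2

# ---- Stage 2: indicators in the rendered DOM ----
# microsoft.com/devicelogin is Microsoft's public device-login endpoint; the
# 8-9 character upper-case code shape is an assumption of this example.
DEVICELOGIN_RE = re.compile(r"https?://(?:www\.)?microsoft\.com/devicelogin\b", re.I)
# the word "code" followed, within a few tags or punctuation, by a code-shaped token
USER_CODE_RE = re.compile(r"(?i:code)(?:<[^>]*>|\W){0,40}\b([A-Z0-9]{8,9})\b")


@dataclass
class Triage:
    static_hits: List[str] = field(default_factory=list)
    devicelogin_link: bool = False
    user_code: Optional[str] = None

    @property
    def verdict(self) -> str:
        if self.devicelogin_link and self.user_code:
            return "device-code phishing confirmed in rendered DOM"
        if len(self.static_hits) >= STATIC_THRESHOLD:
            return "encrypted payload loader: needs browser execution to confirm"
        return "no indicators"


def static_triage(raw_response: str) -> List[str]:
    """Names of the static indicators present in the un-executed response."""
    return [name for name, rx in STATIC_INDICATORS.items() if rx.search(raw_response)]


def dom_triage(rendered_dom: str) -> Triage:
    """Device-code lure evidence from a DOM snapshot captured after execution."""
    m = USER_CODE_RE.search(rendered_dom)
    return Triage(devicelogin_link=bool(DEVICELOGIN_RE.search(rendered_dom)),
                  user_code=m.group(1) if m else None)


def classify(raw_response: str, rendered_dom: Optional[str] = None) -> Triage:
    """Combine both stages; rendered_dom is None when no browser run was done."""
    t = dom_triage(rendered_dom) if rendered_dom else Triage()
    t.static_hits = static_triage(raw_response)
    return t


# Constructed sample 1: raw response carrying an encrypted payload loader.
# The key/iv handling is omitted from the sample; only its shape matters here.
RAW_RESPONSE = """<html><body><script>
const blob = "%s";
(async () => {
  const plain = await crypto.subtle.decrypt({name: "AES-GCM", iv: iv}, key, blobBytes);
  document.write(new TextDecoder().decode(plain));
})();
</script></body></html>""" % ("QUJD" * 100)

# Constructed sample 2: DOM snapshot of the same page after the script ran.
RENDERED_DOM = """<html><body><h1>Sign in to view the shared document</h1>
<p>Enter this code: <strong>ABCD1234E</strong> at
<a href="https://microsoft.com/devicelogin">https://microsoft.com/devicelogin</a></p>
</body></html>"""

# Constructed sample 3: a benign page that updates the DOM but has no loader.
BENIGN_PAGE = """<html><body><form action="/login"><input name="user">
<input name="pass" type="password"></form>
<script>document.getElementById("status").innerHTML = "Ready";</script></body></html>"""

if __name__ == "__main__":
    for label, raw, dom in [("benign", BENIGN_PAGE, None),
                            ("static only", RAW_RESPONSE, None),
                            ("after execution", RAW_RESPONSE, RENDERED_DOM)]:
        t = classify(raw, dom)
        print(f"{label:16} hits={t.static_hits} code={t.user_code} -> {t.verdict}")
```

The point of the split is operational: stage 1 can only say that a browser run is needed, because the lure itself is still ciphertext at that point; stage 2 produces the evidence (the user code and the legitimate device-login destination) that an analyst or a hunting query can actually act on.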

From there, teams can search for other analyses with the same signature, review related device-code phishing activity, and identify similar code patterns across campaigns beyond EvilTokens.

For security leaders, this turns one suspicious URL into broader campaign visibility, helping teams improve hunting, prioritize response, and strengthen detection before similar attacks reach more users.
How Full Browser Visibility Reduces SOC Risk
Full browser visibility helps security teams reduce the time and uncertainty between the first alert and the response decision.
With ANY.RUN’s in-browser data investigation, SOC teams can:
- Reduce exposure time by confirming malicious URL behavior earlier in the investigation.
- Lower analyst workload by cutting the manual effort needed to rebuild hidden phishing flows.
- Improve escalation quality by giving Tier 2 and IR teams clearer evidence from the start.
- Protect senior resources by helping Tier 1 analysts close or confirm more cases independently.
- Strengthen detection coverage by turning browser evidence and threat context into better hunting logic.
- Reduce business impact by acting before phishing activity turns into account compromise or wider incident response.
For security leaders, the value is not just faster analysis. It is a more efficient SOC, shorter response cycles, and less risk from phishing attacks that hide their behavior inside the browser.
Reduce Enterprise Risk with Faster Phishing Validation
As phishing attacks continue to rely on hidden browser behavior, the ability to validate threats quickly is becoming a competitive advantage for enterprise security teams.
By giving analysts full browser visibility from the start of an investigation, organizations can shorten response times, reduce unnecessary escalations, and limit the operational impact of phishing incidents. Teams using ANY.RUN report a mean time to detect (MTTD) as low as 15 seconds and a mean time to respond (MTTR) reduced by up to 21 minutes per case, helping SOCs move from uncertainty to action much faster.
Close the browser visibility gap: Give your SOC the evidence to validate phishing faster, reduce enterprise risk, and respond before suspicious URLs become costly incidents.