EvilTokens Ghost Phishing Bypasses Microsoft 365 Security

A new "ghost phishing" campaign, attributed to the EvilTokens group, is actively bypassing traditional email security controls across the US and Europe. This attack targets businesses for Microsoft 365 account takeovers, exploiting a blind spot: malicious content remains encrypted until rendered in the victim's browser. The technique uses Microsoft Device Code Phishing, allowing attackers to gain unauthorized access without directly stealing credentials.

Wiz security researchers have uncovered GhostApproval, a vulnerability pattern impacting six AI coding assistants. This flaw, which involves classic symbolic link following (CWE-61) and user interface misrepresentation (CWE-451), allows malicious repositories to trick agents into accessing or writing to files outside their intended workspace. The potential outcomes include remote code execution on developers' machines and sensitive credential exfiltration.

Microsoft has deployed security updates for Microsoft Defender to address CVE-2026-50656, dubbed "RoguePlanet." This privilege escalation vulnerability, discovered by researcher Chaotic Eclipse, impacts the Microsoft Malware Protection Engine and could grant SYSTEM-level privileges on compromised Windows systems. The combined threats show the need for advanced detection capabilities and thorough vulnerability management across an organization's systems.

How does EvilTokens execute Ghost Phishing attacks against Microsoft 365?

The EvilTokens campaign employs a "ghost phishing" technique that conceals its malicious payload until the email content is decrypted and rendered within a victim's browser. Initially, security checks, such as static URL analysis or network-level controls, perceive the inbound email and its embedded links as benign. This evasion is achieved by encrypting the phishing page's HTML with AES-GCM, which only becomes visible and active in the Document Object Model (DOM) after browser-side decryption.

Once activated in the browser, the attack pivots to Microsoft Device Code Phishing. This method persuades victims to complete a legitimate Microsoft login flow, inadvertently authorizing the attacker's access to their Microsoft 365 accounts. Unlike traditional phishing, the technique bypasses direct theft of user passwords, using instead the device code authentication mechanism to establish a persistent foothold. This enables unauthorized access to corporate email, files, and cloud services.

The campaign has demonstrated wide reach, impacting specific business sectors across the US and Europe. Data from ANY.RUN's Threat Intelligence indicates high exposure rates: 75.6% in consulting, 72.8% in financial services, 71.9% in manufacturing, 67.9% in technology, 66.7% in banking, and 66.1% among Managed Security Service Providers (MSSPs). The delay in detecting these hidden attacks extends the exposure window, complicates incident response, and increases potential operational costs from account takeovers.

What is the GhostApproval vulnerability affecting AI coding assistants?

The GhostApproval vulnerability pattern, identified by Wiz researchers, shows a trust boundary gap in modern AI coding assistants. This flaw, affecting six products (Amazon Q Developer, Anthropic Claude Code, Augment, Cursor, Google Antigravity, and Windsurf), allows malicious repositories to manipulate developer environments through symbolic links. The core of the attack combines symbolic link following (CWE-61) with user interface misrepresentation (CWE-451).

Attackers construct a repository where a seemingly innocuous file, such as project_settings.json, is actually a symbolic link to a sensitive system file like ~/.ssh/authorized_keys or ~/.zshrc. When an AI assistant is instructed to update this "project settings" file, it blindly follows the symlink and writes to the external, sensitive target. This can lead to remote code execution (RCE) by injecting attacker-controlled SSH keys or persistent shell commands, granting the attacker unauthorized access to the developer's machine.

A main aspect of GhostApproval is the failure of the "Human-in-the-Loop" safety mechanism. In several instances, despite the AI agent internally recognizing the dangerous, out-of-workspace target, the user-facing confirmation prompt obscures this information. For example, Anthropic Claude Code's internal reasoning might note a symlink to a sensitive configuration file, yet the user is only prompted to approve an edit to project_settings.json. This informational asymmetry makes user consent functionally meaningless. Organizations using AI coding tools should prioritize understanding their security implications, especially with emerging threats to developer environments, as discussed in securing AI-built software.

The vendor responses to GhostApproval varied, with some quickly remediating the issue.

  • Amazon Q Developer exhibited pre-authorization write behavior, where the agent wrote to the filesystem before presenting an undo option. This was patched in language server version 1.69.0, with AWS assigning CVE-2026-12958 for this flaw.
  • Cursor addressed a vulnerability where its diff UI showed the symlink path, but the backend wrote to the resolved target. A fix was deployed in v3.0, and Cursor published CVE-2026-50549.
  • Google Antigravity also displayed the symlink path rather than the canonical path in its permission dialog, which was subsequently fixed by Google.
  • Augment and Windsurf demonstrated silent read and write operations via symlinks without user confirmation, indicating severe issues. While acknowledged, specific fixes or CVEs are pending from these vendors.
  • Anthropic Claude Code initially rejected the findings as "outside their threat model" but has since updated its versions to resolve symlinks and warn users before writing to sensitive files.

Did Microsoft patch the RoguePlanet Defender flaw?

Yes, Microsoft has released security updates addressing the RoguePlanet vulnerability, tracked as CVE-2026-50656, with a CVSS score of 7.8 (High severity). This privilege escalation flaw resides within the Microsoft Malware Protection Engine (mpengine.dll), the core component providing scanning, detection, and cleaning capabilities for Microsoft Defender and other antivirus products. The vulnerability was patched in Microsoft Malware Protection Engine version 1.1.26060.3008.

The RoguePlanet flaw was publicly disclosed by security researcher Chaotic Eclipse, also known as Nightmare-Eclipse. The researcher described it as a race condition that could be exploited to spawn a shell with SYSTEM-level privileges. Such an exploit allows an attacker to execute code with the highest possible permissions on a compromised Windows system, irrespective of whether real-time protection was active. While the disclosure came nearly a month before Microsoft's official patch, the company confirms that no customer action is required for the update, as the software updates automatically.

This is the fourth Microsoft Defender vulnerability publicly revealed by Chaotic Eclipse, following BlueHammer (CVE-2026-33825), UnDefend (CVE-2026-45498), and RedSun (CVE-2026-41091). All have received patches. The consistent identification of significant flaws in critical security software like Microsoft Defender shows the ongoing importance of vulnerability research and rapid patching cycles. Addressing privilege escalation is vital for endpoint security, a topic explored in strategies for mitigating privilege escalation.

Technical Takeaways

  • EvilTokens uses AES-GCM encryption and Microsoft Device Code Phishing to create "ghost phishing" attacks that bypass traditional email security and lead to Microsoft 365 account takeovers.
  • The GhostApproval vulnerability affects six AI coding assistants, enabling remote code execution or credential theft through symbolic link following (CWE-61) and user interface misrepresentation (CWE-451).
  • Microsoft has patched CVE-2026-50656 (RoguePlanet), a high-severity privilege escalation flaw in the Microsoft Malware Protection Engine (mpengine.dll), allowing SYSTEM-level access on vulnerable Windows systems.
  • Affected sectors for ghost phishing include consulting (75.6% exposure), financial services (72.8%), manufacturing (71.9%), technology (67.9%), banking (66.7%), and MSSPs (66.1%).
  • AI coding assistant vendors, including Amazon Q Developer (CVE-2026-12958) and Cursor (CVE-2026-50549), have released fixes for GhostApproval vulnerabilities.