Phishing, BEC, DMARC and inbox threats — pulled every two hours from 6 trusted sources, filtered down to what matters.
This week in email security
AI briefing · 2026-07-02
EvilTokens MFA-bypass phishing kit drives industry reckoning on detection gaps
EvilTokens and the affiliated ARToken platform represent a coordinated MFA-bypass and BEC-as-a-service threat that is actively compromising Microsoft 365 tenants, using evasion techniques that hide takeover indicators until browser execution.
SOC visibility gaps are the core weakness EvilTokens exploits: account compromise signals remain invisible until malware executes in the browser, requiring defenders to shift from credential-focused monitoring to behavioral and post-authentication anomaly detection.
Alternative authentication methods and device-code phishing bypass traditional credential-based defenses, pushing organizations beyond email gateway filters toward identity-layer controls, MFA validation, and threat intelligence enrichment tools.
Ransomware syndicates like Black Basta increasingly pair advanced phishing tradecraft with corporate-style operational discipline, making phishing success a direct precursor to major data breaches and extortion demands rather than a standalone risk.
The EvilTokens device-code phishing kit bypasses MFA and authenticates to Microsoft 365 as its victims. Cisco Talos revealed new evasion techniques and capabilities, underscoring the threat's sophistication for email security professionals managing organizational defense.
A webinar discussing how modern phishing, BEC, and account takeover attacks bypass traditional email security by exploiting trusted identities and workflows. The presentation covers behavioral AI solutions for automated detection and response.
Criminal IP integration enriches OpenCTI threat indicators with risk scoring, infrastructure intelligence, and phishing analysis to improve threat intelligence context and usability for security teams.
Researchers discovered ARToken, a business email compromise-as-a-service platform affiliated with the EvilTokens phishing operation. The toolkit is designed to bypass MFA and compromise Microsoft 365 accounts, representing an advanced threat targeting organizations.
A phishing campaign targeting MetaMask cryptocurrency wallet users was detected. The attack uses alternative authentication methods instead of traditional credential theft, demonstrating evolving phishing tactics that security professionals should recognize.
EvilTokens is a phishing attack that hides account takeover indicators until browser execution, leaving SOCs with limited visibility. Enterprise teams need enhanced monitoring to validate threats faster and reduce account compromise risk.
Black Basta ransomware syndicate operates like a sophisticated corporation, using advanced phishing and malware campaigns to target victims. The group's leaked internal communications reveal their evolution into organized extortion operations, relevant to understanding modern ransomware delivery mechanisms.
A Canadian health board conducted a phishing awareness test on staff using a fake vacation day offer, which sparked backlash for its inappropriate theme. The organization apologized for the social engineering exercise designed to test employee security awareness.
An exposed server revealed the Bissa Scanner platform, used for large-scale exploitation and credential harvesting across multiple victims. The operators leveraged AI tools like Claude Code and OpenAI to automate and refine their malicious collection pipeline, demonstrating sophisticated attack infrastructure.