A recent EvilTokens campaign targeting businesses across the US and Europe is exposing a new email security blind spot. This βghost phishingβ technique keeps the malicious page hidden until it decrypts and comes to life inside the victimβs browser.
For security leaders, the risk is clear: traditional URL checks may miss the attack while Microsoft 365 access, sensitive data, and response time
For years, account takeover (ATO) followed a predictable script. Attackers bought stolen credentials in bulk, ran them through automated tools, and waited for matches. Credential stuffing was cheap, scalable, and for defenders, relatively well understood.
That era is ending. Not because attackers gave up, but because the front door finally got harder to kick in.
Passkeys are now mainstream.
Software supply chain security was hard enough. Then AI joined the build pipeline.
For five years, "software supply chain security" meant one question: what's in your code? Which open-source packages, which versions, which transitive dependencies three layers deep that nobody chose on purpose?
SolarWinds, Log4Shell, and XZ Utils all taught the same lesson: the risk lives less in the code a