Back to Learning CenterSecurity

What is ghost phishing and can DMARC stop it?

By Samuel ChenardJuly 13, 20266 min read
What is ghost phishing and can DMARC stop it?

Ghost phishing is a technique where the malicious part of an email or web page stays encrypted until it is decrypted and assembled inside the victim's browser. Because the message that actually crosses the wire looks empty or harmless, email authentication and gateway scanners see nothing to block. Email authentication like DMARC can stop an attacker from spoofing your domain, but it cannot see a payload that only comes to life after delivery — so DMARC alone does not stop ghost phishing.

Quick Takeaways

  • Ghost phishing keeps its payload encrypted in transit and decrypts it in the browser, hiding it from static scanners.
  • SPF, DKIM, and DMARC check the message envelope and headers, not what JavaScript renders after the page loads.
  • A July 2026 wave paired ghost phishing with Microsoft device code phishing to capture account access without stealing a password.
  • DMARC still matters: it stops attackers from sending ghost-phishing lures from your own domain.
  • Layered defense — user training, MFA phishing resistance, and browser-side controls — is what closes the gap DMARC cannot.

What is ghost phishing?

Ghost phishing is a delivery trick, not a new type of scam. The end goal is the same as any phishing attack: steal credentials, session tokens, or account access. What changes is when the malicious content becomes visible.

In a traditional phishing email, the fake login page or malicious link is present in the message body, so a secure email gateway can inspect it. Ghost phishing splits the attack in two. The email or landing page ships only an encrypted blob plus a small script. Nothing in that blob is readable until the recipient's browser runs the script, decrypts the payload, and injects the finished phishing page into the page's DOM. To every automated check between the sender and the inbox, the message looks inert.

This is why the technique is called "ghost" — the attack is not in the file that gets scanned. It materializes only on the victim's screen.

How does the July 2026 ghost phishing wave work?

A campaign observed in late June and early July 2026, reported by ANY.RUN, shows the technique in production. The attackers delivered an HTML payload encrypted with AES-GCM. When the target opened it, browser-side JavaScript decrypted the content and rendered a convincing Microsoft sign-in experience directly in the DOM.

The lure then pushed victims through Microsoft device code phishing. Instead of harvesting a password on a fake form, the attacker starts a genuine Microsoft login flow and tricks the user into entering an attacker-supplied device code and approving it. The victim completes a legitimate Microsoft authentication — but the resulting access is authorized for the attacker's device. We break that flow down in our guide to OAuth device code login abuse.

According to ANY.RUN's 2026 sandbox data drawn from roughly 15,000 organizations, phishing exposure reached 66.1% among managed security service providers, placing MSPs and their clients among the most-targeted groups. Treat that figure as a signal about who attackers are aiming at, not a guarantee about any single environment.

Why don't SPF, DKIM, and DMARC catch ghost phishing?

Email authentication answers one question: is this message really from the domain it claims to be from? It does not judge what the message asks the reader to do.

  • SPF checks whether the sending server's IP is authorized for the envelope domain.
  • DKIM verifies that the headers and body were not altered in transit, using a cryptographic signature.
  • DMARC ties SPF and DKIM to the visible From address and lets a domain owner set a policy of none, quarantine, or reject.
All three inspect the message as it arrives. With ghost phishing, the message that arrives is an encrypted blob that passes signature and body checks cleanly because it is exactly what the sender intended to send. The dangerous content does not exist yet — it is generated later, in the browser, from data the scanner had no key to read. This is the same blind spot that lets ordinary phishing emails pass SPF and DKIM checks when the attacker sends from a domain they legitimately control.

Static URL checks and network-level filters hit the same wall: they can capture the initial encrypted response without ever seeing the phishing page the employee actually clicks.

What can DMARC actually stop?

DMARC's job is domain protection, and it does that job well. If an attacker tries to send a ghost-phishing lure that appears to come from your domain, an enforced DMARC policy (p=quarantine or p=reject) tells receiving servers to refuse or sideline it. That removes your brand as a trusted delivery vehicle and is exactly why enforcement matters.

What DMARC cannot do is inspect a message sent from a domain the attacker owns, or control what happens after a user clicks. It is a sender-identity control, not a content scanner or an endpoint defense. Ghost phishing exploits the gap between "this email is authentic" and "this email is safe." Closing that gap takes more than DNS records — but authentication is still the foundation everything else builds on. Check where your domain stands with the Email Security Score tool, and confirm your policy with the DMARC checker.

How do you defend against ghost phishing?

Because the payload appears only in the browser, defense has to extend past the mail gateway to the user and the endpoint.

  • Enforce DMARC so your own domain cannot be used as the lure. Move from p=none to p=quarantine or p=reject once your legitimate senders are aligned.
  • Deploy phishing-resistant MFA such as FIDO2 or passkeys. Device code phishing thrives on approval-based factors; hardware-bound credentials break it.
  • Restrict device code flow in Microsoft Entra ID conditional access if your organization does not need it, so an approved code cannot grant access from an unexpected location.
  • Train users on the device code pattern. No legitimate service asks you to enter a code you did not request into a Microsoft prompt.
  • Watch for lookalike domains and email spoofing attempts that seed these campaigns.
For MSPs, Palisade automates the authentication layer — getting client domains to DMARC enforcement and keeping them there — so your team can focus attention on the endpoint and identity controls that catch what authentication cannot. Start with a free Email Security Score to see which client domains are still exploitable.

Frequently asked questions

Is ghost phishing a new kind of malware? No. It is a delivery and evasion technique. The end payload is usually a credential- or token-theft phishing page, not a virus.

Does a secure email gateway stop it? Not reliably on its own. Gateways inspect the delivered message; ghost phishing keeps the malicious content encrypted until it renders in the browser, after the gateway has passed it.

If DMARC can't stop it, is DMARC still worth it? Yes. DMARC prevents attackers from launching these lures from your domain, which protects your brand and your customers, and it is required by major mailbox providers for bulk senders.

How is this different from a browser-in-the-browser attack? Both hide malicious intent inside the rendered page, but ghost phishing focuses on decrypting the payload client-side to evade scanning, while browser-in-the-browser fakes a popup window to imitate a real login prompt.

Share this article

Samuel Chenard

Written by

Samuel Chenard

CEO & Co-Founder, Palisade

Samuel Chenard is the CEO and co-founder of Palisade, the DMARC automation platform for MSPs. He writes Palisade's guides on DMARC, SPF, DKIM and email deliverability.

More from Samuel

Related articles