The EvilTokens phishing kit utilizes browser-side AES-GCM decryption to conceal its malicious payload from static analysis tools. By abusing the Microsoft Device Code authentication flow, the kit tricks victims into authorizing attacker access to their Microsoft 365 accounts without directly harvesting credentials, creating a significant visibility gap for SOC teams.