Sneaky 2FA phishing kit adds BitB pop-up designed to mimic browser address bar

November 18, 2025 6 Min Read

The operators of the Phishing-as-a-Service (PhaaS) kit known as Sneaky 2FA have added Browser-in-the-Browser (BitB) functionality to their toolset, another sign of how such products keep evolving and lowering the skill needed to run large-scale phishing campaigns.

Push Security said in a report shared with The Hacker News that it observed the technique being used in phishing attacks aimed at stealing victims’ Microsoft account credentials.

BitB was first documented in March 2022 by security researcher mr.d0x, who showed how HTML and CSS alone can draw a fake browser window, complete with a convincing title bar and address bar, that masquerades as a legitimate service's login pop-up in order to harvest credentials.

“BitB is primarily designed to mask suspicious phishing URLs by simulating a very common feature of in-browser authentication: a pop-up login form,” Push Security said. “The BitB phishing page replicates the design of a pop-up window with an iframe pointing to a malicious server.”

To complete the deception, the simulated address bar of the fake pop-up shows a legitimate Microsoft login URL, so the victim believes they are typing their credentials into a genuine Microsoft page when the form is actually served from the attacker's iframe. The giveaway is that the "window" is just page content: it cannot be dragged outside the parent tab's viewport, it does not appear in the taskbar or window switcher, and the tab's real address bar still shows the phishing domain.

In one attack chain the company observed, visitors to a suspicious URL (“previewdoc(.)us”) are first presented with a Cloudflare Turnstile check; the chain advances only if the visitor passes this bot-protection step, after which they are shown a page with a “Sign in with Microsoft” button supposedly required to view a PDF document.

Clicking the button loads the phishing page, disguised as a Microsoft login form, inside the BitB fake window. Credentials and session details entered there are captured by the attacker, who can then use them to take over the victim's account.


In addition to using bot-protection technologies like CAPTCHA and Cloudflare Turnstile to keep automated security tools away from the phishing pages, the attackers use conditional loading so that only intended targets reach the final page, while everyone else is filtered out or redirected to a benign site.

Sneaky 2FA, first documented by Sekoia earlier this year, is known to employ several anti-analysis measures, including code obfuscation and disabling browser developer tools to hinder inspection of its pages. Phishing domains are also rotated quickly to limit detection.

“Threat actors are continually innovating phishing techniques, especially in the context of the increasingly specialized PhaaS ecosystem,” Push Security said. “As identity-based attacks continue to be the leading cause of breaches, attackers are incentivized to improve and harden their phishing infrastructure.”

The disclosure comes alongside research from SquareX showing that malicious browser extensions can be used to spoof passkey registrations and logins, potentially allowing threat actors to access corporate apps without the user's device or biometrics.

The attack, dubbed “Passkey Pwned,” exploits the fact that there is no end-to-end protected channel between the user's authenticator and the service: the browser sits in the middle, and malicious scripts or extensions running in it can manipulate the exchange and effectively hijack the authentication process.

When a user registers or signs in with a passkey, the site's JavaScript calls the WebAuthn APIs navigator.credentials.create() (registration) and navigator.credentials.get() (authentication), and the browser relays those requests to the authenticator. The attack manipulates both flows by injecting JavaScript that replaces these functions.

“The malicious extension intercepts the call before it reaches the authentication system and generates a unique key pair (including a private and public key) controlled by the attacker,” SquareX said. “The malicious extension stores an attacker-controlled private key locally, allowing it to be reused to sign future authentication challenges on the victim’s device without generating a new key.”

A copy of the private key is also sent to the attacker, who can then sign in to the corporate apps from their own device. During login, the extension likewise intercepts the navigator.credentials.get() call and signs the challenge with the attacker-controlled private key created at registration. Because the service only ever received the attacker's public key, its signature check passes; the substitution is detectable only where the service requests and enforces attestation, since a software-generated key cannot carry a valid attestation from a genuine authenticator.


Threat actors are also circumventing phishing-resistant authentication methods like passkeys through so-called downgrade attacks, in which adversary-in-the-middle (AitM) phishing kits like Tycoon prompt victims to fall back to a phishable, less secure login option instead of using their passkey.

“So even if a phish-resistant login method exists, the existence of a less secure backup method means your account is still vulnerable to phishing attacks,” Push Security noted in July 2025.

As attackers refine their tactics, users should be wary of suspicious messages and of installing browser extensions, and organizations can use conditional access policies to block account takeover by rejecting logins that do not meet defined conditions, such as requiring a phishing-resistant authentication method and a managed device.
