Sneaky 2FA Phishing Kit Now Uses Browser-in-the-Browser Attack

Sneaky 2FA Phishing Kit Uses Browser-in-the-Browser and Passkey Attacks to Steal Microsoft Credentials

  • Phishing-as-a-Service (PhaaS) kit Sneaky 2FA now uses Browser-in-the-Browser (BitB) impersonation to steal Microsoft account credentials.
  • BitB creates fake browser pop-ups that simulate legitimate login windows, masking phishing URLs and enhancing deception.
  • Attackers use bot protection like Cloudflare Turnstile and conditional loading to restrict access to phishing pages and avoid detection.
  • New browser extension attacks can hijack passkey-based logins by intercepting and forging authentication keys via JavaScript injection.
  • Phishing kits also employ downgrade attacks to bypass phishing-resistant login methods such as passkeys by coercing victims to use weaker alternatives.

Malware authors behind the Phishing-as-a-Service (PhaaS) kit Sneaky 2FA have integrated Browser-in-the-Browser (BitB) technology into their phishing campaigns to capture Microsoft account credentials. This update was detailed in a report highlighting the new tactics used to enhance deception and scalability.

The BitB technique exploits HTML and CSS to create fake browser pop-ups that appear as genuine login windows but actually host embedded phishing pages. These windows display legitimate Microsoft URLs to trick victims into entering their credentials, facilitating data theft. According to Push Security, the method “masks suspicious phishing URLs by simulating a pretty normal function of in-browser authentication – a pop-up login form.”

One observed attack begins with a suspicious URL “previewdoc[.]us” that enforces bot protection using Cloudflare Turnstile. After passing the verification, users see a “Sign in with Microsoft” button to view a PDF. Clicking it opens a BitB-based phishing page where credentials and session data are harvested and sent to the attacker.
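A defender-side heuristic for the BitB pattern described above, as an added example that is not code from Push Security or the original report. It scans a rendered-DOM snapshot; the host list, the function name `bitb_suspect` and both sample pages are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: short illustrative list of Microsoft sign-in hosts, not exhaustive.
IDP_HOSTS = ("login.microsoftonline.com", "login.live.com")

class _Scan(HTMLParser):
    """Collects the signals a BitB page leaves in a rendered-DOM snapshot."""
    def __init__(self):
        super().__init__()
        self.drawn_urls = []        # IdP URLs shown as page text or input values
        self.login_surface = False  # iframe or password field inside the page
        self._skip = 0              # depth inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "style"):
            self._skip += 1
        elif tag == "iframe" or (tag == "input" and (a.get("type") or "").lower() == "password"):
            self.login_surface = True
        if tag == "input":
            self._check(a.get("value") or "")

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:          # ignore code and CSS, keep visible text only
            self._check(data)

    def _check(self, text):
        if any(h in text.lower() for h in IDP_HOSTS):
            self.drawn_urls.append(text.strip())

def bitb_suspect(page_url, html):
    """True when a non-Microsoft page draws a Microsoft sign-in URL as content
    next to an embedded login surface. A real pop-up is a separate window with
    its own address bar, so the opener has little reason to render that URL."""
    if (urlparse(page_url).hostname or "").lower() in IDP_HOSTS:
        return False
    scan = _Scan()
    scan.feed(html)
    scan.close()
    return bool(scan.drawn_urls) and scan.login_surface

# Constructed samples (not taken from any real kit).
FAKE_POPUP = ('<div><span>https://login.microsoftonline.com/</span>'
              '<iframe src="/frame.html"></iframe></div>')
REAL_OPENER = ('<button id="signin">Sign in with Microsoft</button>'
               '<script>/* opens login.microsoftonline.com in a real window */</script>')
```

This is a triage signal for analysts and crawlers rather than a verdict, since it depends on the snapshot being taken after any conditional loading has run.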

Sneaky 2FA uses obfuscation and disables developer tools to avoid analysis while quickly rotating phishing domains to limit detection. The attackers also employ conditional loading techniques to ensure only specific targets access phishing content, redirecting others to harmless sites.

Separately, researchers have uncovered attacks on passkey authentication that involve malicious browser extensions injecting JavaScript to manipulate the WebAuthn API. The attack, dubbed Passkey Pwned, generates attacker-controlled key pairs during registration and reuses them to sign authentication challenges, allowing unauthorized access to enterprise apps without needing the victim’s device or biometrics.

Furthermore, phishing kits like Tycoon carry out downgrade attacks by presenting victims with an option to use less secure login methods instead of passkeys, weakening the authentication protection. Push Security notes that the presence of weaker fallback options leaves accounts vulnerable despite passkey availability.

Users are advised to remain cautious when handling suspicious messages and browser extensions. Organizations can adopt conditional access policies to mitigate account takeover risks by blocking logins that fail to meet specific security criteria.
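The downgrade risk and the conditional access mitigation described above can be checked against enrolment data and sign-in logs. The following is an added example, not code from the report or from any vendor; the record fields, method names and users are hypothetical and the data is constructed.

```python
# Constructed data; field and method names are hypothetical, not a vendor schema.
PHISHING_RESISTANT = {"passkey"}

REGISTERED = {
    "alice": {"passkey", "password+sms"},   # passkey plus a weaker fallback
    "bob": {"password+totp"},               # no passkey enrolled
    "carol": {"passkey"},                   # passkey only
}
SIGNINS = [
    {"user": "alice", "method": "passkey", "result": "success"},
    {"user": "alice", "method": "password+sms", "result": "success"},
    {"user": "bob", "method": "password+totp", "result": "success"},
    {"user": "carol", "method": "password+sms", "result": "failure"},
]

def downgrade_exposed(registered):
    """Users who hold a passkey but still have a weaker method enabled."""
    return sorted(user for user, methods in registered.items()
                  if methods & PHISHING_RESISTANT and methods - PHISHING_RESISTANT)

def evaluate(signin, registered):
    """Conditional-access style decision for one sign-in attempt."""
    methods = registered.get(signin["user"], set())
    if signin["method"] in PHISHING_RESISTANT:
        return "allow"
    if methods & PHISHING_RESISTANT:
        return "block"    # passkey holder presented a weaker method: likely downgrade
    return "review"       # no passkey enrolled: an enrolment gap, not a downgrade

def completed_downgrades(signins, registered):
    """Successful sign-ins that the policy above would have blocked."""
    return [s for s in signins
            if s["result"] == "success" and evaluate(s, registered) == "block"]

if __name__ == "__main__":
    print("exposed to downgrade:", downgrade_exposed(REGISTERED))
    for s in completed_downgrades(SIGNINS, REGISTERED):
        print("investigate:", s["user"], "signed in with", s["method"])
```

`downgrade_exposed` audits configuration before an incident, while `completed_downgrades` finds sign-ins that already succeeded through the weaker path.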
