New Phishing Tactics Use Fake Browser Pop-Ups to Steal Logins
The operators of the Sneaky 2FA Phishing-as-a-Service (PhaaS) kit have added Browser-in-the-Browser (BitB) attacks to its toolset. BitB renders a fake pop-up login window inside the phishing page itself, drawn with ordinary HTML and CSS, complete with a painted address bar showing a legitimate-looking URL. The window is not a real browser window at all, so the address it displays is meaningless; only the browser's own address bar for the outer page is trustworthy. The goal is to harvest Microsoft account credentials.
In one observed chain, victims landed on a malicious site, passed a bot check, and were told to click "Sign in with Microsoft" to view a supposed PDF. The fake Microsoft login window that followed captured their credentials and session information, which is what lets a kit of this type get past MFA: the attacker reuses the stolen session instead of having to supply the second factor.
The kit also uses CAPTCHAs and conditional loading (the phishing content is only served after checks meant to filter out scanners and sandboxes), together with rapidly rotating domains, to evade security tooling. Sneaky 2FA further obfuscates its page code and interferes with browser developer tools and code inspection, which makes the pages slow to analyze.
Separately, researchers found that a malicious browser extension can hijack the WebAuthn flow inside the page. By intercepting the passkey registration and login calls, the extension can perform the passkey creation itself, so the private key ends up under the attacker's control rather than in the user's authenticator, and the attacker can later sign in without the user's device or biometrics. The same position also enables downgrade attacks, where the extension suppresses the passkey option so the user falls back to a weaker method such as a password.
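The extension attack above works only because the extension replaces the page's WebAuthn entry points, navigator.credentials.create() for registration and navigator.credentials.get() for login, with its own JavaScript. That replacement leaves traces a relying party's page script can look for. The following is an added example, not code from the article or from the researchers it cites: a small integrity tripwire that flags a method that is no longer native code, that sits on the instance instead of the prototype, or whose name has changed. Node has no WebAuthn, so the stand-in object and the two hijack simulations below are constructed for the demonstration; in a browser you would pass navigator.credentials itself.

```javascript
// Added example (not from the article or the cited research): a page-side
// tripwire for the WebAuthn methods that a passkey-hijacking extension must
// replace. Replacing them with extension JavaScript leaves traces: the
// function no longer reads as native code, it may sit on the instance rather
// than the prototype, or its name changes.

const WEBAUTHN_METHODS = ['create', 'get'];

// Function.prototype.toString is called directly so an attacker-supplied
// fn.toString cannot lie about the function body.
function isNativeFunction(fn) {
  if (typeof fn !== 'function') return false;
  return /\{\s*\[native code\]\s*\}\s*$/.test(Function.prototype.toString.call(fn));
}

function checkWebAuthnIntegrity(credentials) {
  const findings = [];
  for (const name of WEBAUTHN_METHODS) {
    const fn = credentials[name];
    if (typeof fn !== 'function') {
      findings.push(`${name}: missing`);
      continue;
    }
    // Native methods live on the prototype (CredentialsContainer.prototype in
    // a browser); an own property on the instance means something shadowed them.
    if (Object.prototype.hasOwnProperty.call(credentials, name)) {
      findings.push(`${name}: own property shadows the prototype method`);
    }
    if (!isNativeFunction(fn)) {
      findings.push(`${name}: not native code`);
    }
    // A bound or renamed wrapper reports a different name ("bound create").
    if (fn.name !== name) {
      findings.push(`${name}: unexpected function name "${fn.name}"`);
    }
  }
  return { tampered: findings.length > 0, findings };
}

// Constructed stand-in for navigator.credentials: real native functions that
// happen to carry the right names, placed on a prototype as the browser does.
function makeCleanStandIn() {
  return Object.create({ create: Object.create, get: Reflect.get });
}

// Constructed simulation of an extension injected into the page's main world
// that replaces both methods with its own JavaScript.
function hijackNaively(credentials) {
  credentials.create = async function create(options) { return options; };
  credentials.get = async function get(options) { return options; };
  return credentials;
}

// A stealthier variant: bound native functions still print "[native code]",
// so only the own-property and name checks catch them.
function hijackWithBoundNatives(credentials) {
  credentials.create = Object.create.bind(null);
  credentials.get = Reflect.get.bind(null);
  return credentials;
}

function demo() {
  return {
    clean: checkWebAuthnIntegrity(makeCleanStandIn()),
    naive: checkWebAuthnIntegrity(hijackNaively(makeCleanStandIn())),
    bound: checkWebAuthnIntegrity(hijackWithBoundNatives(makeCleanStandIn())),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Treat this as a cheap tripwire rather than a guarantee: an extension that replaces the method on the prototype with a Proxy around the native function passes all three checks, because a Proxy of a callable also reports "[native code]" and forwards the name. Run it early in the page, before any user interaction, and send findings to the server so failed checks can feed the conditional access decisions mentioned below. The real controls remain managing which extensions are allowed to run and monitoring for logins that fall back to weaker methods.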
Staying Safe
- Be cautious with emails, links, and attachments from unknown senders.
- Check the browser's own address bar before entering login information, not an address shown inside a pop-up. A real login pop-up is a separate window that can be dragged outside the browser; a BitB fake is part of the page and cannot leave it.
- Avoid installing browser extensions you don't fully trust, and review the permissions of the ones you keep.
- Enable multi-factor authentication (MFA) wherever possible.
- Use passkeys when available and avoid weaker backup login options.
- Keep browsers and extensions updated.
- Organizations should apply conditional access rules to block risky logins.
Source: https://thehackernews.com/2025/11/sneaky-2fa-phishing-kit-adds-bitb-pop.html