Sneaky2FA Attack Toolkit Upgrades Browser-in-the-Browser Techniques to Steal Microsoft 365 Accounts More Convincingly


480/68 Friday, November 21, 2025

A recent report from Push Security reveals that the Phishing-as-a-Service (PhaaS) toolkit known as Sneaky2FA has enhanced its capabilities by integrating Browser-in-the-Browser (BitB) techniques. This upgrade allows attackers to steal Microsoft 365 login credentials and session tokens with a high degree of realism. The BitB method enables the toolkit to generate fake login windows that automatically mimic the victim’s operating system and browser – such as Edge on Windows or Safari on macOS – making the phishing attempt extremely convincing. As a result, attackers can bypass two-factor or multi-factor authentication (2FA/MFA) even when users have these protections enabled.

The attack typically begins by luring victims to click a link to view a document (e.g., hosted on previewdoc[.]com). When victims click “Sign in with Microsoft”, a fake pop-up window is displayed, created using an overlaid iframe. This pop-up replicates the OAuth login experience, including a forged URL bar that looks identical to Microsoft’s legitimate domain. Behind the scenes, Sneaky2FA still relies on an Attacker-in-the-Middle (AiTM) or reverse proxy setup, passing the victim’s real login request to Microsoft’s servers. This allows attackers to capture both the password and valid session tokens simultaneously, giving them full access to the victim’s account.
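Because the AiTM proxy described above forwards the victim's real login and MFA to Microsoft, the resulting session token is first minted from the proxy's address and then replayed from wherever the attacker operates. The following Python example is added here (it is not from the Push Security report or the Sneaky2FA kit) and shows one defender-side detection over constructed sign-in log lines in a hypothetical `timestamp,user,session_id,client_ip` format: flag any session seen from more than one client IP within a short window.

```python
"""Detect likely AiTM session-token replay in constructed sign-in log lines."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data; the CSV-like format and all addresses are hypothetical.
# alice's session appears from a second IP six minutes after it was issued,
# which is the pattern a reverse-proxy credential/token theft leaves behind.
SAMPLE_LOGS = """\
2025-11-21T09:00:05Z,alice@example.com,sess-7f3a,203.0.113.10
2025-11-21T09:00:07Z,alice@example.com,sess-7f3a,203.0.113.10
2025-11-21T09:06:40Z,alice@example.com,sess-7f3a,198.51.100.77
2025-11-21T10:15:00Z,bob@example.com,sess-91c2,192.0.2.25
2025-11-21T10:20:00Z,bob@example.com,sess-91c2,192.0.2.25
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, user, session_id, ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, sid, ip = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, sid, ip))
    return events


def find_token_replay(events, window=timedelta(hours=1)):
    """Return (user, session_id, first_ip, other_ip) for every session that is
    used from a second client IP within `window` of its first observation."""
    by_session = defaultdict(list)
    for ts, user, sid, ip in sorted(events):
        by_session[(user, sid)].append((ts, ip))

    findings = []
    for (user, sid), seen in by_session.items():
        first_ts, first_ip = seen[0]
        for ts, ip in seen[1:]:
            if ip != first_ip and ts - first_ts <= window:
                findings.append((user, sid, first_ip, ip))
                break  # one finding per session is enough for an alert
    return findings


if __name__ == "__main__":
    for finding in find_token_replay(parse_log(SAMPLE_LOGS)):
        print("possible AiTM token replay:", finding)
```

In production the same check is stronger when the first IP is additionally matched against hosting/VPN ASN lists, since the proxy rarely sits on the user's usual network.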

Researchers also found that Sneaky2FA uses sophisticated code obfuscation to evade security scanners and includes filtering mechanisms designed to redirect bots or security researchers to benign pages rather than the phishing content.

Users can defend themselves by checking for abnormal behavior: try dragging the login pop-up window outside the main browser frame. If the window cannot be separated into an independent window or does not show up as a standalone icon on the taskbar, it is likely a fake BitB window.

Other PhaaS operators – including Raccoon0365/Storm-2246 – have adopted BitB techniques in the past, though Microsoft and Cloudflare have since implemented countermeasures against those campaigns. Given the rising sophistication of PhaaS platforms, users and organizations are advised to increase vigilance and strengthen security protocols against such advanced phishing threats.

Source: https://www.bleepingcomputer.com/news/security/sneaky2fa-phaas-kit-now-uses-redteamers-browser-in-the-browser-attack/