Sneaky2FA PhaaS Adopts Devastating Browser-in-the-Browser Attack

▼ Summary
– Sneaky2FA is a phishing-as-a-service kit that now uses browser-in-the-browser attacks to steal Microsoft credentials and active sessions.
– The kit employs attacker-in-the-middle tactics to proxy authentication and relay valid session tokens to attackers, bypassing two-factor authentication.
– Its fake BitB pop-up mimics a legitimate Microsoft login window and dynamically adjusts to the victim’s operating system and browser for deception.
– Sneaky2FA heavily obfuscates its HTML and JavaScript to evade detection, using techniques like invisible tags and encoded images.
– Users can identify fake pop-ups by attempting to drag them outside the browser window: an authentic pop-up is a separate window that can leave the tab and appears in the taskbar, whereas the fake is page content and cannot.
The Sneaky2FA phishing-as-a-service platform has integrated a sophisticated browser-in-the-browser attack method, significantly increasing the threat to Microsoft account credentials and active user sessions. This widely distributed toolkit, often mentioned alongside Tycoon2FA and Mamba2FA, primarily focuses on compromising Microsoft 365 accounts through advanced social engineering tactics.
Previously recognized for its SVG-based attacks and attacker-in-the-middle (AitM) approach, Sneaky2FA now employs BitB pop-ups that closely imitate legitimate Microsoft login windows. Security analysts at Push Security found that these deceptive windows automatically adapt their appearance to match the victim's operating system and browser, creating a convincing facade. Combined with the kit's existing AitM proxying, this lets threat actors capture both the login credentials and the session tokens issued after the victim completes two-factor authentication, so the second factor offers no protection.
The browser-in-the-browser technique originally emerged from security research in 2022 and has since been weaponized by cybercriminals targeting various platforms, including Facebook and Steam. During these attacks, users encounter what appears to be a standard browser pop-up window containing a login form. In reality it is an HTML/CSS template drawn inside the page: an iframe supplies the content, and a fake title bar and address bar carry whatever text the attacker chooses, so the "window" can display an official login domain while its content is actually served from elsewhere.
Victims typically reach these phishing pages through links directing to domains like ‘previewdoc[.]com’, where they first encounter a Cloudflare Turnstile bot verification before being prompted to sign in with Microsoft to access a document. Once users click the “Sign in with Microsoft” option, the fraudulent BitB window renders with astonishing accuracy, displaying a fake URL bar styled to match either Edge on Windows or Safari on macOS environments.
Behind this visual layer, Sneaky2FA loads its reverse-proxy Microsoft phishing page inside the fake window. The victim interacts with the real Microsoft login flow relayed through the attacker's proxy, which records the password and, once MFA completes, the resulting session cookie or token, using the kit's established AitM infrastructure. The BitB component is therefore an additional deception layer that makes the sequence more credible without changing the kit's core credential- and session-stealing mechanism.
The phishing kit incorporates evasion techniques, including conditional loading that redirects security researchers and automated scanners to harmless pages. Push Security's analysis reveals extensive obfuscation of the HTML and JavaScript to avoid detection. These measures include inserting invisible tags to break up user-interface strings so that signature matching on the raw markup fails, rendering background and interface elements as images rather than text, and other modifications that change what a scanner sees without changing what the user sees.
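The obfuscation described above targets scanners that grep the raw markup for known login-page strings. The following is an added example, not Sneaky2FA code or Push Security's tooling: it approximates what the browser renders (hidden elements dropped, tags stripped, entities decoded, zero-width characters removed) before matching keyword signatures, and it counts the tricks themselves as indicators. The sample HTML and the signature list are constructed for this example; the hidden-element handling is deliberately simplified (inline styles only, no nesting, no external CSS).

```javascript
// Added example (not Sneaky2FA code): normalise obfuscated login-page markup
// so that keyword signatures match the text the victim actually sees.
// The sample below is constructed for this example; it is not a real kit page.
// Visible text: "Sign in to your account". The raw markup never contains
// that string: letters are split by empty tags, zero-width characters
// (one as an HTML entity, one literal) and hidden spans carrying junk.
const SAMPLE_OBFUSCATED_HTML = `
<div class="h">S<i></i>ig<b></b>n&#x200B; in<span style="display:none">XYZ</span> to
 <span class="q" style="visibility:hidden">abc</span>your\u200C acc<wbr>ount</div>
<img src="data:image/png;base64,iVBORw0KGgo=" alt="">`;

// Phrases a scanner might look for on a Microsoft-themed credential page (assumed list).
const UI_SIGNATURES = ['sign in to your account', 'sign in with microsoft', 'enter password'];

// Elements hidden by inline style, with their content (non-nested: a simplification).
const HIDDEN_ELEMENT_RE =
  /<(\w+)\b[^>]*\bstyle\s*=\s*"[^"]*(?:display\s*:\s*none|visibility\s*:\s*hidden)[^"]*"[^>]*>[\s\S]*?<\/\1\s*>/gi;
// Empty inline tags used only to split a word across DOM nodes.
const EMPTY_INLINE_TAG_RE = /<(i|b|span|em|u|font|strong)\b[^>]*>\s*<\/\1\s*>/gi;
// Zero-width space / non-joiner / joiner / word joiner / BOM.
const ZERO_WIDTH_RE = /[\u200B-\u200D\u2060\uFEFF]/g;
// Interface chrome shipped as inline images instead of text.
const DATA_IMG_RE = /<img\b[^>]*\bsrc\s*=\s*["']data:image\//gi;

// Minimal entity decoder: numeric (decimal/hex) plus the common named ones.
function decodeEntities(s) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", nbsp: '\u00A0' };
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (m, body) => {
    if (body[0] === '#') {
      const cp = /^#x/i.test(body) ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return Number.isFinite(cp) ? String.fromCodePoint(cp) : m;
    }
    const key = body.toLowerCase();
    return Object.prototype.hasOwnProperty.call(named, key) ? named[key] : m;
  });
}

// Approximate what a browser renders: drop scripts/styles and hidden elements,
// strip remaining tags, decode entities, remove zero-width characters,
// collapse whitespace.
function normalizeUiText(html) {
  return decodeEntities(
    html
      .replace(/<script[\s\S]*?<\/script>/gi, '')
      .replace(/<style[\s\S]*?<\/style>/gi, '')
      .replace(HIDDEN_ELEMENT_RE, '')
      .replace(/<[^>]+>/g, ''),
  )
    .replace(ZERO_WIDTH_RE, '')
    .replace(/\s+/g, ' ')
    .trim();
}

// Signatures that match the normalised (visible) text, not the raw markup.
function matchSignatures(html) {
  const text = normalizeUiText(html).toLowerCase();
  return UI_SIGNATURES.filter((sig) => text.includes(sig));
}

// Counts of the obfuscation tricks themselves; high counts on a login-looking
// page are a signal in their own right, independent of any keyword.
function obfuscationIndicators(html) {
  const count = (s, re) => (s.match(re) || []).length;
  return {
    hiddenElements: count(html, HIDDEN_ELEMENT_RE),
    emptyInlineTags: count(html, EMPTY_INLINE_TAG_RE),
    zeroWidthChars: count(decodeEntities(html), ZERO_WIDTH_RE),
    dataUriImages: count(html, DATA_IMG_RE),
  };
}

console.log('visible text:', normalizeUiText(SAMPLE_OBFUSCATED_HTML));
console.log('signatures  :', matchSignatures(SAMPLE_OBFUSCATED_HTML));
console.log('indicators  :', obfuscationIndicators(SAMPLE_OBFUSCATED_HTML));
```

Run with `node`. On the sample, a raw-markup search for "sign in to your account" finds nothing, while the normalised text matches; the indicator counts (two hidden elements, two empty inline tags, two zero-width characters, one data-URI image) are the kind of feature a classifier can weight even when the keyword list misses.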
Security professionals recommend a simple test to identify fraudulent pop-ups. An authentic browser pop-up is a separate window: it can be dragged outside its parent window and appears as its own entry in the taskbar, whereas an iframe-based fake is content of the current tab and cannot leave it. The test is reliable when applied, but it depends on the user thinking to apply it; a login prompt that appears after following a document link, and whose only visible address bar is the one drawn inside the "window", deserves exactly that scrutiny. Because the session is captured by the AitM proxy after MFA completes, phishing-resistant methods such as FIDO2/WebAuthn, which bind the credential to the origin the browser actually visited, remain the technical control that defeats this class of kit.
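The drag test works because the fake "window" is page content: an element drawing window chrome, a fake address bar showing a trusted hostname, and an iframe whose real `src` points at the AitM proxy. The same structural fact can be checked statically. The following added example (not Sneaky2FA, Push Security or Microsoft code) is a heuristic that extracts hostnames appearing as visible text and flags a trusted login host that the page is not actually served from. The sample markup is constructed; `previewdoc.com` is the lure domain named in the article, and `auth.example-attacker.net` is a hypothetical proxy host.

```javascript
// Added example (not kit or vendor code): static heuristic for the BitB
// pattern. A real browser never renders its own address bar inside the page,
// so a trusted login hostname in visible text, on a page not served from that
// host, is a strong signal of a fake address bar or title.

// Constructed sample. 'previewdoc.com' is the lure domain from the article;
// 'auth.example-attacker.net' is a hypothetical AitM proxy host.
const SAMPLE_BITB_HTML = `
<div class="fake-window edge-windows">
  <div class="titlebar">Sign in to your account - Microsoft Edge</div>
  <div class="addressbar"><span class="lock">lock</span> https://login.microsoftonline.com/common/oauth2/authorize</div>
  <iframe src="https://auth.example-attacker.net/common/oauth2/v2.0/authorize?state=1" width="600" height="500"></iframe>
</div>`;

// Hosts whose appearance in visible text indicates spoofed chrome (assumed list; extend as needed).
const TRUSTED_LOGIN_HOSTS = new Set([
  'login.microsoftonline.com', 'login.live.com', 'login.microsoft.com',
]);

// Origins the iframes really load from (absolute src only; a relative src
// inherits the page host and is skipped here).
function extractIframeHosts(html) {
  const hosts = [];
  const re = /<iframe\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    try {
      hosts.push(new URL(m[1]).hostname.toLowerCase());
    } catch (e) {
      // relative or malformed src: ignore
    }
  }
  return hosts;
}

// Hostnames that occur in text the user sees (tags removed), i.e. not inside
// href/src attributes.
function extractTextHosts(html) {
  const text = html
    .replace(/<script[\s\S]*?<\/script>/gi, ' ')
    .replace(/<style[\s\S]*?<\/style>/gi, ' ')
    .replace(/<[^>]+>/g, ' ');
  const re = /\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b/gi;
  const hosts = new Set();
  let m;
  while ((m = re.exec(text)) !== null) hosts.add(m[1].toLowerCase());
  return hosts;
}

// pageHost: the hostname the document was really fetched from.
function detectBitB(html, pageHost) {
  const page = pageHost.toLowerCase();
  const iframeHosts = extractIframeHosts(html);
  const findings = [];
  for (const shown of extractTextHosts(html)) {
    if (!TRUSTED_LOGIN_HOSTS.has(shown) || shown === page) continue;
    findings.push({
      displayedHost: shown, // what the fake address bar or title claims
      pageHost: page,       // where the document really came from
      iframeHosts,          // where the embedded "login" really loads from
    });
  }
  return { suspicious: findings.length > 0, findings };
}

console.log(JSON.stringify(detectBitB(SAMPLE_BITB_HTML, 'previewdoc.com'), null, 2));
```

Run with `node`. The same document is not flagged when `pageHost` is the trusted host itself, which is the only case in which that hostname belongs in the page. At runtime the equivalent check is that a BitB "window" is a descendant of `document.body`, whereas a genuine pop-up is a separate top-level browsing context the page cannot draw into; that is what the drag test exposes to the user.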
The adoption of BitB tactics isn’t limited to Sneaky2FA, with similar capabilities observed in the Raccoon0365/Storm-2246 PhaaS operation recently dismantled through coordinated efforts by Microsoft and Cloudflare. That campaign had successfully harvested thousands of Microsoft 365 credentials before its disruption, demonstrating the widespread threat posed by these evolving phishing methodologies.
(Source: Bleeping Computer)