Cybersecurity

Sneaky 2fa Phishing Kit Adds Bitb Pop-ups Designed To Mimic The...

2025-11-18 0 views admin
Sneaky 2fa Phishing Kit Adds Bitb Pop-ups Designed To Mimic The...

The malware authors associated with a Phishing-as-a-Service (PhaaS) kit known as Sneaky 2FA have incorporated Browser-in-the-Browser (BitB) functionality into their arsenal, underscoring the continued evolution of such offerings and further making it easier for less-skilled threat actors to mount attacks at scale.

Push Security, in a report shared with The Hacker News, said it observed the use of the technique in phishing attacks designed to steal victims' Microsoft account credentials.

BitB was first documented by security researcher mr.d0x in March 2022, detailing how it's possible to leverage a combination of HTML and CSS code to create fake browser windows that can masquerade as login pages for legitimate services in order to facilitate credential theft.

"BitB is principally designed to mask suspicious phishing URLs by simulating a pretty normal function of in-browser authentication – a pop-up login form," Push Security said. "BitB phishing pages replicate the design of a pop-up window with an iframe pointing to a malicious server."

To complete the deception, the pop-up browser window shows a legitimate Microsoft login URL, giving the victim the impression that they are entering the credentials on a legitimate page, when, in reality, it's a phishing page.

In one attack chain observed by the company, users who land on a suspicious URL ("previewdoc[.]us") are served a Cloudflare Turnstile check. Only after the user passes the bot protection check does the attack progress to the next stage, which involves displaying a page with a "Sign in with Microsoft" button in order to view a PDF document.

Once the button is clicked, a phishing page masquerading as a Microsoft login form is loaded in an embedded browser using the BitB technique, ultimately exfiltrating the entered information and session details to the attacker, who can then use them to take over the victim's account.

Besides using bot protection technologies like CAPTCHA and Cloudflare Turnstile to prevent security tools from accessing the phishing pages, the attackers leverage conditional loading techniques to ensure that only the intended targets can access them, while filtering out the rest or redirecting them to benign sites instead.

Sneaky 2FA, first highlighted by Sekoia earlier this year, is known to adopt various methods to resist analysis, including using obfuscation and disabling browser developer tools to prevent attempts to inspect the web pages. In addition, the phishing domains

Source: The Hacker News

🏷️ Tags

securityhackmalwareattackthreat

More from Cybersecurity

Hackers Claim To Hack Resecurity, Firm Says It Was A Honeypot

Hackers Claim To Hack Resecurity, Firm Says It Was A Honeypot

2026-01-03 0
Covenant Health Says May Data Breach Impacted Nearly 478,000 Patients

Covenant Health Says May Data Breach Impacted Nearly 478,000 Patients

2026-01-02 0
Cryptocurrency Theft Attacks Traced To 2022 Lastpass Breach 2026

Cryptocurrency Theft Attacks Traced To 2022 Lastpass Breach 2026

2026-01-02 0
Over 10k Fortinet Firewalls Exposed To Actively Exploited 2fa Bypass

Over 10k Fortinet Firewalls Exposed To Actively Exploited 2fa Bypass

2026-01-02 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views