Sneaky2FA Phishing Kit Now Mimics Browser to Steal Credentials

The digital arms race continues, with phishers now wielding sophisticated “Browser-in-the-Browser” (BitB) techniques to steal your Microsoft credentials, even if you’re using two-factor authentication (2FA). The culprit? A phishing-as-a-service (PhaaS) kit called Sneaky2FA, rapidly gaining notoriety for its innovative approach to deception.

Sneaky2FA isn’t new to the game. It’s already known for its SVG-based attacks and “attacker-in-the-middle” (AitM) tactics, as detailed in previous reports (see, for example, the earlier coverage of its SVG-based attacks). But the integration of BitB marks a significant escalation, blurring the lines between legitimate login prompts and cleverly crafted fakes.

Imagine clicking a link, perhaps in an email promising a crucial document. You’re redirected to a page that looks legitimate, maybe even passing a Cloudflare Turnstile bot check to lull you into a false sense of security.

Then comes the prompt: “Sign in with Microsoft to view this document.” Clicking this unleashes the BitB attack. A seemingly authentic Microsoft login window pops up, complete with a realistic URL bar displaying what appears to be a genuine Microsoft domain.

This isn’t your real browser window. It’s a meticulously crafted iframe, a visual doppelganger designed to fool even the most vigilant user. Inside this fake window, Sneaky2FA loads its reverse-proxy Microsoft phishing page, capturing your credentials and session tokens using its established AitM system. Two-factor authentication? Bypassed.

Drag-and-Drop Deception Detection

So, how can you tell the difference? Push Security, who first reported on this evolution of Sneaky2FA, offers a simple test: try to drag the pop-up window outside of your main browser window. A legitimate pop-up will detach and appear as a separate instance in your taskbar. The BitB fake, however, will remain tethered to its parent window, a dead giveaway.

Another clue, even before you try dragging anything: a legitimate pop-up appears as a separate browser instance in your operating system’s taskbar or dock, whereas the BitB fake is only drawn inside the page and never shows up there.

Sneaky2FA’s creators aren’t just focused on visual trickery. They’re also employing sophisticated evasion techniques to bypass security tools. The HTML and JavaScript code is heavily obfuscated, making it difficult for scanners to identify and flag the phishing pages. According to Push Security, the pages are crafted with evasion in mind, and they’re unlikely to trigger warnings when visited.

Researchers explain that the phishing sites break up UI text with invisible tags, embed background and interface elements as encoded images instead of text, and make other changes that are invisible to the user, but make it hard for scanning tools to fingerprint the page.
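The evasions just described, together with the fake in-page login window from earlier, are what a page scanner has to see through. As an added example (not code from the article or from Push Security), here is a small Python normaliser that discards hidden elements, re-joins text split by empty tags and zero-width characters, and then checks for the indicators the article describes; the sample HTML, the hostnames and the lure phrases it matches are constructed assumptions, not values taken from the kit.

```python
import re
from html.parser import HTMLParser
ZERO_WIDTH = re.compile(r"[\u200b-\u200d\u2060\ufeff]")
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
NOT_RENDERED = {"script", "style", "template", "noscript", "head"}
BLOCK = {"p", "div", "br", "li", "tr", "td", "h1", "h2", "h3", "table", "form", "button"}
VOID = {"br", "img", "input", "meta", "link", "hr", "wbr", "source", "col", "embed"}
MS_SUFFIXES = (".microsoft.com", ".microsoftonline.com")          # assumed legitimate login hosts
LURE_PHRASES = ("sign in with microsoft", "view this document")    # wording from the lure above
MS_HOST = re.compile(r"\b[a-z0-9.-]+\.microsoft(?:online)?\.com\b")

class VisibleText(HTMLParser):
    """Keeps only text a user sees; hidden elements are dropped, split text is re-joined."""
    def __init__(self):
        super().__init__()
        self.parts, self.stack, self.frames = [], [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe" and a.get("src"):
            self.frames.append(a["src"])     # where the "login window" really loads from
        if tag in BLOCK:
            self.parts.append(" ")           # block boundaries separate words
        if tag not in VOID:                  # void tags have no end tag, so nothing to track
            self.stack.append(bool(self.stack and self.stack[-1]) or tag in NOT_RENDERED
                              or "hidden" in a or bool(HIDDEN_STYLE.search(a.get("style") or "")))

    def handle_endtag(self, tag):
        if tag in BLOCK:
            self.parts.append(" ")
        if tag not in VOID and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        if not (self.stack and self.stack[-1]):
            self.parts.append(data)

def analyse(html, page_host):
    """Lure wording, a Microsoft login host painted as text on a non-Microsoft origin (the fake URL bar), iframes."""
    p = VisibleText()
    p.feed(html)
    text = re.sub(r"\s+", " ", ZERO_WIDTH.sub("", "".join(p.parts))).strip()
    return {"text": text,
            "lure_phrase": any(s in text.lower() for s in LURE_PHRASES),
            "painted_microsoft_host": bool(MS_HOST.search(text.lower())) and not page_host.endswith(MS_SUFFIXES),
            "iframe_srcs": p.frames}

# Constructed sample: hidden decoy, lure split by empty tags and a zero-width space, a "URL bar" of spans, an iframe.
SAMPLE = ('<div style="display:none">decoy text for scanners</div>'
          '<p>S<span></span>i<b></b>gn\u200b in w<i></i>ith Micro<span></span>soft to view this document.</p>'
          '<div class="chrome"><span>login.</span><span>micro</span><span>softonline.com</span></div>'
          '<iframe src="https://attacker-proxy.example/login"></iframe>')
```

Run `analyse(SAMPLE, "docs-share.example")` to see the re-joined text and all three indicators raised; the same HTML served from a real Microsoft host would not raise the painted-host indicator.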

Sneaky2FA isn’t the only PhaaS platform adopting BitB techniques. Raccoon0365/Storm-2246, another service known for targeting Microsoft 365 credentials, has also been seen using similar methods, although it was recently disrupted.

This suggests a growing trend among cybercriminals: leveraging increasingly sophisticated techniques to bypass traditional security measures and target user credentials. The message is clear: vigilance and a healthy dose of skepticism are more critical than ever in the fight against phishing.

The evolution of phishing kits like Sneaky2FA highlights the constant cat-and-mouse game between attackers and defenders. As security measures become more robust, attackers adapt, finding new and innovative ways to exploit human trust. This latest development serves as a stark reminder that security awareness training and critical thinking are essential components of any effective cybersecurity strategy.
