Sneaky 2FA Phishing Kit Adds BitB Pop-ups Designed to Mimic the Browser Address Bar - The Hacker News

Sneaky 2FA Phishing Kit Adds BitB Pop-ups Designed to Mimic the Browser Address Bar Ravie LakshmananNov 18, 2025Browser Security / Cybercrime The malware authors associated with a Phishing-as-a-Service (PhaaS) kit known as Sneaky 2FA have incorporated Browser-in-the-Browser (BitB) functionality into their arsenal, underscoring the continued evolution of such offerings and further making it easier for less-skilled threat actors to mount attacks at scale. Push Security, in a report shared with The Hacker News, said it observed the use of the technique in phishing attacks designed to steal victims' Microsoft account credentials. BitB was first documented by security researcher mr.d0x in March 2022, detailing how it's possible to leverage a combination of HTML and CSS code to create fake browser windows that can masquerade as login pages for legitimate services in order to facilitate credential theft. "BitB is principally designed to mask suspicious phishing URLs by simulating a pretty normal function of in-browser authentication – a pop-up login form," Push Security said. "BitB phishing pages replicate the design of a pop-up window with an iframe pointing to a malicious server." To complete the deception, the pop-up browser window shows a legitimate Microsoft login URL, giving the victim the impression that they are entering the credentials on a legitimate page, when, in reality, it's a phishing page. In one attack chain observed by the company, users who land on a suspicious URL ("previewdoc[.]us") are served a Cloudflare Turnstile check. Only after the user passes the bot protection check does the attack progress to the next stage, which involves displaying a page with a "Sign in with Microsoft" button in order to view a PDF document. Once the button is clicked, a phishing page masquerading as a Microsoft login form is loaded in an embedded browser using the BitB technique, ultimately exfiltrating the entered information and session details to the attacker, who can then use them to take over the victim's account. Besides using bot protection technologies like CAPTCHA and Cloudflare Turnstile to prevent security tools from accessing the phishing pages, the attackers leverage conditional loading techniques to ensure that only the intended targets can access them, while filtering out the rest or redirecting them to benign sites instead. Sneaky 2FA, first highlighted by Sekoia earlier this year, is known to adopt various methods to resist analysis, including using obfuscation and disabling browser developer tools to prevent attempts to inspect the web pages. In addition, the phishing domains are quickly rotated to minimize detection. "Attackers are continuously innovating their phishing techniques, particularly in the context of an increasingly professionalized PhaaS ecosystem," Push Security said. "With identity-based attacks continuing to be the leading cause of breaches, attackers are incentivized to refine and enhance their phishing infrastructure." Bypassing Passkey Login via WebAuthn Process Manipulation The disclosure comes against the backdrop of research that found that it's possible to employ a malicious browser extension to fake passkey registration and logins, thereby allowing threat actors to access enterprise apps without the user's device or biometrics. The Passkey Pwned Attack, as it's called, takes advantage of the fact that there is no secure communication channel between a device and the service and that the browser, which serves as the intermediary, can be manipulated by means of a rogue script or extension, effectively hijacking the authentication process. When registering or authenticating on websites using passkeys, the website communicates via the web browser by invoking WebAuthn APIs such as navigator.credentials.create() and navigator.credentials.get(). The attack manipulates these flows through JavaScript injection. "The malicious extension intercepts the call before it reaches the authenticator and generates its own attacker-controlled key pair, which includes a private key and a public key," SquareX said. "The malicious extension stores the attacker-controlled private key locally so it can reuse it to sign future authentication challenges on the victim's device without generating a new key." A copy of the private key is also transmitted to the attacker to permit them to access enterprise apps on their own device. Similarly, during the login phase, the call to "navigator.credentials.get()" is intercepted by the extension to sign the challenge with the attacker's private key created during registration. That's not all. Threat actors have also found a way to sidestep phishing-resistant authentication methods like passkeys by means of what's known as a downgrade attack, where adversary-in-the-middle (AitM) phishing kits like Tycoon can ask the victim to choose between a less secure option that's phishable instead of allowing them to use a passkey. "So, you have a situation where even if a phishing-resistant login method exists, the presence of a less secure backup method means the account is still vulnerable to phishing attacks," Push Security noted back in July 2025. As attackers continue to hone their tactics, it's essential that users exercise vigilance before opening suspicious messages or installing extensions on the browser. Organizations can also adopt conditional access policies to prevent account takeover attacks by restricting logins that don't meet certain criteria. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  Authentication, Bot Protection, browser security, Cybercrime, cybersecurity, identity theft, Malware, Microsoft, Phishing, web security Trending News Open-Source CyberStrikeAI Deployed in AI-Driven FortiGate Attacks Across 55 Countries Microsoft Reveals ClickFix Campaign Using Windows Terminal to Deploy Lumma Stealer Starkiller Phishing Suite Uses AitM Reverse Proxy to Bypass Multi-Factor Authentication Coruna iOS Exploit Kit Uses 23 Exploits Across Five Chains Targeting iOS 13–17.2.1 Anthropic Finds 22 Firefox Vulnerabilities Using Claude Opus 4.6 AI Model ClawJacked Flaw Lets Malicious Sites Hijack Local OpenClaw AI Agents via WebSocket APT28 Tied to CVE-2026-21513 MSHTML 0-Day Exploited Before Feb 2026 Patch Tuesday New Chrome Vulnerability Let Malicious Extensions Escalate Privileges via Gemini Panel Cisco Confirms Active Exploitation of Two Catalyst SD-WAN Manager Vulnerabilities Google Confirms CVE-2026-21385 in Qualcomm Android Component Exploited OpenAI Codex Security Scanned 1.2 Million Commits and Found 10,561 High-Severity Issues ThreatsDay Bulletin: DDR5 Bot Scalping, Samsung TV Tracking, Reddit Privacy Fine and More 149 Hacktivist DDoS Attacks Hit 110 Organizations in 16 Countries After Middle East Conflict ⚡ Weekly Recap: Qualcomm 0-Day, iOS Exploit Chains, AirSnitch Attack and Vibe-Coded Malware Load More ▼ Popular Resources 19,053 Confirmed Breaches in 2025 – Key Trends and Predictions for 2026 Self-Hosted WAF: Block SQLi, XSS, and Bots Before They Reach Your Apps Identity Controls Checklist: Find Missing Protections in Apps Read CYBER360 2026: From Zero Trust Limits to Data-Centric Security Paths