A new phishing campaign is leveraging advanced techniques to steal credentials from unsuspecting users. The Phishing-as-a-Service (PhaaS) kit called Sneaky 2FA has integrated Browser-in-the-Browser (BitB) functionality, making it easier for less experienced attackers to perform large-scale credential theft operations.
How BitB Works
Security researchers at Push Security reported that the technique is being used to target Microsoft accounts. First described by researcher mr.d0x in March 2022, BitB relies on HTML and CSS to create fake browser windows that resemble legitimate login pages.
The fake windows display a legitimate URL, giving users the impression they are signing into a trusted site while their credentials are actually captured by attackers. BitB pages often replicate pop-up login designs using iframes pointing to malicious servers.
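The detail worth dwelling on is that the iframe points at an attacker server rather than at the real sign-in page. A login page served with a framing restriction (CSP `frame-ancestors` or `X-Frame-Options`) cannot be loaded inside someone else's page at all, so a BitB kit has to substitute a lookalike form. The following is an added example, not code from the article or from Push Security: it parses the two relevant response headers and reports whether a page could be embedded by a third-party origin, so you can audit your own login endpoints. The sample header sets are constructed, not captured from any real site.

```javascript
// Added example: decide from response headers whether a page can be framed by a third party.
// Constructed header sets below stand in for real responses.

// Parse a Content-Security-Policy value into a directive -> source-list map.
function parseCsp(headerValue) {
  const directives = new Map();
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    // Per the CSP spec, the first occurrence of a directive wins; later duplicates are ignored.
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Lower-case header names so lookups are case-insensitive.
function normalizeHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;
  return out;
}

// Returns { thirdPartyEmbeddable, reason }. When both headers are present, browsers
// honour CSP frame-ancestors and ignore X-Frame-Options, so CSP is checked first.
function frameProtectionStatus(headers) {
  const h = normalizeHeaders(headers);
  const csp = h['content-security-policy'];
  if (csp) {
    const fa = parseCsp(csp).get('frame-ancestors');
    if (fa) {
      const lowered = fa.map((s) => s.toLowerCase());
      if (lowered.includes("'none'")) {
        return { thirdPartyEmbeddable: false, reason: "CSP frame-ancestors 'none'" };
      }
      // '*' or a bare scheme source such as https: lets any origin frame the page.
      if (lowered.some((s) => s === '*' || s === 'https:' || s === 'http:')) {
        return { thirdPartyEmbeddable: true, reason: 'CSP frame-ancestors allows any origin' };
      }
      // 'self' or an explicit host list: only the listed origins may frame it.
      return { thirdPartyEmbeddable: false, reason: `CSP frame-ancestors limited to: ${fa.join(' ')}` };
    }
  }
  const xfo = h['x-frame-options'];
  if (xfo) {
    const v = xfo.trim().toUpperCase();
    if (v === 'DENY' || v === 'SAMEORIGIN') {
      return { thirdPartyEmbeddable: false, reason: `X-Frame-Options ${v}` };
    }
    // ALLOW-FROM and other values are not enforced by current browsers.
    return { thirdPartyEmbeddable: true, reason: `X-Frame-Options value not enforced by modern browsers: ${xfo}` };
  }
  return { thirdPartyEmbeddable: true, reason: 'no framing restriction header present' };
}

// Constructed sample responses (hypothetical, not from any real service).
const SAMPLE_RESPONSES = {
  hardenedLogin: {
    'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'; script-src 'self'",
    'X-Frame-Options': 'DENY',
  },
  legacyOnly: { 'X-Frame-Options': 'SAMEORIGIN' },
  lookalikeForm: { 'Content-Type': 'text/html' },
};

// Audit every sample and return a name -> status report.
function auditSamples() {
  const report = {};
  for (const [name, headers] of Object.entries(SAMPLE_RESPONSES)) {
    report[name] = frameProtectionStatus(headers);
  }
  return report;
}
```

Run `auditSamples()` against headers captured from your own sign-in page; a result of `thirdPartyEmbeddable: true` on a login endpoint is a finding in its own right, independent of this campaign.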
Attack Chain Observed
In one observed attack, users who visit a suspicious URL, such as “previewdoc[.]us”, are first presented with a Cloudflare Turnstile bot check. Once cleared, the user is shown a “Sign in with Microsoft” button to view a PDF. Clicking the button opens a BitB phishing page that harvests login credentials and session data, allowing attackers to take control of the account.
The attackers also use conditional loading and bot protection measures, ensuring that only targeted users can access the malicious pages. Others are either blocked or redirected to harmless sites.
Techniques to Avoid Detection
Sneaky 2FA uses multiple techniques to resist analysis. These include code obfuscation, disabling developer tools, and rapidly rotating phishing domains. This allows attackers to evade detection and maintain operational efficiency.
Bypassing Passkey Authentication
Beyond standard phishing, researchers have shown that attackers can bypass WebAuthn-based passkey logins. Malicious browser extensions intercept calls such as navigator.credentials.create() and navigator.credentials.get() to generate attacker-controlled key pairs. The private key is stored locally and a copy is sent to the attacker, allowing them to authenticate without the user’s device or biometrics.
Some phishing kits also use downgrade attacks to trick users into selecting less secure, phishable login methods instead of passkeys. This exposes even accounts with phishing-resistant authentication to compromise.
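Intercepting navigator.credentials.create() and navigator.credentials.get() means replacing the browser's native functions with JavaScript ones. That substitution leaves tell-tales a relying party's page script or an endpoint agent can look for: the method becomes an own property of the instance rather than an inherited one, and its source text no longer reads `[native code]`. The following is an added example, not code from the article or the cited research, showing that heuristic. It is written so the checking logic runs against any object, with constructed stand-ins (a `Map`, a hypothetical `Creds` class) in place of `navigator.credentials` outside a browser.

```javascript
// Added example: heuristic integrity check for WebAuthn entry points.
// Caveat: an extension that also replaces Function.prototype.toString can defeat the
// source-text test, so a clean result means "no evidence", not proof of integrity.

const NATIVE_SOURCE = /\{\s*\[native code\]\s*\}\s*$/;

// Inspect target[name] for each method name and collect the reasons it looks tampered.
// Works on any object, so it can be exercised outside a browser with constructed stand-ins.
function findTamperedMethods(target, methodNames) {
  const findings = [];
  for (const name of methodNames) {
    const fn = target[name];
    if (typeof fn !== 'function') {
      findings.push({ name, reason: 'missing or not a function' });
      continue;
    }
    // A native method lives on the prototype; an override assigned onto the instance
    // shows up as an own property.
    if (Object.prototype.hasOwnProperty.call(target, name)) {
      findings.push({ name, reason: 'own property shadows the prototype method' });
    }
    // Call the original Function.prototype.toString so a replaced fn.toString cannot lie.
    if (!NATIVE_SOURCE.test(Function.prototype.toString.call(fn))) {
      findings.push({ name, reason: 'source is JavaScript, not native code' });
    }
  }
  return findings;
}

// Browser entry point: returns [] when the WebAuthn surface looks untouched.
// In a runtime without navigator.credentials (e.g. Node) it reports that instead.
function auditWebAuthn() {
  if (typeof navigator === 'undefined' || !navigator.credentials) {
    return [{ name: 'navigator.credentials', reason: 'not available in this runtime' }];
  }
  return findTamperedMethods(navigator.credentials, ['create', 'get']);
}

// Constructed demonstration: a Map inherits native get/set from Map.prototype, so it
// passes; assigning a JavaScript function over one of them is flagged twice.
function demo() {
  const clean = new Map();
  const patched = new Map();
  patched.get = function (k) { return Map.prototype.get.call(this, k); };
  return {
    clean: findTamperedMethods(clean, ['get', 'set']),
    patched: findTamperedMethods(patched, ['get']),
  };
}
```

On a relying party's sign-in page, call `auditWebAuthn()` before invoking WebAuthn and ship any findings to your telemetry; the value is in the population-level signal (a cluster of users whose `create`/`get` are suddenly non-native), not in blocking a single login.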