Sneaky2FA Adds Browser‑in‑the‑Browser to Its Phishing Toolkit — Why Microsoft 365 Users Are at Heightened Risk

Sneaky2FA’s adoption of the browser‑in‑the‑browser (BitB) trick marks a meaningful escalation in phishing sophistication. The kit already automated real‑time MFA relay (AitM) and SVG‑based UI mimicry; BitB now gives attackers a near‑perfect cosmetic replica of the Microsoft sign‑in pop‑up that dynamically adapts to the victim’s OS and browser. The result: phishing pages that are harder for users and automated scanners to distinguish from legitimate OAuth flows, increasing the success rate of credential and session token theft against Microsoft 365 targets.

What the attack does and how it works

• Initial lure: Victims reach an attacker page (for example, a document preview link) that uses a benign bot check (Cloudflare Turnstile) as a credibility layer.
• BitB cosmetic layer: When the victim clicks “Sign in with Microsoft,” Sneaky2FA renders a fake pop‑up that visually includes a URL bar, title, and layout tuned to the visitor’s browser and OS so it looks like a native OAuth window.
• AitM proxying underneath: The BitB iframe hosts Sneaky2FA’s reverse proxy, which relays real Microsoft authentication flows to the attacker in real time. This captures credentials, one‑time codes, and active session tokens.
• Evasion tactics: The kit uses heavy obfuscation, conditional loading (sending bots to benign pages), DOM tricks, and anti‑analysis checks so static detection and research are less likely to flag the page.
• Outcome: The attacker receives either the authenticated session cookie or the completed authentication sequence, enabling immediate session takeover and downstream access to email, OneDrive, Teams, SharePoint, and linked systems.

Why this matters now

• Human checks are broken by fidelity: Pixel‑perfect UI and a convincing URL bar remove visual cues that users might otherwise use to detect fraud.
• Legacy MFA and TOTP are insufficient: Any MFA method that depends on user interaction (codes, pushes) can be relayed in real time by an AitM kit.
• Scale and accessibility: Sneaky2FA is a PhaaS product — turnkey and inexpensive — so operators with minimal skills can run large campaigns targeting high‑value identities.
• Evasion increases dwell time: Conditional loading and sandbox checks make automated takedowns and research slower, letting campaigns collect more credentials before detection.

Detection and mitigation — practical actions

• Short‑term (immediate):
  • Enforce phishing‑resistant authentication for all admin and high‑risk accounts: require FIDO2/WebAuthn hardware keys or platform authenticators with origin checks.
  • Tighten conditional access: require device posture, network location, and step‑up authentication for access to high‑impact apps and data.
  • Block the infrastructure: use URL reputation, gateway filtering, and Cloudflare/IDP integrations to block known phishing domains and preview pages.
  • User guidance: tell employees to treat any “paste this code” or “open sign in window” prompts as suspicious; show the drag‑out test for pop‑ups (legitimate windows appear as separate tasks).
• Medium‑term (weeks):
  • Harden SSO flows: enforce strict redirect URI allowlists, shorten token lifetimes, require authn_context for sensitive actions, and disable legacy OAuth grant types where unused.
  • Limit session persistence: reduce lifetime for refresh tokens and enforce re‑auth for sensitive operations (download, sharing, admin actions).
  • Block or throttle reverse‑proxy indicators: detect and block unusual proxying patterns, repeated token exchange attempts, or near‑real‑time credential relay behaviors via web gateway telemetry.
• Long‑term (strategic):
  • Migrate high‑risk users to phishing‑resistant MFA (hardware FIDO2 tokens with biometric requirement where feasible).
  • Integrate anti‑phishing into CI/CD and email flows: apply automated checks for preview‑style domains, sandbox suspicious attachments, and require publisher validation on embedded preview services.
  • Simulate and test: include BitB/AitM scenarios in phishing simulations and red‑team exercises so detection and user training match current attack realism.

Detection playbook snippets (quick wins)

• Alert on unusual web session patterns: identical credentials submitted from two different client IPs within seconds, or IPs immediately swapping from user’s country to a proxy cluster.
• Monitor for OAuth anomalies: repeated authorization code exchanges that result in different client IPs or suspicious redirect URIs.
• Flag renderer crashes or DOM‑manipulation patterns tied to document‑preview pages and Turnstile sequences.
• Hunt for credential reuse followed by lateral activity in Microsoft 365: new mailbox rules, mass forwarding, or unexpected role assignments.