A sophisticated Browser-in-the-Browser phishing attack is targeting Microsoft 365 users, leveraging highly realistic fake login popups to steal credentials and session tokens.
The attack, uncovered by Unit 42 threat researchers, represents a new level of social engineering—where attackers replicate trusted authentication flows so convincingly that even experienced users struggle to differentiate between legitimate and malicious login windows.
Unlike traditional phishing pages, this technique exploits user trust in browser-based authentication workflows, making detection significantly more difficult.
Key Details
The campaign uses a technique known as Browser-in-the-Browser (BitB), where attackers embed a fake browser window directly within a malicious webpage.
Key characteristics of the attack include:
- A realistic Microsoft OAuth login popup
- A spoofed address bar showing a legitimate-looking URL with a padlock icon
- Full Microsoft branding and UI elements
- Interactive behavior, including draggable windows
The attack begins when a victim:
- Lands on a compromised or malicious website
- Clicks a “Sign in with Microsoft” button
- Is presented with a fake popup that appears fully legitimate
Because the login interface looks authentic, users unknowingly enter their credentials, which are immediately captured by the attacker.
Technical Analysis
How the Browser-in-the-Browser Attack Works
Unlike real authentication popups, which are separate OS-level windows, the fake popup in this attack is a DOM element rendered inside the browser tab.
Using HTML, CSS, and JavaScript, attackers replicate:
- Browser window frames
- Address bars
- Security indicators (padlock icons)
- Microsoft login UI
To enhance realism, the popup is:
- Draggable across the screen, mimicking a real window
- Styled based on OS and browser fingerprinting
- Dynamically adjusted to match the victim’s environment
This removes key visual indicators users rely on to detect phishing attempts.
Advanced Evasion Techniques
The campaign employs multiple evasion tactics to bypass security controls:
- Keyword fragmentation to evade content filtering
- Debugging detection to block analysis tools
- Bot filtering and redirection to hide malicious behavior from automated scanners
As a result, many traditional detection systems fail to identify the attack, allowing it to reach human targets undetected.
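An added detection heuristic, not code from the article or from Unit 42, for the two points above: the fake popup is a DOM element rather than an OS-level window, so a trusted login hostname appearing in a page's own content (next to a password field) while the page is served from elsewhere is a strong BitB indicator, and the text must be normalized first to undo keyword fragmentation. The trusted-host list, the simplified tree format and the sample page are assumptions constructed for the example.

```javascript
// Added example, not from the article or Unit 42. A real login popup is a
// separate OS-level window, so its address bar never appears in any page's DOM.
// A page on some other origin whose own content contains a trusted login
// hostname beside a password field is therefore a strong BitB indicator.
// Text is normalized first to undo keyword fragmentation. The tree format is a
// constructed, simplified DOM so this runs offline; in a browser, walk document.body.

const TRUSTED_LOGIN_HOSTS = ['login.microsoftonline.com', 'login.live.com'];
const ZERO_WIDTH = /[\u200B\u200C\u200D\u2060\uFEFF]/g;

// Flatten a node tree to one string, dropping zero-width characters and joining
// text split across adjacent elements, e.g. <span>login.</span><span>micro</span>.
function flattenText(node) {
  if (typeof node === 'string') return node.replace(ZERO_WIDTH, '');
  return (node.children || []).map(flattenText).join('');
}

// True if the tree contains an <input type="password">.
function hasPasswordField(node) {
  if (typeof node === 'string') return false;
  if (node.tag === 'input' && (node.attrs || {}).type === 'password') return true;
  return (node.children || []).some(hasPasswordField);
}

// `tree` is the page's DOM; `pageUrl` is what the browser's real address bar shows.
function detectBitB(tree, pageUrl) {
  const realHost = new URL(pageUrl).hostname.toLowerCase();
  const reasons = [];
  // On the genuine identity provider its own hostname may legitimately appear.
  if (TRUSTED_LOGIN_HOSTS.includes(realHost)) return { suspicious: false, reasons };
  const text = flattenText(tree).toLowerCase();
  for (const host of TRUSTED_LOGIN_HOSTS) {
    if (text.includes(host)) reasons.push(`${realHost} renders "${host}" inside its own content`);
  }
  if (reasons.length > 0 && hasPasswordField(tree)) {
    reasons.push('password field sits next to the spoofed address bar');
  }
  return { suspicious: reasons.length > 0, reasons };
}

// Constructed sample: a fake "window" with a padlock glyph, a fragmented
// hostname and a password field, on a page that is not the real IdP.
const SAMPLE_BITB_PAGE = { tag: 'div', children: [
  { tag: 'div', attrs: { class: 'fake-addressbar' }, children: [
    '\u{1F512} ', { tag: 'span', children: ['login.'] },
    { tag: 'span', children: ['micro\u200Bsoft'] },
    { tag: 'span', children: ['online.com/'] } ] },
  { tag: 'form', children: [{ tag: 'input', attrs: { type: 'password' } }] } ] };
```

A browser extension or proxy that injects this check would run it after the page settles, since the article notes the popup is styled dynamically from fingerprinting.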
Credential and Token Theft
Once credentials are entered:
- They are sent to an attacker-controlled server
- The victim is often redirected to a real Microsoft login page
- The user assumes a login error and retries
However, the real objective goes beyond passwords.
Attackers capture the OAuth consent grant, which gives them access comparable to that of:
- Session cookies
- Single Sign-On (SSO) tokens
This enables persistent access without requiring re-authentication.
Impact and Risks
Why This Attack Is Dangerous
The real risk lies in token-based access persistence. Even if a user resets their password, attackers with valid tokens can:
- Maintain access to Microsoft 365 accounts
- Access emails, files, and cloud services
- Move laterally within organizational environments
Who Is Targeted
- Enterprise Microsoft 365 users
- Cloud-based organizations using SSO
- Employees accessing external SaaS platforms
Potential Consequences
- Account takeover and data exfiltration
- Compromise of sensitive business communications
- Unauthorized access to cloud infrastructure
- Long-term persistence in enterprise environments
This aligns with modern identity-based attacks (MITRE ATT&CK T1556, T1539), where credentials and tokens are primary targets.
Expert Recommendations
1. Use Phishing-Resistant Authentication
- Enable passkeys or FIDO2 hardware keys
- Avoid reliance on passwords alone
2. Monitor OAuth and Session Activity
- Track active sessions across devices
- Revoke suspicious tokens immediately
- Audit OAuth consent grants regularly
3. Leverage Password Managers
- Use a password manager, which ties saved credentials to the real login domain
- It won’t autofill credentials into a spoofed popup, because the page’s origin doesn’t match the saved entry
4. Implement Conditional Access Policies
- Restrict access to trusted or managed devices
- Apply geolocation-based access controls
5. Train Users on Advanced Phishing
- Educate users about Browser-in-the-Browser attacks
- Encourage verification of login flows
6. Enhance Detection Capabilities
- Deploy advanced phishing detection tools
- Monitor unusual browser behavior and login patterns
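An added example, not code from the article or from Unit 42, of the consent-grant audit in recommendation 2, aimed at the persistence problem the Credential and Token Theft section describes. The records are constructed samples whose field names follow Microsoft Graph's oauth2PermissionGrant resource; the approved-app list, the scope lists and the GUIDs are placeholders a tenant would replace with its own.

```javascript
// Added example, not from the article or Unit 42: triage of OAuth consent grants.
// Field names follow Microsoft Graph's oauth2PermissionGrant resource
// (clientId, consentType, principalId, scope); the allow-list, scope lists and
// GUIDs are constructed placeholders. A grant from an unapproved app that pairs
// offline_access (a refresh token) with mailbox or file scopes is the kind of
// persistence that survives a password reset.

const APPROVED_CLIENT_IDS = new Set(['11111111-1111-1111-1111-111111111111']);
const PERSISTENCE_SCOPES = new Set(['offline_access']);
const SENSITIVE_SCOPES = new Set(['Mail.Read', 'Mail.ReadWrite', 'MailboxSettings.ReadWrite',
  'Files.Read.All', 'Files.ReadWrite.All', 'Contacts.Read']);
const RANK = { high: 0, medium: 1 };

// Assess one grant; returns null when it needs no attention, else a finding.
function assessGrant(grant) {
  if (APPROVED_CLIENT_IDS.has(grant.clientId)) return null;
  const scopes = grant.scope.trim().split(/\s+/);
  const persistent = scopes.filter(s => PERSISTENCE_SCOPES.has(s));
  const sensitive = scopes.filter(s => SENSITIVE_SCOPES.has(s));
  if (persistent.length === 0 && sensitive.length === 0) return null;
  // Refresh token plus data access, or tenant-wide consent, is the worst case.
  const worst = (persistent.length > 0 && sensitive.length > 0) || grant.consentType === 'AllPrincipals';
  return {
    grantId: grant.id,
    clientId: grant.clientId,
    severity: worst ? 'high' : 'medium',
    affectedPrincipal: grant.consentType === 'Principal' ? grant.principalId : 'all users',
    scopes: [...persistent, ...sensitive],
    // A password reset does not invalidate the grant or the tokens issued under it.
    action: 'delete the grant and revoke sign-in sessions for the affected principal(s)',
  };
}

// Triage a whole export, most severe first.
function triageGrants(grants) {
  return grants.map(assessGrant).filter(Boolean).sort((a, b) => RANK[a.severity] - RANK[b.severity]);
}

// Constructed records with placeholder GUIDs.
const SAMPLE_GRANTS = [
  { id: 'g1', clientId: '11111111-1111-1111-1111-111111111111', consentType: 'Principal',
    principalId: 'user-a', scope: 'User.Read offline_access Mail.Read' },      // approved app
  { id: 'g2', clientId: '22222222-2222-2222-2222-222222222222', consentType: 'Principal',
    principalId: 'user-b', scope: 'openid User.Read' },                        // low privilege
  { id: 'g3', clientId: '33333333-3333-3333-3333-333333333333', consentType: 'Principal',
    principalId: 'user-c', scope: 'openid offline_access Mail.Read Files.ReadWrite.All' },
  { id: 'g4', clientId: '44444444-4444-4444-4444-444444444444', consentType: 'Principal',
    principalId: 'user-d', scope: 'offline_access User.Read' },
];
```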
Industry Context
The rise of Browser-in-the-Browser attacks reflects a broader trend: phishing attacks are becoming more immersive and UI-driven.
Traditional phishing detection focuses on:
- Malicious URLs
- Suspicious domains
However, this campaign demonstrates a shift toward:
- UI spoofing inside legitimate contexts
- Identity-focused attacks targeting authentication flows
- Exploiting trust in OAuth and SSO mechanisms
As cloud adoption increases, attackers are focusing on tokens instead of passwords, making these attacks more persistent and harder to detect.
Conclusion
The Browser-in-the-Browser phishing campaign targeting Microsoft 365 users highlights the evolving sophistication of identity-based attacks. By replicating trusted login experiences with near-perfect accuracy, attackers are bypassing traditional defenses and exploiting human trust.
Organizations must adopt phishing-resistant authentication, session monitoring, and user awareness strategies to defend against these advanced threats.
FAQ
What is a Browser-in-the-Browser phishing attack?
It is a phishing technique that creates a fake browser window inside a webpage to mimic legitimate login popups.
How does this attack steal credentials?
Users enter credentials into a fake popup, which sends the data directly to attackers.
Why is OAuth token theft dangerous?
OAuth tokens allow persistent access to accounts even after passwords are changed.
Who is most at risk?
Microsoft 365 users and organizations relying on cloud authentication and SSO systems.
How can users protect themselves?
Use passkeys, enable MFA, verify login pages, and rely on password managers to detect fake sites.