New Browser-in-the-Browser phishing uses fake login popups to steal Microsoft 365 credentials

A new Browser-in-the-Browser (BitB) phishing campaign is targeting Microsoft 365 users with fake login popups designed to closely mimic legitimate browser authentication windows, according to Palo Alto Networks Unit 42.

The attack relies on a fake browser window embedded within a webpage. Victims who click a Microsoft sign-in button are presented with what appears to be a standard authentication prompt, complete with a spoofed Microsoft OAuth URL and a login form.

Phishing page displaying a fake Microsoft sign-in prompt (Source: Palo Alto Networks Unit 42)

“The spoofed URL in the address bar is carefully constructed to look like a real OAuth flow,” Unit 42 noted.

What makes the popup particularly convincing is that it behaves like a legitimate browser window. It can be dragged around the screen and includes controls such as back, refresh, minimize, and close buttons, removing some of the visual cues users might normally rely on to spot a fake login page.

The phishing page also adapts to the victim’s environment. According to researchers, it identifies the operating system and browser in use and adjusts the appearance of the popup to match Windows, macOS, or Linux, as well as Chrome, Firefox, Edge, or Safari.

Making the fake login page look legitimate is only part of the attack. Unit 42 found that the campaign uses additional techniques intended to make detection and investigation more difficult.

These include overriding browser console functions, breaking up visible text strings to bypass simple keyword-based checks, and redirecting suspected bots and automated scanners to a legitimate Microsoft Office help page instead of the phishing content.

The credential-harvesting functionality is loaded through a sandboxed iframe, keeping it separate from the visible BitB interface and making the operation more difficult to analyze.
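The evasions described above (split text strings that defeat keyword matching, overridden console functions, a credential form isolated in a sandboxed iframe) and the hallmark of the lure itself (a login URL rendered as page text inside a fake address bar) can each be turned into a defender-side check. The following Node.js script is an added example written for this article; it is not Unit 42's code and not anything taken from the campaign. It normalises a captured page's visible text before keyword matching, flags console overrides and sandboxed iframes in the markup, and includes a runtime check an analyst can use to tell whether a page has replaced the browser's console methods. The sample HTML, the phrase list and the signal names are constructed assumptions for illustration.

```javascript
// Added example (not Unit 42's code nor the campaign's): defender-side checks for
// the evasions described in the article. Sample HTML, phrase list and signal
// names are constructed assumptions for illustration.

// Invisible characters commonly inserted to split words without changing what
// the user sees: zero-width space/joiners, word joiner, BOM, soft hyphen.
const INVISIBLE = /[\u200B-\u200D\u2060\uFEFF\u00AD]/g;

// Phrases a keyword check would look for on a Microsoft 365 login lure.
const BRAND_PHRASES = ['microsoft', 'sign in to your account', 'enter password'];

// Reduce markup to the text a user actually sees. Tags are removed without
// inserting whitespace so text split across elements ("Mic<span>ro</span>soft")
// is rejoined; invisible characters are stripped for the same reason.
function normalizeVisibleText(html) {
  return html
    .replace(/<script[\s\S]*?<\/script>/gi, ' ')
    .replace(/<style[\s\S]*?<\/style>/gi, ' ')
    .replace(/<[^>]+>/g, '')
    .replace(/&nbsp;/gi, ' ')
    .replace(INVISIBLE, '')
    .replace(/\s+/g, ' ')
    .toLowerCase();
}

// Static signals taken from the raw markup and scripts.
const RAW_SIGNALS = [
  // console.log = ..., console["log"] = ..., etc. (the "[^=]" excludes "==")
  ['console_override', /\bconsole\s*(?:\.\s*\w+|\[\s*['"]\w+['"]\s*\])\s*=[^=]/],
  ['sandboxed_iframe', /<iframe\b[^>]*\bsandbox\b/i],
];

// Signals taken from the normalised visible text. A real sign-in page never
// renders its own URL as page text; a BitB "address bar" does.
const TEXT_SIGNALS = [
  ['url_rendered_as_text', /https?:\/\/login\.microsoftonline\.com/],
];

function scanPage(html) {
  const text = normalizeVisibleText(html);
  const phrases = BRAND_PHRASES.filter((p) => text.includes(p));
  const signals = [
    ...TEXT_SIGNALS.filter(([, re]) => re.test(text)).map(([name]) => name),
    ...RAW_SIGNALS.filter(([, re]) => re.test(html)).map(([name]) => name),
  ];
  return { phrases, signals };
}

// Runtime tamper check for an analyst's browser console: genuine built-in (or
// bound) functions stringify to "[native code]"; a page that replaced
// console.log with its own function does not. Heuristic only: a page could
// also patch Function.prototype.toString.
function looksNative(fn) {
  return (
    typeof fn === 'function' &&
    /\{\s*\[native code\]\s*\}/.test(Function.prototype.toString.call(fn))
  );
}

// Names of console methods that no longer look native in this environment.
function tamperedConsoleMethods(con = globalThis.console) {
  return ['log', 'warn', 'error', 'info', 'debug', 'table'].filter((m) => !looksNative(con[m]));
}

// Constructed sample resembling the page described: split brand text, an
// address bar rendered as text with a zero-width space inside the hostname,
// a sandboxed iframe and a script that neuters the console.
const SAMPLE_PAGE = [
  '<html><body><div class="fake-window">',
  '  <div class="addressbar">https://login.micro\u200Bsoftonline.com/common/oauth2/v2.0/authorize?client_id=abc</div>',
  '  <h1>Sign<span> </span>in<span> to your </span>acc<span>ount</span></h1>',
  '  <span>Mic</span><span>ro</span><span>soft</span>',
  '  <iframe sandbox="allow-scripts allow-forms" src="https://phish.example/form"></iframe>',
  '</div>',
  '<script>console.log = function () {}; console.error = () => {};</script>',
  '</body></html>',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(scanPage(SAMPLE_PAGE), null, 2));
  console.log('tampered console methods here:', tamperedConsoleMethods());
}
```

Run with `node scan.js` against a saved copy of a suspect page (replace `SAMPLE_PAGE` with the file contents). The static checks are deliberately simple pattern heuristics, so treat a hit as a reason to look closer rather than a verdict; the `looksNative` check is meant to be pasted into a browser console while examining a live page, where a non-native `console.log` is a strong sign that the page is interfering with analysis.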

Unit 42 also published a list of domains associated with the campaign.

Microsoft 365 users remain a frequent target of phishing campaigns. Last month, the FBI warned about Kali365, a phishing-as-a-service platform that enables attackers to steal Microsoft 365 access tokens and bypass MFA through device code phishing.
