GBHackers

New BitB Phishing Attack Targets Microsoft 365 Logins


A new Browser-in-the-Browser (BitB) phishing campaign is abusing fake OAuth login windows to steal Microsoft 365 credentials, and its design is polished enough to bypass casual visual checks.

The attack uses a draggable popup that mimics a real browser dialog, but the popup is embedded in the page itself and paired with a spoofed Microsoft OAuth URL painted into its fake address bar, so the login flow looks legitimate.

Researchers describe BitB as a phishing method that renders a fake sign-in window inside a webpage using common web technologies, rather than opening a genuine browser window.

In this campaign, the popup is not just cosmetic; it is tuned to match the victim’s operating system and browser fingerprint so the deception feels native to the device. That makes the window appear as if it belongs to the browser, when in reality it is part of the attacker’s page.

The campaign also includes anti-analysis controls, which are a sign of a more mature phishing operation.

It blocks debugging attempts, fragments keywords in its code to reduce detection, and can redirect automated bots away from the malicious content. Those evasion techniques help the operation stay hidden from scanners, sandbox systems, and researchers.
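As an added illustration of how an analyst might triage a kit for the three behaviours listed above (this is example code written for this page, not code from the reported campaign or from Unit 42), the script below runs a few static indicator checks over a phishing-kit script and reassembles fragmented string literals so the hidden keywords become readable. The sample kit is constructed for the demo; the patterns it uses are common in obfuscated kits but are not taken from any specific one.

```javascript
// Added example: static triage of a phishing-kit script (Node.js, no dependencies).
// The SAMPLE_KIT below is constructed for this demo and is not the campaign's code.
const SAMPLE_KIT = `
setInterval(function(){ debugger; }, 200);
var h = "lo"+"gin."+"micro"+"soft"+"online"+".com";
var p = ["pa","ss","wo","rd"].join("");
if (/HeadlessChrome|PhantomJS|bot|crawl/i.test(navigator.userAgent) || navigator.webdriver) {
  location.href = "https://www.bing.com/";
}
`;

// Keywords a kit would rather not show in plain text.
const KEYWORDS = /password|microsoftonline|login|office/i;

// Reassemble two common fragmentation tricks:
//   "lo"+"gin."+"micro"...          (short literals joined with +)
//   ["pa","ss","wo","rd"].join("")  (short literals joined via Array.join)
function reassembleFragments(src) {
  const found = [];
  const literals = s => [...s.matchAll(/"([^"\n]*)"/g)].map(x => x[1]).join("");
  const concatRe = /(?:"[^"\n]{1,8}"\s*\+\s*){2,}"[^"\n]{1,8}"/g;
  for (const m of src.matchAll(concatRe)) {
    found.push({ kind: "concat", original: m[0], value: literals(m[0]) });
  }
  const joinRe = /\[\s*(?:"[^"\n]{1,8}"\s*,\s*)+"[^"\n]{1,8}"\s*\]\s*\.join\(\s*(?:""|'')\s*\)/g;
  for (const m of src.matchAll(joinRe)) {
    found.push({ kind: "join", original: m[0], value: literals(m[0]) });
  }
  return found;
}

// Each indicator is a predicate over the raw source. Order matters only for output.
const INDICATORS = {
  // A debugger statement fired on a timer stalls anyone with devtools open.
  debuggerTrap: src => /set(?:Interval|Timeout)\s*\([\s\S]{0,80}?\bdebugger\b/.test(src),
  // Keywords split into short literals so simple string scanners miss them.
  fragmentedStrings: src => reassembleFragments(src).length > 0,
  // Automation fingerprinting: UA markers for headless browsers or navigator.webdriver.
  botFingerprinting: src =>
    /navigator\.(?:userAgent|webdriver)/.test(src) &&
    /Headless|Phantom|\bbot\b|crawl|webdriver/i.test(src),
  // Fingerprinting paired with a navigation: bots get sent somewhere harmless.
  botRedirect: src =>
    /navigator\.(?:userAgent|webdriver)/.test(src) &&
    /location\.(?:href|replace|assign)/.test(src),
};

function triageKit(src) {
  const indicators = Object.entries(INDICATORS)
    .filter(([, check]) => check(src))
    .map(([name]) => name);
  const recovered = reassembleFragments(src);
  const hiddenKeywords = recovered.filter(r => KEYWORDS.test(r.value)).map(r => r.value);
  // Crude score: a single hit is weak evidence, stacked behaviours are what marks a mature kit.
  const score = indicators.length + hiddenKeywords.length;
  return { indicators, recovered, hiddenKeywords, verdict: score >= 3 ? "suspicious" : "inconclusive" };
}

console.log(JSON.stringify(triageKit(SAMPLE_KIT), null, 2));
```

On the constructed sample this reports all four indicators and recovers `login.microsoftonline.com` and `password` from the fragments. The regexes are deliberately narrow (double-quoted literals up to eight characters); a real kit may use single quotes, `String.fromCharCode`, or array reversal, so treat this as a first pass, not a classifier.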

This style of phishing is effective because it exploits user trust in familiar OAuth flows and Microsoft branding.

According to Unit 42, many users now expect pop-up-based sign-ins for Microsoft 365, Google, and other identity providers, so a realistic-looking window can slip past instinctive scrutiny.

Once the victim enters a password, the attacker can capture the credentials immediately.

New BitB Phishing Attack

The bigger risk is that the fake window can also harvest session data in real time, defeating the assumption that a password plus traditional MFA makes a login safe.

Microsoft’s own guidance still emphasizes reporting suspicious messages and using built-in phishing protections, but BitB shows that visual trust alone is not enough. The result is a campaign that targets both human judgment and security tooling.

This attack sits within a broader wave of browser-based identity phishing that targets Microsoft, Facebook, and other major services. Recent reporting also shows attackers abusing legitimate Microsoft-related sign-in flows and federation components to redirect victims into credential theft chains.

The pattern is consistent: attackers are moving away from crude fake pages and toward high-fidelity login experiences that resemble the real thing.

The most important defensive shift is toward phishing-resistant authentication, especially passkeys and WebAuthn-based sign-in methods.

Traditional MFA still helps, but it does not fully solve attacks that proxy or simulate the login experience in real time, because a one-time code or push approval entered into the fake flow can be relayed along with the password.

Organizations using Microsoft 365 should pair user training with conditional access, domain verification checks, and aggressive reporting workflows.

A practical test is whether a login popup can be dragged outside the browser window or behaves like a real system dialog.

If it gets stuck inside the page, fails to trigger the password manager, or appears under a suspicious URL, treat it as malicious.

Users should also open Microsoft 365 sign-ins by typing the address directly rather than following embedded login links.
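The practical test above rests on one fact: a genuine OAuth popup is a separate top-level browser window, whereas a BitB "window" is DOM inside the phishing page, so the address bar it shows is just text. The bookmarklet-style heuristic below, added here as an example and not taken from the article or the campaign, lists positioned overlays that paint an identity-provider hostname different from the page's real `location.hostname`. The element descriptors and the hostnames it treats as identity providers are constructed assumptions for the demo.

```javascript
// Added example: flag in-page overlays that paint an IdP hostname the page is not served from.
// IDP_HOSTS is an assumed allowlist; extend it for the providers your tenant uses.
const IDP_HOSTS = new Set([
  "login.microsoftonline.com", "login.live.com", "login.microsoft.com", "accounts.google.com",
]);

// Pull hostnames out of free text: full URLs and bare host mentions.
function hostnamesIn(text) {
  const hosts = new Set();
  for (const m of text.matchAll(/(?:https?:\/\/)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)/gi)) {
    hosts.add(m[1].toLowerCase());
  }
  return [...hosts];
}

// elements: [{ selector, text, position, zIndex }], realHostname: the page's location.hostname.
// Returns one finding per element whose text paints an IdP host that is not the real origin.
function findBitbCandidates(elements, realHostname) {
  const real = realHostname.toLowerCase();
  const findings = [];
  for (const el of elements) {
    const painted = hostnamesIn(el.text).filter(h => IDP_HOSTS.has(h));
    // If the page really is served by that IdP, the string can be legitimate UI text.
    const spoofed = painted.filter(h => h !== real);
    if (spoofed.length === 0) continue;
    // A fixed/absolute element with a high z-index is the usual shape of a fake browser frame.
    const overlay = ["fixed", "absolute"].includes(el.position) && Number(el.zIndex) >= 100;
    findings.push({
      selector: el.selector,
      paintedHost: spoofed[0],
      realHost: real,
      overlay,
      reason: overlay
        ? "positioned overlay paints an IdP hostname that is not the page origin (BitB pattern)"
        : "page text references an IdP hostname that is not the page origin",
    });
  }
  return findings;
}

// Browser-side collector: turns the live DOM into the descriptor shape above.
// Runs only where `document` exists (devtools console or bookmarklet), returns [] under Node.
function collectOverlays() {
  if (typeof document === "undefined") return [];
  const out = [];
  for (const node of document.querySelectorAll("body *")) {
    const cs = getComputedStyle(node);
    if (cs.position !== "fixed" && cs.position !== "absolute") continue;
    out.push({
      selector: node.tagName.toLowerCase() + (node.id ? "#" + node.id : ""),
      text: node.innerText || "",
      position: cs.position,
      zIndex: cs.zIndex,
    });
  }
  return out;
}

// Constructed sample: what a BitB page might look like after collectOverlays().
const SAMPLE_ELEMENTS = [
  {
    selector: "div#fake-chrome",
    text: "Sign in to your account - Microsoft\nhttps://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=example",
    position: "fixed",
    zIndex: "9999",
  },
  { selector: "footer", text: "Contoso Ltd. Privacy and cookies", position: "static", zIndex: "auto" },
  { selector: "div#overlay", text: "Loading...", position: "fixed", zIndex: "10" },
];

const pageHost = typeof location !== "undefined" ? location.hostname : "secure-docs-share.example";
const elements = typeof document !== "undefined" ? collectOverlays() : SAMPLE_ELEMENTS;
console.log(JSON.stringify(findBitbCandidates(elements, pageHost), null, 2));
```

In a browser, paste the block into the devtools console on the suspect page; under Node it runs against the constructed sample and flags only `div#fake-chrome`. The check complements the drag test rather than replacing it: it catches the address-bar text, while the drag test and the password manager's origin binding catch the window itself.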

The attached image shows the core deception clearly: a spoofed OAuth authorization bar, a Microsoft sign-in panel, and a fake browser frame designed to sell legitimacy.

In short, this is not a simple phishing page; it is a precision-built credential theft campaign that weaponizes browser familiarity and user habit.
