New Sneaky 2FA Phishing Kit with BitB Technique Attacking Users to Steal Microsoft Account Credentials

The Sneaky2FA phishing-as-a-service kit has added a new capability that makes stealing Microsoft account credentials easier for its customers.

Push Security researchers identified the updated kit operating in the wild. It now uses the Browser-in-the-Browser (BITB) technique: a fake browser pop-up, complete with a title bar and an address bar showing a trusted Microsoft sign-in URL, is drawn inside the attacker's own page to trick users into entering their credentials.

This development represents a troubling evolution in phishing attacks that continues to threaten organizations worldwide.

Phishing-as-a-Service kits like Sneaky2FA have become popular in criminal circles because they lower the barrier to entry: a buyer gets a working, maintained attack toolkit without having to build one.

Sneaky2FA is sold through Telegram. Customers receive licensed, obfuscated copies of the kit's source code that they host and operate themselves.

The competitive environment within the cybercriminal marketplace has driven innovation at an alarming pace, creating an arms race where attackers constantly develop new ways to bypass security controls and steal credentials.

Push Security analysts and researchers identified the latest Sneaky2FA variant after detecting unusual activity, suggesting the tool had gained new technical capabilities.

BITB functionality

The addition of BITB functionality represents a significant tactical shift for the platform, combining multiple layers of deception to maximize the chances of successful credential theft.

When users encounter this phishing attack, they first see what appears to be a legitimate Adobe Acrobat Reader document requiring them to sign in with their Microsoft account.

After clicking the sign-in button, an embedded browser window appears, displaying what looks like an authentic Microsoft login page.

The user is prompted to 'Sign in with Microsoft' as part of the phishing lure (Source: Push Security)

This pop-up, however, is not a browser window at all. It is HTML and CSS rendered inside the attacker's page: the window frame, the title bar and the address bar showing a Microsoft login URL are ordinary page content, so nothing the "address bar" displays says anything about the real origin. The fake window also adapts its look (window controls, fonts and chrome styling) to the visitor's operating system and browser, so it matches what the user expects to see. One practical giveaway: a real pop-up can be dragged outside the parent browser window, whereas a BITB window is confined to the page that draws it.

The attack also layers several evasion mechanisms to keep security tools from seeing the phishing page. Before a visitor reaches it, they must pass a Cloudflare Turnstile bot-protection check, which also stops automated crawlers and URL scanners from ever retrieving the page content.

The HTML and JavaScript are heavily obfuscated to defeat signature and pattern-matching detection. The phishing URLs use random paths of roughly 150 characters, and the pages are hosted on compromised or aged-looking websites, so neither the path nor the domain offers a stable indicator to block on.

Attackers frequently rotate these domains, using them briefly before abandoning them and deploying new ones, creating a constantly moving target for traditional defenses.
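As an added example (this is not Push Security's detection logic, nor code from the Sneaky2FA kit), the following JavaScript scores a page against two of the indicators described above: a trusted Microsoft login URL rendered as page text on an origin that is not that host, which is the tell of a BITB fake address bar, and an over-long random path segment in the landing URL. The host list, thresholds, function names, sample page and sample URL are all this example's own assumptions.

```javascript
// Added example, not Push Security's tooling or the kit's code. Two cheap
// live-page heuristics for the indicators described in the article; the host
// list, thresholds and sample page are this example's own assumptions.

const TRUSTED_LOGIN_HOSTS = [
  'login.microsoftonline.com',
  'login.live.com',
  'login.microsoft.com',
];

// Reduce an HTML document to roughly what the user sees: drop <script>/<style>
// bodies, strip tags, decode the few entities that matter for URLs.
function visibleText(html) {
  return html
    .replace(/<(script|style)[^>]*>[\s\S]*?<\/\1>/gi, ' ')
    .replace(/<[^>]+>/g, ' ')
    .replace(/&#x2F;|&#47;/gi, '/')
    .replace(/&amp;/gi, '&')
    .replace(/\s+/g, ' ');
}

// A genuine sign-in pop-up is a separate top-level window whose address bar is
// drawn by the browser chrome, which page content cannot reach. A BITB fake has
// to paint that address bar into the DOM, so a trusted login host appearing as
// rendered text on a page that is not served from that host is a strong signal
// of a fake window.
function findSpoofedAddressBars(html, pageUrl) {
  const actualHost = new URL(pageUrl).hostname.toLowerCase();
  const text = visibleText(html);
  const hits = [];
  for (const host of TRUSTED_LOGIN_HOSTS) {
    if (actualHost === host) continue; // the page really is the login host
    const re = new RegExp('https?://' + host.replace(/\./g, '\\.') + '[^\\s"\'<>]*', 'gi');
    for (const m of text.matchAll(re)) hits.push(m[0]);
  }
  return hits;
}

// Shannon entropy in bits per character; separates random tokens from ordinary
// slugs such as /invoices/2024/q3-report.
function entropyBitsPerChar(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// The kit's landing URLs carry very long random path components. Thresholds are
// assumptions: one path segment of 100+ URL-safe characters with high entropy.
function looksLikeRandomPath(pageUrl, minLen = 100, minEntropy = 4.5) {
  const segments = new URL(pageUrl).pathname.split('/').filter(Boolean);
  return segments.some(seg =>
    seg.length >= minLen &&
    /^[A-Za-z0-9_-]+$/.test(seg) &&
    entropyBitsPerChar(seg) >= minEntropy);
}

// Combine both signals into a list of findings for one landing page.
function analyzeLandingPage(pageUrl, html) {
  const findings = [];
  const bars = findSpoofedAddressBars(html, pageUrl);
  if (bars.length > 0) findings.push({ indicator: 'bitb-address-bar', evidence: bars });
  if (looksLikeRandomPath(pageUrl)) {
    findings.push({ indicator: 'random-long-path', evidence: new URL(pageUrl).pathname });
  }
  return findings;
}

// Constructed sample: a lure page whose "window" address bar is just a div.
const SAMPLE_FAKE_PAGE = `
<html><body>
<div class="doc">Adobe Acrobat Reader: <button>Sign in with Microsoft</button></div>
<div class="bitb-window">
  <div class="bitb-titlebar">Sign in to your account</div>
  <div class="bitb-urlbar">https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=example</div>
  <iframe src="/p/login.html"></iframe>
</div>
<script>var t = "https://login.microsoftonline.com/"; // not rendered text</script>
</body></html>`;

// Constructed landing URL with a 150-character random-looking path segment.
const SAMPLE_FAKE_URL = 'https://docs-viewer.example/' +
  'x9Kq3ZtLm2Rv7PwYb4NsHc8JdF1GaTu0EiO6kVzXyQ5nMjW2CerBf3UsA9hDpl4KoTx7VgZ1wNiE8qRmS6cYbH0dLuF5tGvP2jMakX9zWnQ4eIO3rUsC7yBhT8lDfJ1aKpV6mEgN0xZwq2RiYcS5tH';

console.log(JSON.stringify(analyzeLandingPage(SAMPLE_FAKE_URL, SAMPLE_FAKE_PAGE), null, 2));
```

Because the kit gates its content behind a Cloudflare Turnstile check, a scanner that fetches the URL out of band may never receive this HTML at all; a check like this belongs where the page is actually rendered, for example in a browser extension with access to the live DOM and `location`. The manual equivalent for a user is to try dragging the "pop-up" outside the browser window: a real pop-up moves independently, a BITB window cannot leave the page that draws it.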

This innovation in phishing techniques demonstrates how attackers continue adapting their methods to bypass modern security controls.

Users should remain vigilant when encountering unexpected requests to verify their identity online, particularly when pop-up windows appear requesting sensitive credentials.

Organizations should deploy controls that inspect the page as it is actually rendered in the user's browser, rather than relying only on defenses that examine domain reputation or static signatures: domain rotation, Turnstile gating and code obfuscation are specifically designed to defeat those.
