🔴 HIGHintel

Sneaky2FA Kit Adds Browser-in-the-Browser Credential Attack

Category:Threat Alerts
The Sneaky2FA phishing-as-a-service (PhaaS) kit has adopted a Browser-in-the-Browser (BitB) technique to steal Microsoft 365 credentials and active session tokens. The campaign uses realistic pop-ups that mimic legitimate OAuth windows, creating a high-fidelity phishing surface mapped to MITRE ATT&CK techniques T1566 (Phishing), T1556 (Modify Authentication), and T1110 (Credential Access). Attackers combine deceptive Microsoft login overlays with Attacker-in-the-Middle (AitM) reverse-proxy flows to intercept MFA-protected sessions.

As described in the published research, Sneaky2FA dynamically adjusts the spoofed login window to match the victim’s OS and browser environment. The kit routes targets through Cloudflare Turnstile checks before rendering the fake authentication window, which hampers automated detection and scanning. Obfuscated JavaScript, conditional loading, invisible UI tags, and encoded images further complicate static analysis and fingerprinting. The BitB overlay wraps Sneaky2FA’s existing reverse-proxy Microsoft phishing infrastructure, enabling real-time capture of credentials and session cookies for immediate account takeover.

The business risk from these attacks is severe, particularly for enterprises relying on Microsoft 365 for identity, email, and document workflows. Stolen session tokens bypass MFA, conditional access policies, and device trust restrictions, enabling lateral movement, data theft, and potential ransomware staging. Organizations subject to GDPR, SOX, and PCI-DSS face compliance violations if account compromise results in unauthorized data exposure.

Mitigation requires tightening identity access policies, enforcing phishing-resistant MFA (FIDO2/WebAuthn), monitoring for unusual OAuth application consent events, and implementing browser isolation for high-risk users. Security teams should enhance detection for reverse-proxy phishing infrastructures and educate users on BitB recognition techniques such as drag-testing pop-ups and verifying taskbar entries.

🎯 CORTEX Protocol Intelligence Assessment

Business Impact: Microsoft 365 account compromises resulting from Sneaky2FA’s AitM and BitB hybrid approach can lead to mass credential theft, internal email compromise, and unauthorized data access. Organizations risk operational disruption, fraud, and regulatory action.

Technical Context: Sneaky2FA combines BitB HTML templates with reverse-proxy authentication interception. This method bypasses MFA and leverages evasion techniques such as obfuscation, conditional loading, and deceptive window UI spoofing. TTPs map to MITRE T1566, T1556, T1110, and T1059.

Strategic Intelligence Guidance

  • Deploy phishing-resistant MFA such as FIDO2 keys for high-value accounts.
  • Monitor OAuth consent logs and detect anomalous session token replays.
  • Implement browser isolation or enterprise hardened browser configurations.
  • Enhance email and web filtering to block reverse-proxy phishing infrastructures.
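The session-token replay detection in the guidance above, as an added example that is not part of the original alert: in an AitM flow the interactive MFA sign-in arrives via the proxy, and the captured cookie is then presented from the attacker's own address shortly afterwards. The sign-in records below are constructed, and the field names are assumptions loosely modelled on Entra ID sign-in logs, not a vendor schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real telemetry). "mfa" records whether
# the request completed an interactive MFA prompt or only carried an MFA claim
# inside an existing session token. Field names are assumptions.
SIGN_INS = [
    {"time": "2024-06-01T09:00:00", "user": "alice@example.com", "session_id": "s-1",
     "ip": "203.0.113.10", "country": "GB", "mfa": "interactive"},
    {"time": "2024-06-01T09:04:00", "user": "alice@example.com", "session_id": "s-1",
     "ip": "198.51.100.77", "country": "NL", "mfa": "token_claim"},
    {"time": "2024-06-01T10:00:00", "user": "bob@example.com", "session_id": "s-2",
     "ip": "203.0.113.20", "country": "GB", "mfa": "interactive"},
    {"time": "2024-06-01T12:30:00", "user": "bob@example.com", "session_id": "s-2",
     "ip": "203.0.113.20", "country": "GB", "mfa": "token_claim"},
]

REPLAY_WINDOW = timedelta(minutes=30)  # AitM replays usually follow within minutes


def find_session_replays(events, window=REPLAY_WINDOW):
    """Flag sessions whose token is presented from a different IP than the one
    that completed the interactive MFA sign-in, within `window` of that sign-in
    and without a fresh MFA prompt. A country change raises the severity."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session_id"]].append(e)
    alerts = []
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e["time"])
        # The interactive sign-in is the session origin (in AitM, the proxy).
        origin = next((e for e in evs if e["mfa"] == "interactive"), None)
        if origin is None:
            continue
        t0 = datetime.fromisoformat(origin["time"])
        for e in evs:
            if e["mfa"] == "interactive":
                continue
            delta = datetime.fromisoformat(e["time"]) - t0
            if e["ip"] != origin["ip"] and timedelta(0) <= delta <= window:
                alerts.append({
                    "user": e["user"], "session_id": sid,
                    "origin_ip": origin["ip"], "replay_ip": e["ip"],
                    "delta_minutes": int(delta.total_seconds() // 60),
                    "severity": "high" if e["country"] != origin["country"] else "medium",
                })
    return alerts
```

Legitimate IP changes (mobile handoff, VPN reconnects) will also trip the IP check, so treat the medium-severity hits as triage candidates and the cross-country hits as priority.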

Vendors

Microsoft

Threats

Sneaky2FA

Targets

Microsoft 365 accounts

Enterprise employees