New Browser-in-the-Browser Phishing Attack to Steal Microsoft 365
A new and sophisticated Browser-in-the-Browser (BitB) phishing campaign has emerged, specifically targeting Microsoft 365 users.
The attack is so convincing that even tech-savvy users can fall for it without realizing their credentials have been stolen.
The campaign works by embedding a fake browser popup window directly inside a malicious webpage. The popup mimics the standard Microsoft OAuth login screen, complete with a fake address bar showing a legitimate-looking URL, a padlock icon, and familiar branding.
Users who click “Sign in with Microsoft” on a compromised site are shown this fake window and, believing it to be real, willingly type in their login details.
Researchers at Unit 42, the threat intelligence and incident response team, identified the campaign and shared details in a report with Cyber Security News (CSN).
They noted that this phishing popup is not just a simple overlay. It is draggable across the screen and uses OS and browser fingerprinting to tailor its appearance to each victim’s device, making it look even more convincing and harder to flag as suspicious.
What makes this campaign particularly dangerous is how it evades security tools. The attackers block debugging attempts, fragment keywords to bypass content filters, and redirect automated bots away from the malicious page.
This means standard detection tools often see nothing unusual, giving the attack a clear path to reach real human targets.
The goal is straightforward but damaging. Once the victim enters their credentials, the attacker captures the OAuth consent grant, which can then be used to access Microsoft 365 environments long after the initial login.
This stolen token acts much like a session cookie, granting persistent access without requiring the victim’s password again.
New Browser-in-the-Browser Phishing Attack
The attack begins when a victim lands on a page that looks like a legitimate service requiring a Microsoft login.
When they click the sign-in button, a fake popup window is rendered entirely within the browser tab using HTML, CSS, and JavaScript. The window includes a spoofed URL bar showing a realistic Microsoft OAuth address, creating a false sense of security.
Unlike a real browser popup, which is an independent operating system window, this fake one is a DOM element trapped inside the parent tab.
However, the attackers have gone a step further by making it draggable, which mimics the feel of a real window and removes one of the most reliable visual cues users might rely on to spot a fake.
The OS and browser fingerprinting ensures the popup matches the victim’s actual system, so the font, styling, and behavior all look exactly right. Once credentials are entered, they are silently sent to an attacker-controlled server.
The victim is often redirected to the real Microsoft login page afterward, so they simply think they mistyped their password and try again, never suspecting they have been compromised.
The Danger of Captured OAuth Tokens
The reason this attack is especially alarming is what happens after the credentials are stolen. As security researcher DLTA noted in response to the Unit 42 finding, capturing the OAuth consent grant itself is the real prize.
This artifact can keep working like a session cookie or an SSO refresh token, giving the attacker ongoing access to cloud environments, email accounts, and connected services.
This means even resetting a password may not immediately revoke an attacker’s access if they already hold a valid session token. Organizations need to monitor for active sessions from unfamiliar locations or devices and revoke suspicious tokens immediately.
To stay protected, users should enable phishing-resistant authentication like passkeys or FIDO2 hardware keys wherever possible.
Password managers also serve as an early warning signal since they will not autofill credentials into a fake popup that does not match the real site origin. Conditional access policies that restrict sign-ins to managed devices add another strong layer of defense.
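As an added example (not code from the article or from Unit 42), the following JavaScript shows the two origin-based checks that the description above relies on: a detector that flags an identity provider's login hostname appearing as rendered page text on a page that is not served by that provider (the fake address bar is only text inside the DOM), including the normalization step needed because the campaign fragments keywords to slip past content filters, and the origin comparison a password manager makes before autofilling. The hosting-page origin and the split text fragments are constructed sample input; `login.microsoftonline.com` is assumed here as the provider's login host.

```javascript
// Added example, not from the article: two origin-based checks that separate a real
// identity-provider window from a BitB "popup" drawn inside the hosting page.
//
// Check 1: a spoofed address bar is just text rendered in the page. If a page that is
// NOT served by the identity provider renders the provider's login hostname, something
// on that page is imitating the provider's address bar. Attackers split the keyword
// across text nodes and pad it with invisible characters to defeat naive filters, so
// the visible text is rebuilt and normalized first.
//
// Check 2: a password manager fills a saved credential only when the document origin
// equals the origin the credential was saved for, so a fake popup on another origin
// is never offered the credential.

// Assumed provider login host (real Microsoft Entra ID sign-in host; extend as needed).
const IDP_LOGIN_HOSTS = ['login.microsoftonline.com'];

// Characters commonly inserted to split a keyword without changing what the user sees:
// zero-width space/non-joiner/joiner, word joiner, soft hyphen, byte-order mark.
const INVISIBLE = /[\u200B\u200C\u200D\u2060\u00AD\uFEFF]/g;

// Rebuild the text a user actually sees from adjacent text fragments (what a DOM walk
// over text nodes yields). Fragments are joined without a separator because adjacent
// inline spans render as one run of text.
function normalizeRenderedText(fragments) {
  return fragments.join('').replace(INVISIBLE, '').toLowerCase();
}

// Returns the provider hosts that appear in the visible text of a page not served by
// that provider. An empty list means nothing suspicious was found.
function findSpoofedAddressBars(pageOrigin, textFragments, idpHosts = IDP_LOGIN_HOSTS) {
  const actualHost = new URL(pageOrigin).hostname.toLowerCase();
  const visible = normalizeRenderedText(textFragments);
  return idpHosts.filter((host) => host !== actualHost && visible.includes(host));
}

// Password-manager style decision: fill only on an exact origin match
// (scheme + host + port, default ports normalized by the URL parser).
function shouldAutofill(savedForOrigin, documentOrigin) {
  return new URL(savedForOrigin).origin === new URL(documentOrigin).origin;
}

// Constructed sample: a hosting page at a placeholder origin whose fake address bar is
// split across three spans, with a zero-width space inserted inside the hostname.
const SAMPLE_PAGE_ORIGIN = 'https://hosting-page.example';
const SAMPLE_FRAGMENTS = [
  'https://login.micro',
  '\u200Bsoftonline.com',
  '/common/oauth2/v2.0/authorize',
];

function demo() {
  console.log('spoofed provider hosts in page text:',
    findSpoofedAddressBars(SAMPLE_PAGE_ORIGIN, SAMPLE_FRAGMENTS));
  console.log('same text on the real provider page:',
    findSpoofedAddressBars('https://login.microsoftonline.com', SAMPLE_FRAGMENTS));
  console.log('autofill into fake popup:',
    shouldAutofill('https://login.microsoftonline.com', SAMPLE_PAGE_ORIGIN));
  console.log('autofill on real provider page:',
    shouldAutofill('https://login.microsoftonline.com', 'https://login.microsoftonline.com/'));
}
demo();
```

The text check is a heuristic for a content script or proxy filter, not proof of phishing: documentation pages legitimately mention provider hostnames, so it belongs behind an allow-list and alongside the other signals the article names (sessions from unfamiliar devices, sign-ins outside conditional access policy). The autofill check is the reason a password manager staying silent on a "Microsoft" login is itself a warning sign worth teaching users.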