Published on June 9, 2026

New Browser-in-the-Browser Phishing Attack Targets Microsoft 365 Login Credentials


Severity

High

Detail

Security researchers have identified a sophisticated phishing campaign targeting Microsoft 365 users through a Browser-in-the-Browser (BitB) attack technique. The campaign leverages highly realistic fake browser overlays to impersonate legitimate Microsoft Single Sign-On (SSO) authentication prompts and steal user credentials.

Browser-in-the-Browser attacks create deceptive browser windows within a webpage, enabling attackers to replicate trusted login interfaces while concealing the actual destination of submitted credentials. By spoofing browser address bars, lock icons, and authentication dialogs, the technique can bypass traditional user verification methods that rely on checking URLs and visual security indicators.

The campaign specifically targets Microsoft 365 accounts, which are widely used for enterprise email, cloud storage, document collaboration, and other business-critical services. Successful credential theft may allow attackers to gain unauthorized access to corporate cloud environments and sensitive organizational data.

How?

A compromised or malicious website triggers the attack when a user visits the page. The webpage executes malicious code that generates a fake browser window displayed as an overlay within the active browser session. The window is designed to closely resemble a legitimate Microsoft Single Sign-On (SSO) authentication prompt, including a spoofed address bar, fake lock icons, and realistic browser interface elements.

Operating system and browser fingerprinting are used to identify the victim’s environment and tailor the appearance of the phishing interface. The fake login window dynamically adapts to match the user’s system, such as Google Chrome on Windows or Safari on macOS. The fraudulent window can also be moved around the screen, increasing its resemblance to a genuine browser authentication dialog.

A spoofed Microsoft OAuth login page is displayed inside the fake window along with a legitimate-looking Microsoft URL. However, this URL is part of the crafted webpage and not the actual browser address bar. Any credentials entered into the fake login form are transmitted directly to attacker-controlled infrastructure. Researchers also observed that the malicious content is selectively delivered to real users, helping the campaign evade automated detection systems and delaying security vendor analysis.

Recommendation

Organizations should implement the following security measures to reduce the risk of credential theft from Browser-in-the-Browser phishing attacks:

  • Enforce phishing-resistant Multi-Factor Authentication (MFA), such as hardware security keys, for all Microsoft 365 accounts.
  • Deploy and encourage the use of password managers; because they bind saved credentials to the real origin of the page, they will not autofill into a fake login form drawn on an attacker's domain, which gives users a reliable signal that the prompt is not genuine.
  • Conduct regular security awareness training focused on modern phishing techniques, including Browser-in-the-Browser attacks.
  • Monitor authentication logs for suspicious login activity, unusual geographic access patterns, and unauthorized account usage.
  • Implement conditional access policies and risk-based authentication controls where available.
  • Encourage users to access Microsoft 365 services through trusted bookmarks or official portals rather than links received through emails or websites.
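Credentials harvested through a BitB overlay are typically replayed later from attacker-controlled infrastructure, so the compromise shows up in sign-in telemetry as a valid-password login from an unexpected place. The following Python script is an added example (not part of the advisory or its source article) of the kind of check the monitoring recommendation above calls for: it flags successful sign-ins from a country outside each user's baseline and "impossible travel" pairs where the same account succeeds from two countries within a short window. The event records and the baseline are constructed sample data, and the field names (`time`, `user`, `ip`, `country`, `status`) are an assumed, simplified layout; map them to your own sign-in log export.

```python
"""Flag suspicious Microsoft 365 sign-ins: new countries and impossible travel.

Added example for the monitoring recommendation; not code from the advisory.
The event layout is a constructed, simplified approximation of sign-in log
fields (assumption), so adjust the keys to match your own export.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample sign-in events (documentation IP ranges, not real telemetry).
SAMPLE_EVENTS = [
    {"time": "2026-06-09T08:00:00Z", "user": "alice@example.com",
     "ip": "203.0.113.10", "country": "US", "status": "success"},
    # Valid password used 40 minutes later from another country: impossible travel.
    {"time": "2026-06-09T08:40:00Z", "user": "alice@example.com",
     "ip": "198.51.100.7", "country": "NL", "status": "success"},
    {"time": "2026-06-09T09:00:00Z", "user": "bob@example.com",
     "ip": "203.0.113.22", "country": "US", "status": "success"},
    # A failed attempt does not establish a new location on its own.
    {"time": "2026-06-09T09:05:00Z", "user": "bob@example.com",
     "ip": "192.0.2.9", "country": "BR", "status": "failure"},
    # Success from a country bob has never used: new-country alert, but six
    # hours after the US sign-in, so not impossible travel under a 1h window.
    {"time": "2026-06-09T15:00:00Z", "user": "bob@example.com",
     "ip": "192.0.2.9", "country": "BR", "status": "success"},
]

# Constructed baseline: countries each user is normally seen from.
BASELINE_COUNTRIES = {
    "alice@example.com": {"US"},
    "bob@example.com": {"US"},
}


def parse_time(ts):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def successful_by_user(events):
    """Group successful sign-ins per user, sorted chronologically."""
    per_user = defaultdict(list)
    for ev in events:
        if ev["status"] == "success":
            per_user[ev["user"]].append(ev)
    for evs in per_user.values():
        evs.sort(key=lambda e: parse_time(e["time"]))
    return per_user


def detect_new_country(events, baseline):
    """Alert once per user for each successful sign-in country not in the baseline."""
    alerts = []
    # Copy the baseline sets so the caller's baseline is not mutated.
    known_by_user = {user: set(countries) for user, countries in baseline.items()}
    for user, evs in successful_by_user(events).items():
        known = known_by_user.setdefault(user, set())
        for ev in evs:
            if ev["country"] not in known:
                alerts.append({"rule": "new_country", "user": user,
                               "country": ev["country"], "ip": ev["ip"],
                               "time": ev["time"]})
                known.add(ev["country"])  # one alert per newly seen country
    return alerts


def detect_impossible_travel(events, window=timedelta(hours=1)):
    """Alert when consecutive successes for a user come from different countries
    closer together in time than `window`."""
    alerts = []
    for user, evs in successful_by_user(events).items():
        for prev, cur in zip(evs, evs[1:]):
            gap = parse_time(cur["time"]) - parse_time(prev["time"])
            if prev["country"] != cur["country"] and gap < window:
                alerts.append({"rule": "impossible_travel", "user": user,
                               "from": prev["country"], "to": cur["country"],
                               "gap_minutes": int(gap.total_seconds() // 60),
                               "ip": cur["ip"], "time": cur["time"]})
    return alerts


def analyze(events, baseline):
    """Run both rules and return the combined alert list."""
    return detect_new_country(events, baseline) + detect_impossible_travel(events)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS, BASELINE_COUNTRIES):
        print(alert)
```

On the sample data the script raises three alerts: a new-country and an impossible-travel alert for alice (the replayed password from NL), and a new-country alert for bob. In practice the baseline would be learned from a trailing window of each user's history rather than hard-coded, and alerts would be fed to a conditional access or session-revocation workflow rather than printed.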

Source

https://cyberpress.org/microsoft-365-phishing-attack/