Sneaky2FA PhaaS Kit Enhances Browser-in-the-Browser Attack
The Sneaky2FA phishing-as-a-service (PhaaS) kit has recently integrated browser-in-the-browser (BitB) capabilities, enabling attacks aimed at stealing Microsoft credentials and active sessions.
Sneaky2FA is currently a popular PhaaS platform, standing alongside Tycoon2FA and Mamba2FA, primarily targeting Microsoft 365 accounts.
Sneaky2FA was previously known for its SVG-based lures and attacker-in-the-middle (AitM) tactics, in which the victim's authentication is relayed through a phishing page so that valid session tokens end up with the attacker; it has now added BitB functionality on top of that.
According to a report by Push Security, Sneaky2FA’s BitB feature includes a pop-up that replicates a genuine Microsoft login window, dynamically adapting to the victim’s operating system and browser for enhanced deception.
With BitB incorporated, threat actors can gain unauthorized access to victims’ accounts while bypassing two-factor authentication (2FA) protections.
BitB, originally conceptualized by researcher mr.d0x in 2022, has been adopted by malicious actors for real-world attacks targeting various services, including Facebook and Steam accounts.
During a BitB attack, users visiting an attacker-controlled webpage encounter a fabricated browser pop-up window displaying a login form.
The pop-up is a template built around an iframe that mimics a legitimate authentication form; the attacker can set the displayed URL and window title to make it look authentic.
Because the fake window draws its own URL bar showing the targeted service’s official domain, it passes for a trustworthy OAuth pop-up.
In the case of Sneaky2FA, victims are directed to a phishing link on ‘previewdoc[.]com’ and subjected to a Cloudflare Turnstile bot check before being prompted to sign in with Microsoft to access a document.
Image source: Push Security
If the “Sign in with Microsoft” option is selected, the fake BitB window is rendered, complete with a fake Microsoft URL bar styled to match Edge on Windows or Safari on macOS.
Within the fake pop-up, Sneaky2FA deploys its reverse-proxy Microsoft phishing page, leveraging the genuine login flow to pilfer both account credentials and session tokens through its AitM system.
Image source: Push Security
BitB acts as a visual deception layer atop Sneaky2FA’s existing AitM capabilities, enhancing the realism of the attack sequence.
The phishing kit utilizes conditional loading to redirect bots and researchers to benign pages, evading detection.
Push Security highlights the sophisticated evasion tactics employed by these phishing sites, designed to evade detection mechanisms and avoid triggering alerts.
One way to test whether a pop-up login form is genuine is to try dragging it outside the main browser window: an iframe is confined to its parent window and cannot leave it.
A genuine pop-up also appears as a separate browser window in the taskbar.
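The two passages above describe the BitB mechanism (an in-page iframe dressed up with a drawn URL bar) and the manual checks a user can perform (drag the window, look for a taskbar entry). The following is an added defensive example, not code from Push Security, the Sneaky2FA kit, or this article's author. It turns the same observation into a DOM heuristic: a real pop-up is a separate window and never appears in the page's DOM, so an element that both draws a URL bar naming a login domain and contains an iframe whose real src is elsewhere is a BitB overlay candidate. The watched-host list, the `el()` mock and the sample page (including the host `phish.example`) are constructed assumptions; in a browser you would call `findBitbOverlays(document.body)` directly, since real Elements expose the same `tagName`, `children`, `textContent` and `getAttribute`.

```javascript
// Heuristic browser-in-the-browser (BitB) overlay detector.
// Added example; not code from the article, Push Security or Sneaky2FA.
// Signal: an in-page element that displays a URL bar as plain text
// (e.g. "https://login.microsoftonline.com/...") next to an iframe whose
// actual src is on a different host (or has no src at all).

const URL_TEXT = /https?:\/\/[a-z0-9.-]+(?:\/\S*)?/i;

// Hosts a fake URL bar would plausibly display (assumed list, extend as needed).
const WATCHED_HOSTS = new Set([
  "login.microsoftonline.com",
  "login.live.com",
  "accounts.google.com",
]);

// Hostname of a URL, or null when the string is not a parseable URL.
function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch { return null; }
}

// Walks a DOM-like tree post-order and reports the innermost element that
// contains both a displayed watched-host URL and a mismatching iframe.
function findBitbOverlays(root) {
  const findings = [];

  function visit(node) {
    const kids = Array.from(node.children || []);
    const info = { iframeHosts: [], shownHosts: [], flagged: false };

    if (node.tagName === "IFRAME") {
      // Missing src (e.g. srcdoc) yields null and still counts as a mismatch.
      info.iframeHosts.push(hostOf(node.getAttribute("src") || ""));
      return info;
    }
    if (kids.length === 0) {
      // Leaf element: text that looks like a URL is a "drawn" address bar.
      const m = URL_TEXT.exec((node.textContent || "").trim());
      if (m) info.shownHosts.push(hostOf(m[0]));
      return info;
    }
    for (const kid of kids) {
      const sub = visit(kid);
      info.iframeHosts.push(...sub.iframeHosts);
      info.shownHosts.push(...sub.shownHosts);
      info.flagged = info.flagged || sub.flagged;
    }
    if (!info.flagged) {
      for (const shown of info.shownHosts) {
        if (!WATCHED_HOSTS.has(shown)) continue;
        for (const real of info.iframeHosts) {
          if (real !== shown) {
            findings.push({ shownHost: shown, iframeHost: real, element: node });
            info.flagged = true; // report once, at the innermost container
          }
        }
      }
    }
    return info;
  }

  visit(root);
  return findings;
}

// Minimal Element-like mock so the walker runs outside a browser (Node).
function el(tagName, attrs = {}, children = [], text = "") {
  return {
    tagName: tagName.toUpperCase(),
    children,
    getAttribute: (name) => (name in attrs ? attrs[name] : null),
    get textContent() {
      return children.length ? children.map((c) => c.textContent).join("") : text;
    },
  };
}

// Constructed sample page: a benign embedded viewer plus a BitB-style overlay.
function samplePage() {
  return el("body", {}, [
    el("div", { class: "viewer" }, [
      el("p", {}, [], "Quarterly report.pdf"),
      el("iframe", { src: "https://docs.example/viewer?id=42" }),
    ]),
    el("div", { class: "fake-window" }, [
      el("div", { class: "titlebar" }, [], "Sign in to your account"),
      el("div", { class: "urlbar" }, [],
        "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"),
      el("iframe", { src: "https://phish.example/aitm/login" }),
    ]),
  ]);
}

for (const f of findBitbOverlays(samplePage())) {
  console.log(`BitB candidate: shows ${f.shownHost}, frames ${f.iframeHost}`);
}
```

The heuristic only looks at text nodes, so a fake address bar rendered as an `<input value="...">` or as an image would need an extra check on `value` and `alt` attributes; the structural idea (a drawn URL bar and an iframe under one container) stays the same, and a benign page that frames content without painting browser chrome produces no finding.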
Similar BitB support has been observed in another PhaaS service, Raccoon0365/Storm-2246, recently disrupted by Microsoft and Cloudflare following the theft of numerous Microsoft 365 credentials.