VYPR advisory · Published Jun 9, 2026 · 1 source

Sophisticated 'Browser-in-the-Browser' Attack Steals Microsoft 365 Logins

A new phishing technique uses a convincing fake login popup embedded within a malicious webpage to steal Microsoft 365 credentials and OAuth tokens.

A novel and highly deceptive phishing campaign is targeting Microsoft 365 users by employing a sophisticated 'Browser-in-the-Browser' (BitB) technique. This attack crafts a fake login popup that is nearly indistinguishable from legitimate Microsoft OAuth login screens, making it a significant threat even to security-aware individuals.

The core of the attack involves embedding a malicious, interactive popup window directly within a compromised webpage. This popup meticulously mimics the appearance of the official Microsoft OAuth login interface, complete with a spoofed address bar displaying a seemingly valid URL and a familiar padlock icon. When users are prompted to 'Sign in with Microsoft' on a malicious site, they are presented with this fake window, leading them to believe they are interacting with a trusted authentication process.

Researchers from Unit 42 have detailed this campaign, highlighting its advanced evasion tactics. The attackers have implemented measures to block debugging attempts, fragment keywords to bypass content filters, and redirect automated bots away from the malicious pages. This multi-pronged approach ensures that standard security tools often fail to detect the fraudulent activity, allowing the phishing pages to reach their intended human targets unimpeded.

Further enhancing its deceptive capabilities, the fake popup is designed to be draggable, mimicking the behavior of a genuine operating system window. Additionally, the attackers employ OS and browser fingerprinting techniques to tailor the popup's appearance to the victim's specific device. This customization ensures that the fonts, styling, and overall user experience align perfectly with what the user expects from a legitimate Microsoft login, significantly increasing the likelihood of success.
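The spoofed address bar and draggable window described above share one weakness a defender can use: a genuine popup is a separate browser window, so its URL is never part of the page's own content, whereas an in-page fake must draw the identity provider's hostname as ordinary page text while the document's real origin (which the page cannot change) is something else. The heuristic below is an added example, not code from the advisory or from the Unit 42 research; the hostname list, the function names and the constructed sample fragments are assumptions. In a browser the fragments would come from walking the page's text nodes; here they are passed in so the check runs under Node.js.

```javascript
// Added example (not from the advisory or Unit 42): flag an in-page "address bar"
// that shows an identity-provider host while the document is served from elsewhere.

// Identity-provider hosts worth watching (assumption: extend for your own IdPs).
const IDP_HOSTS = ["login.microsoftonline.com", "login.live.com"];

// Lower-case and drop zero-width characters, which can be inserted to break naive
// string matching while leaving the rendered text looking identical.
function normaliseText(text) {
  return text.toLowerCase().replace(/[\u200b\u200c\u200d\u2060\ufeff]/g, "");
}

/**
 * documentOrigin: window.location.origin of the document actually displayed.
 * textFragments:  the page's visible text nodes in document order.
 * Returns { suspicious, findings }; each finding records the IdP host drawn on the
 * page, its offset in the joined text, and the origin the page really came from.
 */
function detectSpoofedAddressBar(documentOrigin, textFragments) {
  const pageHost = normaliseText(new URL(documentOrigin).hostname);
  // If the document really is the IdP, its own host appearing in the text is expected.
  if (IDP_HOSTS.includes(pageHost)) return { suspicious: false, findings: [] };

  // Join with no separator: the advisory notes keywords are fragmented across nodes
  // to evade filters, so per-node matching would miss "login.micro" + "softonline.com".
  const joined = normaliseText(textFragments.join(""));

  const findings = [];
  for (const idpHost of IDP_HOSTS) {
    let at = joined.indexOf(idpHost);
    while (at !== -1) {
      findings.push({ shownHost: idpHost, offset: at, realOrigin: documentOrigin });
      at = joined.indexOf(idpHost, at + idpHost.length);
    }
  }
  return { suspicious: findings.length > 0, findings };
}

// Constructed sample (not captured from a real page): fragments as an in-page fake
// window might render them, with the host split across nodes and a zero-width
// space inserted inside it.
const SAMPLE_FRAGMENTS = [
  "Sign in with Microsoft",
  "login.micro",
  "soft\u200bonline.com/common/oauth2/v2.0/authorize",
  "Email, phone, or Skype",
];

// Run the heuristic against the sample as if the page were served from a
// hypothetical document-sharing site.
function demo() {
  return detectSpoofedAddressBar("https://docs-share.example", SAMPLE_FRAGMENTS);
}

console.log(JSON.stringify(demo(), null, 2));
```

Treat a hit as a signal rather than a verdict: legitimate help text that mentions the provider's hostname will also match, so in practice the result is combined with other signals (a password field on the page, the text sitting inside a fixed-position element styled as window chrome) before blocking or alerting.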

Once a victim enters their credentials into the fake popup, the information is silently transmitted to an attacker-controlled server. In a particularly insidious move, the user is often redirected to the actual Microsoft login page afterward. This redirection can lead victims to believe they simply mistyped their password and encourage them to try again, unaware that their credentials have already been compromised.

The primary objective of this campaign is not just to steal passwords but to capture the OAuth consent grant. This captured token is highly valuable, as it functions similarly to a session cookie or an SSO refresh token. It grants attackers persistent access to Microsoft 365 environments, including email accounts and other connected services, even after the victim has reset their password.

This persistent access poses a severe risk to organizations, as compromised tokens can remain valid for extended periods, allowing attackers to conduct reconnaissance, exfiltrate data, or deploy further malicious payloads. The ability to bypass password resets by leveraging existing session tokens underscores the critical need for robust monitoring of active sessions and prompt revocation of suspicious tokens.

To mitigate such threats, users are advised to enable phishing-resistant authentication methods like passkeys or FIDO2 hardware keys. Password managers can also serve as a crucial defense by refusing to autofill credentials into fake popups that do not match the legitimate site origin. Furthermore, implementing conditional access policies that restrict sign-ins to managed devices adds another significant layer of security against these sophisticated attacks.
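What makes both of these mitigations phishing-resistant is origin binding: a password manager and the WebAuthn layer in the browser both decide using the origin the browser itself reports, never anything drawn inside the page, so a fake address bar is simply invisible to them. The block below is an added example, not code from any password manager, browser or Microsoft component; the function names `autofillDecision` and `rpIdAllowedForOrigin` are hypothetical, and the WebAuthn check omits the public-suffix list a real browser also consults. It runs under Node.js.

```javascript
// Added example (not from the advisory or any real password manager or browser):
// the two origin checks behind the mitigations above.

// Parse an origin string into its comparable parts; throws on anything not a URL.
function parseOrigin(origin) {
  const u = new URL(origin);
  return { scheme: u.protocol.replace(":", ""), host: u.hostname.toLowerCase(), port: u.port };
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

/**
 * 1. Password-manager autofill policy.
 * storedOrigin: the origin the credential was saved for.
 * topOrigin:    the origin of the top-level document, i.e. the page really loaded
 *               in the tab (what the browser's own address bar shows).
 * frameOrigin:  the origin of the document containing the login form; equals
 *               topOrigin unless the form sits inside an iframe.
 * A fake popup drawn in the page cannot influence any of these values.
 */
function autofillDecision({ storedOrigin, topOrigin, frameOrigin }) {
  const stored = parseOrigin(storedOrigin);
  const top = parseOrigin(topOrigin);
  const frame = parseOrigin(frameOrigin ?? topOrigin);

  if (top.scheme !== "https") {
    return { fill: false, reason: "page is not served over https" };
  }
  if (!sameOrigin(top, stored)) {
    return { fill: false, reason: `top-level origin ${topOrigin} does not match ${storedOrigin}` };
  }
  if (!sameOrigin(frame, stored)) {
    return { fill: false, reason: `login form is in a cross-origin frame ${frameOrigin}` };
  }
  return { fill: true, reason: "origin matches stored credential" };
}

/**
 * 2. WebAuthn relying-party ID check, as the browser applies it before creating or
 *    using a passkey: the RP ID must equal the origin's host or be a registrable
 *    suffix of it, and the origin must be secure. A browser additionally rejects RP
 *    IDs that are public suffixes (e.g. "co.uk"); that list is omitted here
 *    (assumption: callers supply sane RP IDs).
 */
function rpIdAllowedForOrigin(rpId, origin) {
  const { scheme, host } = parseOrigin(origin);
  if (scheme !== "https") return false;
  const id = rpId.toLowerCase();
  return host === id || host.endsWith("." + id);
}

// Constructed scenario: a credential saved for the real Microsoft sign-in origin,
// and a page at a hypothetical attacker-controlled host showing a fake popup.
function demo() {
  return {
    fakePopup: autofillDecision({
      storedOrigin: "https://login.microsoftonline.com",
      topOrigin: "https://docs-share.example",
    }),
    realPage: autofillDecision({
      storedOrigin: "https://login.microsoftonline.com",
      topOrigin: "https://login.microsoftonline.com",
    }),
    passkeyOnFakePage: rpIdAllowedForOrigin("microsoftonline.com", "https://docs-share.example"),
    passkeyOnRealPage: rpIdAllowedForOrigin("microsoftonline.com", "https://login.microsoftonline.com"),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The same property explains why the password-reset step in the advisory does not help once a consent grant has been captured: the origin check protects the act of authenticating, so it has to be in place before the credential or token leaves the browser.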

Synthesized by Vypr AI