Phishing-as-a-Service 'Sneaky 2FA' Kit Enables Browser-in-the-Browser Credential Theft
Threat actors are using a Phishing-as-a-Service (PhaaS) kit called Sneaky 2FA to mount Browser-in-the-Browser (BitB) phishing attacks. The kit renders a fake browser pop-up window inside the phishing page that closely mimics a legitimate sign-in prompt, including a forged address bar showing an authentic-looking URL. The technique is designed to deceive users into entering their credentials, which are then exfiltrated to the attacker. Security researchers have observed these attacks targeting Microsoft account credentials, and the kit's obfuscated code and anti-analysis features make detection and mitigation more challenging.
The Sneaky 2FA kit is sold on criminal marketplaces, enabling even less-skilled threat actors to launch sophisticated phishing campaigns at scale. Attackers often add evasion steps such as bot-protection checks (e.g., Cloudflare Turnstile) and CAPTCHAs to filter out automated security tools and sandboxes before the fake login window is shown to real users. Experts recommend password managers as a key defense: a BitB "window" is only an HTML element drawn inside the phishing page, so the manager matches saved credentials against the phishing site's real origin rather than the URL painted in the forged address bar, and will not offer to autofill them. Users can apply the same logic by hand: a genuine pop-up can be dragged outside the parent browser window, while a BitB overlay cannot leave the page that renders it.
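The following is an added example and is not code from the page, from Push Security, or from the Sneaky 2FA kit. It shows the two checks the text relies on, run over constructed HTML: a BitB overlay is an ordinary DOM element, so its "address bar" is just visible text that claims a login host while the document is served from somewhere else, and a password manager matches vault entries on that real origin, never on painted text. The hostnames `docs-preview.example` and the vault entry are assumptions; the list of Microsoft login hosts is a small illustrative set, not the kit's targets.

```javascript
"use strict";
// Added example (not from the page or the Sneaky 2FA kit): heuristic
// Browser-in-the-Browser (BitB) detection over fetched HTML, plus the
// origin-matching rule a password manager applies before autofilling.
// All sample HTML, URLs and vault data below are constructed for the demo.

// Illustrative set of sign-in hosts that a forged address bar might show.
const LOGIN_HOSTS = new Set([
  "login.microsoftonline.com",
  "login.live.com",
  "login.microsoft.com",
]);

// Keep only rendered text: drop scripts, styles and tags so URLs that live
// in href/src attributes (ordinary links) are not mistaken for a forged bar.
function visibleText(html) {
  return html
    .replace(/<script[\s\S]*?<\/script>/gi, " ")
    .replace(/<style[\s\S]*?<\/style>/gi, " ")
    .replace(/<[^>]*>/g, " ");
}

// Hostnames that appear as visible text in URL form (what a BitB bar paints).
function hostsShownAsText(html) {
  const hosts = new Set();
  const re = /https?:\/\/([a-z0-9.-]+\.[a-z]{2,})/gi;
  for (const m of visibleText(html).matchAll(re)) hosts.add(m[1].toLowerCase());
  return hosts;
}

// A credential prompt: a password field, or an iframe that looks like a login.
function hasCredentialPrompt(html) {
  return /<input[^>]*type=["']?password/i.test(html) ||
         /<iframe[^>]*src=["'][^"']*(login|signin|auth)/i.test(html);
}

// Flag when the page shows a login host as text, is not served from that
// host, and also asks for a password: the BitB signature.
function detectBitB(html, pageUrl) {
  const realHost = new URL(pageUrl).hostname.toLowerCase();
  const forgedHosts = [...hostsShownAsText(html)]
    .filter((h) => LOGIN_HOSTS.has(h) && h !== realHost);
  return {
    realHost,
    forgedHosts,
    suspicious: forgedHosts.length > 0 && hasCredentialPrompt(html),
  };
}

// Password-manager rule: match vault entries on the document's real origin.
// Exact hostname equality here; real managers also use registrable-domain
// rules, but none of them read text rendered inside the page.
function autofillCandidates(vault, pageUrl) {
  const realHost = new URL(pageUrl).hostname.toLowerCase();
  return vault.filter((e) => new URL(e.origin).hostname.toLowerCase() === realHost);
}

// Constructed sample 1: BitB overlay served from an unrelated (assumed) host.
const SAMPLE_BITB_URL = "https://docs-preview.example/view";
const SAMPLE_BITB_HTML = `
<html><body>
<div class="doc-preview">Loading document...</div>
<div class="fake-window" style="position:absolute;top:120px;left:300px;width:480px">
  <div class="titlebar">Sign in to your account - Microsoft Edge</div>
  <div class="addressbar">https://login.microsoftonline.com/common/oauth2/authorize</div>
  <form method="post" action="/submit">
    <input type="email" name="loginfmt">
    <input type="password" name="passwd">
    <button>Sign in</button>
  </form>
</div>
</body></html>`;

// Constructed sample 2: a genuine login page on its own origin.
const SAMPLE_REAL_LOGIN_URL = "https://login.microsoftonline.com/common/oauth2/authorize";
const SAMPLE_REAL_LOGIN_HTML = `
<html><body>
<form method="post" action="/common/login">
  <input type="email" name="loginfmt">
  <input type="password" name="passwd">
</form>
</body></html>`;

// Constructed sample 3: a third-party page that merely links to the login host.
const SAMPLE_LINK_URL = "https://docs-preview.example/help";
const SAMPLE_LINK_HTML = `<p><a href="https://login.microsoftonline.com/">Sign in with Microsoft</a></p>`;

const VAULT = [{ origin: "https://login.microsoftonline.com", user: "alice@example.com" }];

console.log(detectBitB(SAMPLE_BITB_HTML, SAMPLE_BITB_URL));
console.log(detectBitB(SAMPLE_REAL_LOGIN_HTML, SAMPLE_REAL_LOGIN_URL));
console.log(detectBitB(SAMPLE_LINK_HTML, SAMPLE_LINK_URL));
console.log(autofillCandidates(VAULT, SAMPLE_BITB_URL).length, autofillCandidates(VAULT, SAMPLE_REAL_LOGIN_URL).length);
```

The text-only scan is the key design choice: a normal page can legitimately carry `login.microsoftonline.com` in an `href`, but only a forged address bar paints it as body text next to a password field on a different origin. The same heuristic does not catch a kit that draws the URL as an image, so treat it as one signal alongside the real-origin check that password managers already perform.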
Timeline
Nov 18, 2025
Multiple outlets publicize Sneaky 2FA's new BitB capability
News outlets including The Hacker News, Malwarebytes, SC Media, BleepingComputer, and CSO Online published reports highlighting the updated Sneaky 2FA kit's use of Browser-in-the-Browser phishing to create convincing fake sign-in windows. The coverage emphasized the growing sophistication and accessibility of phishing-as-a-service tooling.
Nov 18, 2025
Push Security details Sneaky 2FA's delivery and evasion tactics
Researchers reported that the attack chain could be triggered from the 'previewdoc[.]us' website, which redirected victims to a subdomain hosting a fake Microsoft login page. They also noted conditional loading, anti-analysis measures, obfuscation, and 'burn-and-replace' URLs designed to improve targeting and evade detection.
Nov 18, 2025
Researchers observe updated Sneaky 2FA kit using Browser-in-the-Browser
Security researchers identified a new version of the Sneaky 2FA phishing-as-a-service kit that added Browser-in-the-Browser functionality to mimic legitimate browser login pop-ups and conceal the real phishing URL. The updated kit was observed targeting Microsoft account credentials and MFA codes with fake sign-in windows.
Related Stories

Sophisticated Phishing Campaigns Leveraging Advanced Kits and Evasion Techniques
Cybercriminals are increasingly utilizing advanced Phishing-as-a-Service (PhaaS) kits to conduct large-scale, targeted phishing campaigns that impersonate trusted brands and institutions. These kits, which have doubled in number over the past year, enable even less-skilled attackers to deploy sophisticated attacks at scale by incorporating features such as URL obfuscation, MFA bypass, CAPTCHA abuse, and the use of malicious QR codes and attachments. Threat analysts have observed a surge in new PhaaS entrants, including Cephas, Whisper 2FA, and GhostFrame, alongside established kits like Tycoon 2FA and Mamba 2FA. Attackers are also leveraging AI, social engineering, and polymorphic techniques to evade detection, making it increasingly difficult for organizations to defend against these threats with static security controls alone. Technical analysis reveals that phishing infrastructure is evolving to include fake verification pages, such as counterfeit Cloudflare Turnstile challenges, which act as intelligent traffic filtering gates. These pages use browser fingerprinting, geolocation, and proxy detection to selectively deliver malicious payloads to high-confidence victims while evading security researchers and automated defenses. The fake verification pages closely mimic legitimate branding and user experience, including fabricated Ray IDs and links to real policy documents, to build trust and bypass scrutiny. Security experts recommend adopting layered defenses, including phishing-resistant MFA, continuous monitoring, and integrated email security, to counter these increasingly sophisticated phishing operations.
1 month ago
Multi-Stage Phishing Campaigns Bypassing MFA to Steal Microsoft 365 Credentials
A wave of sophisticated phishing campaigns is targeting organizations globally to steal Microsoft 365 credentials by bypassing traditional email security gateways and multi-factor authentication (MFA) protections. Attackers are employing advanced techniques such as multi-stage payload delivery using nested PDF attachments, legitimate content delivery networks, and mouse tracking to evade detection. Once victims interact with these emails and enter their credentials on a credential harvesting site, attackers leverage legitimate Microsoft infrastructure to bypass MFA and gain immediate access to the victim’s Microsoft 365 environment. These campaigns are engineered to filter out security analysts and block standard security tools, making detection and response more challenging. In parallel, threat actors are increasingly using attacker-in-the-middle toolkits like Evilginx and hybrid phishing-as-a-service kits such as Salty2FA and Tycoon2FA to capture both user credentials and session cookies. By stealing session cookies, attackers can impersonate users and maintain access without triggering additional MFA prompts, even after successful authentication. The blending of different phishing kits into hybrid strains is making detection harder, as traditional security rules tuned to individual kits are now being evaded. Security researchers warn that static indicators are no longer sufficient, and behavioral analysis is required to spot these evolving threats.
1 month ago
Browser-in-the-Browser Phishing Campaigns Targeting Facebook Credentials
Threat actors have increasingly used the **browser-in-the-browser (BitB)** technique to steal **Facebook** credentials, leveraging fake in-browser pop-up login windows that closely mimic legitimate authentication flows. Trellix reported that recent campaigns commonly start with phishing emails impersonating law firms issuing copyright infringement warnings, threats of imminent account suspension, or *Meta* security alerts about suspicious logins; these lures often include shortened links and fake Meta CAPTCHA pages to add legitimacy before presenting the counterfeit login prompt.
1 month ago