Sneaky 2FA Kit Evolves Again
Sneaky 2FA continues to grow more advanced, according to a recent report. The Phishing-as-a-Service (PhaaS) kit now includes Browser-in-the-Browser (BitB) features, so attackers with limited skills can launch convincing phishing attacks at scale. Researchers say this trend shows how quickly phishing tools are evolving.
How BitB Tricks Victims with Fake Pop-ups
BitB first appeared in 2022. It used simple HTML and CSS to build fake browser windows. However, the technique has now become more widespread. Attackers use BitB to create login pop-ups that look legitimate, even though they point to malicious servers.
The new phishing pages mimic Microsoft login forms. They show trusted URLs inside fake pop-ups, so victims think they are entering their credentials on a real site. In reality, the kit quietly steals login information and session data.
Attack Flow Using Bot Checks and Conditional Loading
Researchers observed an attack that begins with a suspicious website. It requires the victim to pass a bot-protection test. Only then does it show a “Sign in with Microsoft” button to view a supposed document. Once users click, the BitB window appears and captures their login.
Attackers also use conditional loading to avoid detection. For example, they block security tools and redirect unwanted visitors to safe pages. This method ensures that only selected targets see the phishing content.
Evasion Tactics That Hide Phishing Activity
A separate report noted that Sneaky 2FA uses obfuscation to hide its pages. It also disables browser inspection tools to prevent analysis. Furthermore, attackers rotate their phishing domains frequently. This rotation reduces the chances of early detection.
Experts warn that professionalized PhaaS services keep improving. Therefore, identity-based attacks will likely continue rising. Attackers remain motivated to upgrade their kits and exploit weaknesses in login systems.
Passkey Manipulation Through Malicious Extensions
Researchers also revealed a new attack on passkey authentication. A rogue browser extension can intercept WebAuthn processes. It can then create an attacker-controlled key pair during registration. Consequently, the attacker can later sign login challenges without the victim’s device.
The malicious extension stores one private key locally and sends another to the attacker. Therefore, attackers can access enterprise accounts from any device. They also intercept login requests and sign them with the stolen key.
Downgrade Attacks Against Strong Authentication
Attackers can also trick users into choosing weaker login options. For example, an adversary-in-the-middle phishing kit may show a fallback method instead of a passkey. This downgrade attack reduces security. Therefore, even strong authentication systems remain vulnerable.
How to Prevent These Attacks
Users should stay alert when opening links, pop-ups, or installing browser extensions. Organizations should also apply conditional access rules to block risky login attempts. Additionally, security monitoring services can filter phishing pages, detect suspicious scripts, and stop malicious browser extensions before they spread.
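As a monitoring counterpart to the downgrade attacks and conditional access rules described above, the following added example (not from the report or any vendor's product) flags successful sign-ins where a user who has already used a passkey completes a login with a weaker method. The `SignIn` fields, the method names, and the sample log are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Method names are constructed for this example; map them to your IdP's values.
PHISHING_RESISTANT = {"passkey", "fido2_key"}


@dataclass(frozen=True)
class SignIn:
    user: str
    method: str      # method that completed the sign-in
    device_id: str
    success: bool


def find_downgrades(events):
    """Flag successful sign-ins that used a weaker method after the same
    user had already signed in with a phishing-resistant one.

    events must be in chronological order. Severity is "high" when the
    device was never seen on an earlier successful sign-in for that user.
    """
    enrolled = set()   # users seen completing a phishing-resistant sign-in
    devices = {}       # user -> device ids seen on successful sign-ins
    findings = []
    for ev in events:
        if not ev.success:
            continue   # failed attempts are out of scope for this check
        seen = devices.setdefault(ev.user, set())
        if ev.method in PHISHING_RESISTANT:
            enrolled.add(ev.user)
        elif ev.user in enrolled:
            severity = "medium" if ev.device_id in seen else "high"
            findings.append((ev.user, ev.method, ev.device_id, severity))
        seen.add(ev.device_id)
    return findings


# Constructed sample log, not taken from any real tenant.
SAMPLE_EVENTS = [
    SignIn("alice", "passkey", "laptop-1", True),
    SignIn("bob", "password_sms", "phone-2", True),        # never used a passkey
    SignIn("alice", "password_sms", "unknown-77", True),   # downgrade, new device
    SignIn("carol", "passkey", "pc-3", True),
    SignIn("carol", "totp", "pc-3", True),                 # downgrade, known device
    SignIn("alice", "password_sms", "unknown-88", False),  # failed, ignored
]

if __name__ == "__main__":
    for finding in find_downgrades(SAMPLE_EVENTS):
        print(finding)
```

A "high" finding is a candidate for blocking or step-up in a conditional access policy; a "medium" finding is better suited to review, since users sometimes fall back legitimately on a known device.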