Unit 42 Uncovers Browser-in-the-Browser Phishing Targeting Microsoft 365 Credentials
Updated · Help Net Security · Jun 10
Summary
Palo Alto Networks Unit 42 identified a new Browser-in-the-Browser phishing campaign that tricks Microsoft 365 users with fake sign-in popups embedded inside webpages.
Fake Microsoft login windows mimic real OAuth prompts, including a spoofed address bar, draggable browser frame, and controls such as back, refresh, minimize, and close.
The campaign also tailors the popup to the victim’s OS and browser—Windows, macOS or Linux, and Chrome, Firefox, Edge or Safari—to make the prompt look native.
Unit 42 said the attackers further hinder detection by overriding the browser's console functions, splitting visible text across elements so simple keyword checks miss it, redirecting bots and scanners to a real Microsoft Office help page, and loading the credential-theft page inside a sandboxed iframe.
Microsoft 365 remains a prime phishing target; last month the FBI warned that the Kali365 phishing-as-a-service platform was stealing Microsoft 365 access tokens and bypassing MFA through device code phishing.
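The three client-side tricks listed above (split text, a spoofed address bar, an overridden console) each leave something a page-side detector or browser extension can check for. The block below is an added example, not code from Unit 42, Help Net Security, or the phishing kit itself; it simulates the popup's DOM text with plain arrays and strings so it runs in Node, and the function names, keyword list, login-host list and sample origin are all assumptions.

```javascript
// Added example, not from the original article or from Unit 42.
// Heuristics against the BitB evasions described above, with the DOM
// simulated as arrays/strings so the code runs offline in Node.

const ZERO_WIDTH = /[\u200B\u200C\u200D\u2060\uFEFF]/g;

// 1. Reassemble text a kit has split across many spans and padded with
//    zero-width characters, so a naive substring check would miss it.
function reassembleText(fragments) {
  return fragments
    .join("")
    .normalize("NFKC")          // fold look-alike compatibility characters
    .replace(ZERO_WIDTH, "")    // drop invisible padding
    .replace(/\s+/g, " ")
    .trim();
}

function mentionsMicrosoftSignIn(fragments) {
  const text = reassembleText(fragments).toLowerCase();
  return text.includes("microsoft") && /sign in|log in/.test(text);
}

// 2. A spoofed address bar is ordinary page content that renders a Microsoft
//    login URL while the document is really served from somewhere else.
//    The real browser chrome is never part of the DOM, so any "URL bar" found
//    in page content whose host differs from location.origin is suspect.
const MS_LOGIN_HOSTS = new Set(["login.microsoftonline.com", "login.live.com"]);

function spoofedAddressBar(renderedText, realOrigin) {
  let shown;
  try { shown = new URL(renderedText.trim()); } catch { return false; }
  if (!MS_LOGIN_HOSTS.has(shown.hostname)) return false;
  return new URL(realOrigin).hostname !== shown.hostname;
}

// 3. Overridden console functions: a native (or bound) method stringifies to
//    "[native code]"; a kit's replacement is ordinary script source.
function consoleTampered(consoleLike, methods = ["log", "warn", "error", "debug"]) {
  return methods.filter((m) => {
    const fn = consoleLike[m];
    if (typeof fn !== "function") return true;
    return !Function.prototype.toString.call(fn).includes("[native code]");
  });
}

// Constructed sample input standing in for a BitB popup's DOM text nodes.
const SAMPLE_FRAGMENTS = ["Sig", "n\u200B ", "in ", "to ", "Micro", "\u200Bsoft"];
const SAMPLE_BAR = " https://login.microsoftonline.com/common/oauth2/v2.0/authorize ";
const SAMPLE_ORIGIN = "https://example.invalid"; // assumed real origin of the phishing page

function analyzeSample() {
  // warn is left native; the other three are replaced, as a kit might do.
  const tamperedConsole = { log() {}, warn: Math.max, error() {}, debug() {} };
  return {
    text: reassembleText(SAMPLE_FRAGMENTS),
    msSignIn: mentionsMicrosoftSignIn(SAMPLE_FRAGMENTS),
    spoofedBar: spoofedAddressBar(SAMPLE_BAR, SAMPLE_ORIGIN),
    tampered: consoleTampered(tamperedConsole),
  };
}

console.log(analyzeSample());
```

In a real extension the fragments would come from walking the text nodes of the popup element and `realOrigin` from `location.origin`; the console check should run before any page script, since a kit that has already replaced `console.log` can also replace `Function.prototype.toString`. For a user, the simplest manual check still holds: a BitB window is page content, so it cannot be dragged outside the real browser window.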
How are AI-powered phishing kits making sophisticated cyberattacks accessible to almost anyone?
With phishing pop-ups perfectly mimicking real ones, is user awareness training now obsolete?
When attacks can bypass MFA by stealing tokens, what is the true future of secure digital identity?
2026 BitB Phishing Attacks: How Sophisticated OAuth Token Theft Threatens Microsoft 365 Security
Overview
In June 2026, Palo Alto Networks' Unit 42 uncovered a Browser-in-the-Browser (BitB) phishing campaign targeting Microsoft 365 users. The attack renders a fake login popup inside the page that closely mimics a real Microsoft 365 authentication window: a spoofed address bar showing a Microsoft OAuth authorization URL, the familiar sign-in panel, and a convincing fake browser frame complete with a padlock icon. Because every part of the "window" is page content, the prompt is hard to distinguish from a genuine popup, marking a clear step up in phishing tradecraft and posing significant risk to organizations that rely on Microsoft 365.