Sneaky 2FA Toolkit Upgraded: Uses ‘Browser-in-the-Browser’ to Steal Credentials
Experts in cybersecurity report the emergence of a new automated credential-theft toolkit whose sophistication continues to evolve. In mass-scale schemes, threat actors are increasingly adopting inventive techniques, and one such toolkit — Sneaky 2FA — has received an upgrade enabling it to tamper with browser elements and disguise malicious pages as genuine authentication windows. This refinement makes fraudulent prompts significantly harder to detect and allows attackers to harvest credentials with virtually no technical expertise.
According to Push Security, Sneaky 2FA now employs the Browser-in-the-Browser technique. This method fabricates a pop-up login window that visually mirrors a browser’s native authentication prompt. The illusion is constructed using HTML and CSS components that create a counterfeit window, inside which an iframe loads attacker-controlled content. A convincing fake address bar is rendered at the top, leading victims to believe they are entering their credentials on an authentic Microsoft page.
Push Security notes that one observed attack flow begins with a redirection to a suspicious domain, previewdoc.us, where the user is shown a Cloudflare Turnstile check. After passing the check, the victim encounters a page inviting them to open a PDF via their Microsoft account. Clicking the button triggers a pop-up styled as Microsoft’s sign-in form — but the interface is entirely fraudulent, and every keystroke is delivered directly to the attacker, who subsequently gains access to the victim’s account.
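The fake window described above is ordinary page content rather than browser chrome, so a defender inspecting a captured phishing page can look for its signature: a URL rendered as visible text (the counterfeit address bar) beside an iframe whose real origin is somewhere else. The following Python check is an added example, not code from Push Security, Sekoia, or the kit itself; the sample HTML, the `phish.example` host, and the `bitb_indicators` function name are constructed for illustration.

```python
# Added example (not Push Security's or the Sneaky 2FA kit's code): a heuristic
# check for Browser-in-the-Browser (BitB) overlays in captured page HTML.
# A BitB "window" is ordinary DOM content: a box with a fake address bar whose
# displayed URL does not match the origin the embedded iframe actually loads from.
# The sample HTML and the phish.example host below are constructed placeholders.
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")


class _PageCollector(HTMLParser):
    """Collects iframe sources and URL-looking visible text (candidate fake address bars)."""

    def __init__(self):
        super().__init__()
        self.iframe_srcs = []
        self.displayed_urls = []
        self._in_nonvisible = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe" and a.get("src"):
            self.iframe_srcs.append(a["src"])
        if tag in ("script", "style"):
            self._in_nonvisible = True

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._in_nonvisible = False

    def handle_data(self, data):
        # Only visible text counts: a URL drawn as text is what a fake address bar is.
        if not self._in_nonvisible:
            self.displayed_urls.extend(URL_RE.findall(data))


def bitb_indicators(page_html, page_url):
    """Return a list of findings describing BitB-style mismatches in the page.

    A real popup's URL lives in the browser chrome, not in the document. A URL
    rendered as page text whose host matches neither the page nor any iframe's
    real origin is the mismatch this check reports.
    """
    collector = _PageCollector()
    collector.feed(page_html)
    if not collector.iframe_srcs:
        return []  # no embedded frame, so no BitB-style login box to assess
    page_host = urlparse(page_url).hostname
    # Resolve relative iframe sources against the page URL to get their real hosts.
    iframe_hosts = {
        urlparse(urljoin(page_url, src)).hostname for src in collector.iframe_srcs
    }
    findings = []
    for shown in collector.displayed_urls:
        shown_host = urlparse(shown).hostname
        if shown_host and shown_host != page_host and shown_host not in iframe_hosts:
            findings.append(
                f"address-bar text claims {shown_host} but frames load from "
                f"{sorted(h for h in iframe_hosts if h)} on page host {page_host}"
            )
    return findings


# Constructed sample: a fake window whose title bar shows a Microsoft login URL,
# while the sign-in form itself is an iframe served from the phishing site.
SAMPLE_BITB_HTML = """
<div class="win" style="position:fixed;top:120px;left:300px">
  <div class="bar"><span>https://login.microsoftonline.com/common/oauth2/v2.0/authorize</span></div>
  <iframe src="/m/signin.html" width="480" height="560"></iframe>
</div>
"""
SAMPLE_PAGE_URL = "https://phish.example/view"  # placeholder host, not a real indicator

if __name__ == "__main__":
    for finding in bitb_indicators(SAMPLE_BITB_HTML, SAMPLE_PAGE_URL):
        print("BitB indicator:", finding)
```

The check is deliberately narrow: it only fires when a page both embeds a frame and paints a URL as text that belongs to neither the page nor the frame, which is the combination a BitB overlay needs and a legitimate page rarely produces. It does not see the kit's obfuscated scripts or its conditional loading, so it is best run on HTML captured from a session that the kit actually served the lure to.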
To hinder analysis, the operators use defensive techniques that actively block inspection attempts. Sneaky 2FA obfuscates its scripts, disables browser developer tools, and rapidly rotates domains, reducing the chance of detection. It also applies conditional-loading restrictions: malicious pages are displayed only to specific targets, while all other visitors are redirected to harmless sites. These measures help conceal the infrastructure and prevent security systems from capturing the true malicious content.
Researchers at Sekoia previously observed that the authors of Sneaky 2FA are aggressively expanding and adapting the service to changing conditions. This aligns with a broader trend: phishing kits are evolving into fully fledged professional platforms, and data-theft schemes increasingly rely on content substitution and visual mimicry. Push Security stresses that identity-focused attacks remain the most prevalent vector of compromise — and the growing sophistication of these tools only heightens the risks faced by users of corporate systems.