Browser-in-the-Browser (BitB): Fake Login Popups Stealing Real Credentials
- MAY 4TH, 2026
- 2min read
In Browser-in-the-Browser (BitB) phishing, threat actors render a fake browser pop-up window inside a webpage they control, to trick users into entering credentials into what appears to be a legitimate Microsoft 365, Google, or enterprise SSO login prompt. The fake window is ordinary page content built with HTML, CSS, and JavaScript, and it can closely mimic a real browser pop-up, complete with an address bar, padlock icon, and trusted branding.
This technique is dangerous because users are trained to trust familiar login prompts and visible URLs. Instead of redirecting the victim to a separate phishing site, whose real address would show in the browser's own address bar, the attacker keeps the user on the malicious page and draws a highly convincing fake sign-in window, fake address bar included, on top of it.
How it works
The attacker lures the victim to a phishing page through email, ads, shared links, or compromised websites. When the user clicks “Sign in with Microsoft” or a similar button, a fake browser-style pop-up appears that looks like a real login window.
The victim enters their username, password, and possibly MFA code into the fake prompt. The attacker captures the information and may use it immediately to access email, cloud storage, or other business services.
How to Protect Your Organisation
1. Use Phishing-Resistant MFA: Deploy passkeys or FIDO2 security keys. These credentials are bound to the legitimate domain they were registered for and will not authenticate on a fake phishing page, unlike passwords and one-time codes, which a user can be tricked into typing anywhere.
2. Harden Conditional Access: Require compliant devices, trusted locations, and risk-based sign-in controls to prevent token replay from attacker systems.
3. Employee Awareness: Train users to test a login pop-up before typing into it. A genuine pop-up is a separate operating-system window: it can be dragged outside the edges of the parent browser window and shows up as its own entry in the taskbar or window switcher. A BitB window is only page content and cannot leave the parent window's viewport, so if the pop-up cannot be moved outside the browser window, or appears without a real browser window actually opening, treat it as suspicious.
4. Use Password Managers: Encourage the use of reputable, secure password managers. They match saved credentials against the domain the browser is actually on, not the address drawn inside the page, so they will not autofill on a BitB page and their silence is itself a warning sign.
5. Monitor for Suspicious Sign-ins: Alert on impossible travel, new devices, concurrent sessions, or unusual post-login activity shortly after authentication.