You click “Sign in with Google” on a website. A popup window appears — it has an address bar showing accounts.google.com, a padlock icon, the Google logo, and a familiar login form. You type your credentials and hit Enter.

You just gave your password to an attacker. That window was never real.

This is Browser-in-the-Browser (BitB) — a phishing technique that doesn’t fake a website. It fakes the browser itself.

TL;DR

  • BitB attacks render fake browser popup windows using HTML and CSS — indistinguishable from real ones by eye
  • They target SSO flows (“Sign in with Google/Microsoft”) where users expect a popup
  • Real-world use confirmed: Steam accounts, Facebook logins, Microsoft 365 credentials (2025–2026)
  • PhaaS kits like Sneaky2FA now include BitB as a built-in feature
  • Defense: password managers, hardware security keys, browser-level controls

Why This Matters

Phishing has always relied on one thing: making something fake look real. For years, attackers faked websites — copy-paste the login page, change the domain, hope the victim doesn’t check the URL.

Browsers fought back. Password managers refuse to autofill on wrong domains. Users were taught to check the address bar. Certificate warnings became harder to dismiss.

BitB sidesteps all of that. Instead of faking a website, it fakes the popup window that appears when you click “Sign in with Google” or “Sign in with Microsoft.” The address bar in the fake window can show anything — accounts.google.com, login.microsoftonline.com, whatever the attacker wants. It looks pixel-perfect because it’s drawn with the same CSS your browser uses every day.

Anyone with a Microsoft, Google, or Steam account is a potential target.


How Browser-in-the-Browser Works

The Legitimate SSO Flow

When a website offers “Sign in with Google,” here’s what normally happens:

  1. You click the button
  2. Your browser opens a real popup window — a separate OS-level window with its own address bar
  3. You authenticate with Google in that window
  4. Google sends a token back to the website
  5. You’re logged in

That popup is a real browser window. You can drag it, resize it, click its address bar, check the certificate. It’s completely separate from the page you came from.

The BitB Attack

An attacker builds a malicious website that — when you click “Sign in with Google” — instead shows a fake popup window made entirely of HTML and CSS.

<!-- This is NOT a real browser window — it's HTML drawn on the page -->
<div class="popup-window">
  <div class="address-bar">
    <div class="lock-icon">🔒</div>
    <div class="url">accounts.google.com</div> <!-- completely fake -->
  </div>
  <!-- the only real navigation here is to the attacker's host -->
  <iframe src="https://attacker.com/fake-google-login"></iframe>
</div>

The result looks identical to a real Google login popup. The “address bar” shows accounts.google.com. There’s a padlock. The Google logo is there. The form fields work. Everything looks right.

When you enter your credentials, they go to the attacker’s server — not Google.

Why It’s So Convincing

Three reasons BitB fools people:

1. The context is correct. You clicked “Sign in with Google” — of course a Google popup appeared. The expectation was set before you even saw the fake window.

2. The URL looks right. The address bar in the fake popup can show any string the attacker wants. accounts.google.com, login.microsoftonline.com, even a padlock icon — it’s all just text in a div.

3. It behaves like a real popup. Good BitB implementations make the fake window draggable around the screen. You can “move” it, just like a real OS window. This kills one of the few instinctive checks users make.


Technical Details: What Makes It Work

The original BitB technique was documented by security researcher mr.d0x in March 2022 and published with ready-to-use templates on GitHub. The toolkit renders fake popup windows that match Chrome, Firefox, and Safari styling on both Windows and macOS.

The key elements:

Component       | What it is                   | What makes it convincing
----------------|------------------------------|------------------------------------
Window chrome   | CSS-styled div               | Matches OS and browser UI exactly
Address bar     | Plain text input (disabled)  | Shows any URL the attacker sets
Padlock icon    | Unicode character or SVG     | Looks identical to HTTPS indicator
Login form      | iframe to attacker server    | Fully functional credential capture
Draggability    | JavaScript mousedown events  | Mimics real OS window behavior

The attacker has full control over every visual element. There’s no technical constraint preventing the fake address bar from showing accounts.google.com — it’s just a string.


Real-World Attacks

BitB moved from research to active exploitation quickly.

Steam Account Theft (2022–2025)

The gaming platform Steam became an early prime target. Attackers set up fake gaming tournament sites and Discord communities, then used BitB to show a convincing “Sign in with Steam” popup. CS2 (Counter-Strike 2) players were specifically targeted in campaigns documented through 2025 — lured with promises of free skins or tournament invites, then losing their Steam accounts.

Steam accounts with rare skins can be worth thousands of euros on grey markets, making them high-value targets.

Facebook Login Thieves (2026)

In early 2026, BitB attacks targeting Facebook credentials surfaced. Victims received emails claiming they’d violated copyright by posting content. The email linked to a page that showed a BitB popup mimicking Facebook’s login — designed to capture credentials for account takeover.

Sneaky2FA PhaaS Kit (November 2025)

This is where it gets serious for enterprise defenders. Sneaky2FA — a phishing-as-a-service (PhaaS) kit sold to criminal operators — added BitB capabilities in late 2025. The kit now uses BitB popups to steal Microsoft 365 credentials and active session tokens.

This means BitB is no longer just a red team technique — it’s a commodity attack available to anyone willing to pay for a PhaaS subscription. The barrier to entry dropped to near zero.


How to Spot a BitB Attack

Spotting a BitB popup in real time is genuinely difficult. Here’s what to check:

What Real Browser Popups Can Do

A real browser popup is an OS-level window. That means:

  • You can see it in your taskbar / dock as a separate application instance
  • You can drag it outside the boundaries of the browser window it came from
  • Clicking the address bar lets you type and navigate
  • Right-clicking the address bar gives you browser context menu options

What BitB Popups Cannot Do

A BitB popup is HTML drawn on a webpage. That means:

  • It cannot escape the browser window. Try dragging it past the edge of the browser — if it stops at the browser boundary, it’s fake.
  • The address bar isn’t real. Click it and try to type. If nothing happens or it’s just visual, it’s fake.
  • It disappears if you zoom the page. Press Ctrl+/- to zoom — a real popup stays the same size, a BitB window scales with the page.
  • Right-clicking shows webpage context menu. Right-click anywhere in the popup — if you see “Inspect Element” or browser page options instead of browser chrome options, it’s a div.

The Zoom Test

The most reliable quick check: press Ctrl and + or Ctrl and - to zoom the browser page. A real popup window is independent of the page, so it doesn’t scale. A BitB popup is part of the page, so it scales with everything else. This takes two seconds and definitively distinguishes real from fake.


Defense: What Actually Helps

Password Managers (High Effectiveness)

A password manager is the most reliable defense against BitB. When you use a fake popup, the credential form lives at attacker.com, not accounts.google.com. The password manager checks the actual domain — not the displayed URL in the fake address bar. It won’t autofill on the wrong domain.

This works even when a human can’t tell the difference.

Action: Use a password manager (Bitwarden, 1Password, or your browser’s built-in). Enable autofill. If autofill doesn’t trigger, treat it as a warning sign.

Hardware Security Keys (Highest Effectiveness)

FIDO2 hardware keys (YubiKey, Google Titan) are phishing-resistant by design. The key cryptographically verifies the origin domain before authenticating. A BitB popup showing accounts.google.com on attacker.com fails the origin check — authentication is refused, no matter what the attacker does.

This is the gold standard protection. Even if a user falls for the fake popup completely, the hardware key will not authenticate on the wrong domain.

Action: For high-value accounts (email, corporate SSO, financial), use a FIDO2 hardware key.

Passkeys (High Effectiveness)

Passkeys work on the same FIDO2 principle as hardware keys — they bind to the real domain and refuse to authenticate on fakes. See our passkeys guide for implementation details.

Browser Extensions

  • uBlock Origin blocks many malicious domains before the BitB popup appears
  • Anti-Phishing browser extensions (e.g., Netcraft) flag known phishing infrastructure
  • These help but aren’t foolproof — a fresh attacker domain won’t be on blocklists yet

User Training

Train users on two things:

  1. The zoom test — press Ctrl+/- when you see a login popup. Real windows don’t scale.
  2. Verify by dragging — try to drag the popup outside the browser window boundary. Fake ones stop at the edge.

These are simple, fast, and don’t require technical knowledge.


For Defenders: Detection Signals

BitB attacks are hard to detect at the network level — the victim authenticates through a legitimate-looking flow. Focus on anomaly detection:

Entra ID / Azure AD sign-in logs

  • Sign-ins from unexpected locations or devices immediately after a credential entry
  • New device registrations following unusual sign-in patterns
  • Impossible travel alerts (sign-in from two countries within minutes)

Email gateway

  • URLs in emails leading to newly registered domains
  • Domains mimicking SSO providers (g00gle-login[.]com, microsoftonline-auth[.]net)
  • HTML attachments containing JavaScript redirect chains

Endpoint

  • Browser processes spawning credential-submission requests to unknown domains
  • Users visiting newly registered domains containing “login”, “auth”, “sso” in the path

KQL — Entra ID: New device after credential submission (Sentinel)

SigninLogs
| where TimeGenerated > ago(30d)          // long lookback so established devices are known
| where ResultType == 0                   // successful sign-ins only
| extend DeviceId = tostring(DeviceDetail.deviceId)
| where isnotempty(DeviceId)
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), SignIns = count() by UserPrincipalName, DeviceId
| where FirstSeen > ago(1h)               // device never seen for this user before the last hour
| project UserPrincipalName, DeviceId, FirstSeen, LastSeen, SignIns
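
The new-device and impossible-travel signals listed above, implemented over constructed sign-in records as an added Node.js example (not the article’s own code and not the real SigninLogs schema; field names and all records are simplified stand-ins). The new-device logic mirrors the KQL: a 30-day lookback, flag any (user, device) pair whose first successful sign-in is within the last hour.

```javascript
// Added example: two BitB follow-on detections over sample sign-in events.
const HOUR = 3600 * 1000;
const NOW = Date.parse("2026-01-15T12:00:00Z"); // constructed "now" for the sample data

// Constructed sample: alice has one established laptop; at 11:40 a never-seen device
// signs in from another country 20 minutes after her normal sign-in.
const SIGNINS = [
  { user: "alice@example.com", deviceId: "dev-laptop-1",  country: "DE", ok: true,  t: "2025-12-20T08:00:00Z" },
  { user: "alice@example.com", deviceId: "dev-laptop-1",  country: "DE", ok: true,  t: "2026-01-15T11:20:00Z" },
  { user: "alice@example.com", deviceId: "dev-unknown-9", country: "NG", ok: true,  t: "2026-01-15T11:40:00Z" },
  { user: "bob@example.com",   deviceId: "dev-phone-2",   country: "DE", ok: true,  t: "2026-01-02T09:00:00Z" },
  { user: "bob@example.com",   deviceId: "dev-phone-2",   country: "DE", ok: true,  t: "2026-01-15T11:30:00Z" },
  { user: "bob@example.com",   deviceId: "dev-phone-2",   country: "DE", ok: false, t: "2026-01-15T11:45:00Z" },
];

// "user|deviceId" keys whose first successful sign-in (within a 30-day history)
// falls inside the last hour.
function newDevices(signins, now = NOW) {
  const firstSeen = new Map();
  for (const s of signins) {
    const ts = Date.parse(s.t);
    if (!s.ok || now - ts > 30 * 24 * HOUR) continue;
    const key = `${s.user}|${s.deviceId}`;
    firstSeen.set(key, Math.min(firstSeen.get(key) ?? ts, ts));
  }
  return [...firstSeen].filter(([, ts]) => now - ts <= HOUR).map(([key]) => key);
}

// Same user, consecutive successful sign-ins from two countries within maxMinutes.
function impossibleTravel(signins, maxMinutes = 60) {
  const byUser = new Map();
  for (const s of signins) {
    if (!s.ok) continue;
    if (!byUser.has(s.user)) byUser.set(s.user, []);
    byUser.get(s.user).push(s);
  }
  const hits = [];
  for (const [user, list] of byUser) {
    list.sort((a, b) => Date.parse(a.t) - Date.parse(b.t));
    for (let i = 1; i < list.length; i++) {
      const prev = list[i - 1], cur = list[i];
      const minutes = (Date.parse(cur.t) - Date.parse(prev.t)) / 60000;
      if (prev.country !== cur.country && minutes <= maxMinutes) {
        hits.push({ user, from: prev.country, to: cur.country, minutes });
      }
    }
  }
  return hits;
}
```

In the sample, alice’s unknown device and her DE-to-NG jump trigger both rules, while bob’s failed sign-in and long-established phone trigger neither.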

The Bigger Picture

BitB is one piece of a broader trend: attackers attacking the trust signals users rely on. The address bar used to be the reliable truth — now it can be faked. The padlock used to mean “safe” — now it just means the connection is encrypted, not that the destination is legitimate.

The defenses that actually work — password managers, hardware keys, passkeys — share a common property: they don’t rely on human visual inspection. They check the real domain cryptographically.

Training users to recognize BitB is useful. But the strongest defense is removing the human judgment from the authentication equation entirely.


What You Can Do Today

If you’re an individual:

  • Enable a password manager and use autofill — if it doesn’t fill, pause
  • Use a hardware key or passkey for Google, Microsoft, and any critical accounts
  • Learn the zoom test: Ctrl+/- on any suspicious popup

If you’re defending an organization:

  • Enforce FIDO2 / phishing-resistant MFA for all users (Conditional Access in Entra ID)
  • Deploy email gateway filtering for newly registered domains
  • Add BitB to your security awareness training with live demos
  • Monitor Entra ID sign-in logs for new device registrations and impossible travel


Sources