
Introduction:
A novel “Browser-in-the-Browser” (BitB) phishing campaign has been discovered by Palo Alto Networks Unit 42, leveraging a draggable, OS-fingerprinted fake browser pop-up that mimics legitimate OAuth login windows with alarming precision. This sophisticated attack evades traditional security controls by hijacking console methods, fragmenting keywords, and redirecting bots, representing a significant evolution in credential harvesting techniques that can bypass multi-factor authentication (MFA).
Learning Objectives:
– Understand the mechanics of Browser-in-the-Browser (BitB) attacks and their evasion techniques, including console hijacking and text fragmentation.
– Learn to detect BitB phishing campaigns using manual inspection methods, browser extensions, and network-level indicators.
– Implement defensive strategies, including OAuth hardening, conditional access policies, and user training to mitigate the risk of BitB-based credential theft.
You Should Know:
1. Dissecting the Draggable Deception: How BitB Attacks Work
The BitB technique exploits the inherent trust users place in browser pop-up windows. Unlike traditional phishing pages that display a fake login form directly on a webpage, BitB creates an HTML/CSS/JavaScript overlay that perfectly replicates an operating system’s native browser window, complete with a forged address bar and window controls.
What makes the Unit 42-discovered campaign particularly dangerous is its use of fingerprinting and anti-debugging to evade both user scrutiny and security analysis. The attackers’ JavaScript code detects the victim’s operating system (Windows, Mac, or Linux) via `navigator.userAgent` and `navigator.platform`, and the browser type (Chrome, Firefox, Edge, or Safari) through a dedicated function. The fake window then applies matching CSS classes, so that the rendered pop-up’s visual style, including buttons, fonts, and spacing, appears native to the victim’s actual environment.
To defeat security researchers and automated scanners, the attackers have implemented multiple evasion layers. All seven console methods (`log`, `warn`, `info`, `error`, `debug`, `table`, `trace`) are overridden to prevent analysis via browser Developer Tools. The page also uses the `Function('return (function(){}.constructor("return this")()')` pattern to obtain the global object without directly referencing `window`, bypassing static analysis tools that scan for this common variable.
Step-by-step guide to manually identify a BitB attack in progress:
1. Attempt to drag the pop-up window outside the browser tab’s viewport. A genuine browser window can be dragged anywhere on your desktop. If the pop-up cannot escape the boundaries of the browser tab, it is almost certainly a fake BitB overlay.
2. Inspect the window’s behavior when minimizing or resizing. Try to minimize the suspected fake window using its title bar button or by clicking on your actual OS taskbar. BitB overlays often have non-functional or incorrectly implemented window controls.
3. Right-click inside the pop-up window and select “Inspect” or “Inspect Element.” If the browser’s Developer Tools panel opens and highlights HTML `div` or `iframe` elements instead of the expected page structure, you have identified a malicious overlay.
4. Use your browser’s built-in password manager or a third-party extension like Bitwarden. These tools typically only auto-fill credentials on verified, legitimate domains. If auto-fill does not trigger on the pop-up, it is a strong indicator of a fraudulent page.
5. Copy the URL from the fake address bar and manually paste it into a new browser tab. A real OAuth login URL will load the legitimate service’s page. A BitB attack will either fail to load or redirect to a different, potentially benign-looking page.
6. For security professionals, use a manual detection script in the browser’s console. Copy and paste the following JavaScript code into the Developer Tools Console while the suspicious page is active. It checks for overridden console methods and attempts to detect overlays.
Detection Script (Run in Browser Console):
// BitB Detection Script
function checkConsoleHijacking() {
  const methods = ['log', 'warn', 'info', 'error', 'debug', 'table', 'trace'];
  const hijacked = [];
  methods.forEach(method => {
    // A native console method stringifies to "function log() { [native code] }";
    // an override defined by page script does not. Function.prototype.toString is
    // used directly in case the override also replaced its own toString.
    if (typeof console[method] !== 'function' ||
        !Function.prototype.toString.call(console[method]).includes('[native code]')) {
      hijacked.push(method);
    }
  });
  if (hijacked.length > 0) {
    console.warn(`Possible BitB: Overridden console methods detected: ${hijacked.join(', ')}`);
  } else {
    console.log("Console methods appear normal.");
  }
  // Returned as well, so the result is readable even if console output is suppressed.
  return hijacked;
}
function detectFakeOverlay() {
  // An attribute selector such as div[style="position: fixed"] only matches that exact
  // style string, so inspect the computed style of every div and iframe instead.
  const candidates = document.querySelectorAll('div, iframe');
  const suspicious = [];
  candidates.forEach(el => {
    const style = window.getComputedStyle(el);
    const zIndex = parseInt(style.zIndex, 10); // "auto" becomes NaN and fails the test below
    const positioned = style.position === 'fixed' || style.position === 'absolute';
    const loginLike = (el.innerText || '').includes('Sign in') ||
                      el.querySelector('iframe, input[type="password"]') !== null;
    if (positioned && zIndex > 999 && loginLike) {
      suspicious.push(el);
      console.warn("Suspicious high-z-index overlay with login form detected!", el);
    }
  });
  return suspicious;
}
checkConsoleHijacking();
detectFakeOverlay();
2. Text Fragmentation and Obfuscation: Bypassing Content Filters
To evade signature-based detection systems that scan for specific text strings, the attackers employ a technique called text fragmentation. Visible keywords like “Adobe Acrobat Reader” or “Sign in required” are split with empty inline elements bearing random class names, so a scanner extracting the text sees something like “Ado be Acr obat Rea der Si gn in req uired”. This defeats simple string matching without affecting human readability, as the rendered spacing remains normal.
Additionally, the campaign uses a bot/scanner redirection mechanism. If the server detects what it believes to be an automated scanner or security crawler, the victim is redirected via `href.li` (a link anonymizer) to a legitimate Microsoft help page. This makes the URL appear benign during automated analysis, causing the scanner to classify the page as safe. The actual credential harvester is loaded in a sandboxed iframe, separating the BitB shell from the malicious payload to further complicate detection and analysis.
Step-by-step guide to analyzing a suspected BitB page using browser DevTools and network monitoring:
1. Open the page in a dedicated, isolated environment (e.g., a virtual machine or a fresh browser profile) to prevent any potential compromise of your main system.
2. Open the browser’s Developer Tools (F12) before the page fully loads. Navigate to the “Network” tab and ensure recording is enabled. Reload the page to capture all network requests.
3. Look for the creation of an iframe with the `sandbox` attribute. In the “Elements” panel, search for `
Linux/macOS Terminal Command for Static Analysis:
# Download the suspicious page's source code (replace with actual URL)
curl -s "https://example-suspicious-site.com/phishing-page.html" -o page.html
# Search for the fragmented "Adobe" keyword: allow empty tags or whitespace between the letters
grep -oiE "A(<[^>]*>|[[:space:]])*d(<[^>]*>|[[:space:]])*o(<[^>]*>|[[:space:]])*b(<[^>]*>|[[:space:]])*e" page.html
# Search for common BitB function names (obfuscator-style identifiers: _0x followed by six hex digits)
grep -oE "_0x[0-9a-f]{6}\(\)" page.html
# Extract inline script bodies for further analysis (single-line <script> blocks; use an HTML parser for multi-line ones)
grep -oE "<script[^>]*>.*</script>" page.html | sed -E 's#<script[^>]*>##g; s#</script>##g' > extracted_scripts.js
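The grep above only finds one fragmented word at a time. As an added example (not the post's own script and not code from the Unit 42 report), the following Python sees through the fragmentation generally: it compares the text a user would see with the raw markup, and a keyword present in the rendered text but absent from the raw markup means the evasion is in use, which is itself a detection signal. The HTML sample is constructed.

```python
import re
from html.parser import HTMLParser

# Constructed sample markup: the visible keywords are split across empty inline
# elements with random class names, as the campaign described above does.
FRAGMENTED_HTML = (
    '<div class="t">Ado<span class="q7x"></span>be Acr<span class="m2k"></span>obat '
    'Rea<b class="zz1"></b>der</div>'
    '<p>Si<span class="a1"></span>gn in req<i class="r9"></i>uired</p>'
)
KEYWORDS = ["Adobe Acrobat Reader", "Sign in required"]

# Elements that start a new line when rendered; their boundaries become a space
# so that text from neighbouring blocks is not glued together.
BLOCK_TAGS = {"div", "p", "br", "li", "h1", "h2", "h3", "td", "tr", "section", "article"}


class RenderedTextCollector(HTMLParser):
    """Collect the text a user would see; tags themselves contribute nothing."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def handle_starttag(self, tag, attrs):
        if tag in BLOCK_TAGS:
            self.parts.append(" ")

    def handle_endtag(self, tag):
        if tag in BLOCK_TAGS:
            self.parts.append(" ")

    def handle_data(self, data):
        self.parts.append(data)


def visible_text(html):
    """Return the rendered text with whitespace collapsed to single spaces."""
    collector = RenderedTextCollector()
    collector.feed(html)
    collector.close()
    return re.sub(r"\s+", " ", "".join(collector.parts)).strip()


def find_fragmented_keywords(html, keywords):
    """Keywords visible to the user but absent from the raw markup, i.e. the
    fragmentation evasion is in use for them."""
    text = visible_text(html).lower()
    raw = html.lower()
    return [kw for kw in keywords if kw.lower() in text and kw.lower() not in raw]


if __name__ == "__main__":
    print(visible_text(FRAGMENTED_HTML))
    print(find_fragmented_keywords(FRAGMENTED_HTML, KEYWORDS))
```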
3. OAuth Redirection Abuse: Exploiting Trusted Flows
This BitB campaign is particularly dangerous because it spoofs OAuth authorization URLs, tricking users into believing they are approving a legitimate application’s access to their data. Attackers create malicious OAuth applications with carefully crafted `redirect_uri` parameters that point to their own infrastructure after a user “authenticates.” This is not a theoretical risk; Microsoft researchers have observed active campaigns abusing OAuth redirects to target government users and deliver malware.
Even if a user has MFA enabled, the attack can succeed. The victim is presented with what appears to be a normal OAuth consent screen. When they approve, the attacker receives a valid OAuth authorization code or token, granting them persistent access to the victim’s cloud resources. This access often persists even after a password change, making OAuth token abuse a severe post-exploitation risk.
Step-by-step guide to hardening OAuth applications and monitoring for abuse:
1. Audit all application registrations in your Entra ID (Azure AD) or Google Workspace environment. Enforce an allow-list for redirect URIs to reduce the risk of malicious or misconfigured integrations.
2. Regularly review each OAuth application’s purpose, permissions, and granted scopes. Remove any application that is unused or over-privileged. Pay special attention to applications requesting high-impact permissions like `Mail.Read` or `Files.ReadWrite.All`.
3. Limit user consent to low-impact permissions or restrict consent entirely to administrators. In Entra ID, configure the “User consent to applications” setting to “Allow user consent for apps from verified publishers, for selected permissions” and add only trusted publishers.
4. Configure Conditional Access policies to block or require MFA for OAuth application sign-ins from high-risk locations or non-compliant devices.
5. Enable OAuth application audit logs and set up monitoring for unusual patterns. Using Microsoft Graph PowerShell or Azure Monitor, query for newly created service principals and applications with high-risk permissions.
Microsoft Graph PowerShell Commands for OAuth Audit:
# Connect to Microsoft Graph (requires appropriate admin roles)
Connect-MgGraph -Scopes "Application.Read.All", "DelegatedPermissionGrant.Read.All", "AuditLog.Read.All", "Directory.Read.All"
# List OAuth applications (service principals) that have been granted high-risk delegated permissions.
# Granted permissions are recorded as OAuth2 permission grants, not in a service principal's AppRoles
# (which only list the roles an application defines), so query the grants and resolve the client.
Get-MgOauth2PermissionGrant -All |
    Where-Object { $_.Scope -match "Mail\.Read|Files\.ReadWrite\.All|User\.Read\.All" } |
    ForEach-Object {
        $sp = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId
        [pscustomobject]@{ DisplayName = $sp.DisplayName; AppId = $sp.AppId; Scope = $_.Scope; ConsentType = $_.ConsentType }
    } | Format-List
# Retrieve audit logs for new OAuth application consent grants in the last 7 days
$since = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")
Get-MgAuditLogDirectoryAudit -All -Filter "activityDateTime ge $since and activityDisplayName eq 'Consent to application'" |
    Format-List ActivityDateTime, TargetResources, InitiatedBy
# List the application role assignments (app instances) granted to each user in the tenant
Get-MgUser -All | ForEach-Object {
    Get-MgUserAppRoleAssignment -UserId $_.Id | Format-List PrincipalDisplayName, ResourceDisplayName, AppRoleId, CreatedDateTime
}
Linux/macOS Command to Query OAuth Token Endpoints (for API security testing):
# Send a POST request to a token endpoint (for testing your own authorized applications only)
# Replace {tenant-id}, client_id, client_secret, code and redirect_uri with valid values from your test environment
curl -s -X POST "https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "client_id=YOUR_CLIENT_ID" \
  -d "client_secret=YOUR_CLIENT_SECRET" \
  -d "code=AUTHORIZATION_CODE" \
  --data-urlencode "redirect_uri=YOUR_REGISTERED_REDIRECT_URI" \
  -d "grant_type=authorization_code"
# Analyze the JSON response: confirm it is valid and that the "scope" value contains no permissions beyond those the application needs
4. Defensive Measures: Detection, Mitigation, and Response
Combating BitB attacks requires a multi-layered approach that combines user education, technical controls, and proactive threat hunting. Since BitB attacks operate entirely within the browser, traditional email and web gateways may not be sufficient. Organizations must focus on browser-native defenses and identity-centric security.
Several detection methods are currently available. Browser extensions like “PhishWatch” can detect DOM overlay patterns consistent with BitB window spoofing, including fake URL bars, window controls, and embedded credential forms. Academic research has also proposed detection systems (e.g., BitD) that can identify BitB attack pages on both macOS and Windows by analyzing browser behavior patterns.
Step-by-step guide to implementing a defense-in-depth strategy against BitB:
1. Deploy a browser extension specifically designed for BitB detection. Install and configure an extension like PhishWatch or a similar tool that actively scans for fake overlay patterns.
2. Implement conditional access policies that require compliant devices. By ensuring that only managed, healthy devices can access corporate resources, you add a layer of protection even if credentials are stolen.
3. Conduct regular, simulated BitB phishing exercises to train users. Create a controlled environment where employees experience a fake BitB prompt and learn to identify the indicators (non-draggable window, inspection showing HTML, etc.).
4. Enable Microsoft Defender for Office 365’s Safe Links and Safe Attachments to scan and block malicious URLs, even those that use redirection techniques. Configure policies to apply these protections to links in email messages, Teams chats, and Office files.
5. Use a Web Isolation or Remote Browser Isolation (RBI) solution. These technologies execute web content in a secure, isolated container, preventing malicious pages from ever reaching the user’s local browser.
6. Monitor for OAuth abuse using your SIEM. Ingest logs from Entra ID, Google Workspace, and Okta. Create alerts for the following high-risk activities:
– Creation of a new service principal or application from an unusual location or by a non-admin user.
– Consent grant to an application requesting high-risk permissions, especially if the application has no verified publisher.
– A single user granting consent to multiple new applications in a short time window.
– OAuth token usage from an unexpected IP address or location.
7. Use Microsoft 365 Defender or Google Workspace Alert Center to investigate and revoke unauthorized OAuth grants. For advanced hunting, use Kusto Query Language (KQL) in Microsoft 365 Defender to search for BitB-related activity.
KQL Query for Microsoft 365 Defender to Hunt for OAuth Anomalies:
let high_risk_permissions = dynamic(["Mail.Read", "Files.ReadWrite.All", "User.Read.All", "offline_access"]);
AADSignInEventsBeta
| where Application != "" and Application != "Office 365 Exchange Online"
| where ConditionalAccessStatus != "success"
| where ErrorCode in (50076, 50079) // MFA required or not satisfied
| join kind=inner (
    AADAppEvents
    | where ActionType == "Consent to application"
    // TargetResources is a dynamic array; element 0 is the consented resource.
    // The join key must be a plain column, so extract it before the join.
    | extend TargetUpn = tostring(TargetResources[0].UserPrincipalName)
    | extend ParsedPermissions = parse_json(TargetResources[0].ModifiedProperties)
    | mv-expand ParsedPermissions
    | where ParsedPermissions.Name == "Permissions granted"
    | extend PermissionsGranted = tostring(ParsedPermissions.NewValue)
    | where PermissionsGranted has_any (high_risk_permissions)
) on $left.AccountUpn == $right.TargetUpn
| project Timestamp, AccountUpn, Application, ApplicationId, PermissionsGranted, IPAddress, UserAgent
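Two of the SIEM alert rules listed in step 6 (consent to high-risk permissions by an app with no verified publisher, and one user granting consent to several new applications in a short window) can be exercised offline. The Python below is an added example, not code from the post or from any vendor; the audit events are constructed and their field names are illustrative rather than Entra ID's exact schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Permissions treated as high-risk, matching the KQL query above.
HIGH_RISK = {"Mail.Read", "Files.ReadWrite.All", "User.Read.All", "offline_access"}

# Constructed sample consent-grant audit events as a SIEM might hold them after
# ingesting IdP logs. Field names are illustrative, not Entra ID's exact schema.
EVENTS = [
    {"time": "2026-06-02T09:00:00Z", "user": "alice@example.com", "app": "Expense Tool",
     "permissions": ["User.Read"], "verified_publisher": True},
    {"time": "2026-06-02T09:03:10Z", "user": "bob@example.com", "app": "PDF Viewer Pro",
     "permissions": ["Mail.Read", "offline_access"], "verified_publisher": False},
    {"time": "2026-06-02T09:04:02Z", "user": "bob@example.com", "app": "Doc Sync",
     "permissions": ["Files.ReadWrite.All"], "verified_publisher": False},
    {"time": "2026-06-02T09:06:45Z", "user": "bob@example.com", "app": "Calendar Helper",
     "permissions": ["User.Read"], "verified_publisher": True},
    {"time": "2026-06-02T14:00:00Z", "user": "carol@example.com", "app": "HR Portal",
     "permissions": ["User.Read.All"], "verified_publisher": True},
]


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def unverified_high_risk_consents(events):
    """Rule: consent to high-risk permissions for an app with no verified publisher.
    Returns (user, app, sorted high-risk permissions) for each matching event."""
    alerts = []
    for e in events:
        risky = HIGH_RISK & set(e["permissions"])
        if risky and not e["verified_publisher"]:
            alerts.append((e["user"], e["app"], sorted(risky)))
    return alerts


def consent_bursts(events, threshold=3, window=timedelta(minutes=10)):
    """Rule: one user consenting to at least `threshold` distinct apps within a
    sliding `window`. Returns one (user, sorted apps) alert per offending user."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):  # ISO-8601 strings sort chronologically
        by_user[e["user"]].append((parse_time(e["time"]), e["app"]))
    alerts = []
    for user, grants in by_user.items():
        start = 0
        for end in range(len(grants)):
            # Slide the window start forward until it spans at most `window`.
            while grants[end][0] - grants[start][0] > window:
                start += 1
            apps = {app for _, app in grants[start:end + 1]}
            if len(apps) >= threshold:
                alerts.append((user, sorted(apps)))
                break  # one alert per user is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in unverified_high_risk_consents(EVENTS):
        print("HIGH-RISK CONSENT, UNVERIFIED PUBLISHER:", alert)
    for alert in consent_bursts(EVENTS):
        print("CONSENT BURST:", alert)
```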
5. Windows, Linux, and Network-Level Response Commands
When a BitB attack is suspected or confirmed, immediate action is required to contain the incident, block malicious domains, and prevent further compromise. The following commands provide a rapid-response toolkit for system administrators and security analysts.
Step-by-step guide to containing a live BitB threat and blocking indicators:
1. Isolate the affected endpoint from the network immediately. For Windows devices, disable the network adapter or run the following PowerShell command as Administrator to block all outbound traffic.
Windows PowerShell (Admin) – Network Isolation:
# Immediately block all outbound traffic from the machine
New-NetFirewallRule -DisplayName "EMERGENCY_BLOCK_ALL_OUTBOUND" -Direction Outbound -Action Block
# Flush DNS cache to remove potentially malicious entries
Clear-DnsClientCache
# Terminate all browser processes (ignore browsers that are not running)
Get-Process chrome, firefox, msedge, iexplore, opera -ErrorAction SilentlyContinue | Stop-Process -Force
2. On Linux systems, use iptables or nftables to block network access and prevent the compromised browser from communicating with command-and-control (C2) servers.
Linux Commands (as root):
# Block all outbound traffic (add -o <interface> to restrict the rule to one interface if needed)
iptables -A OUTPUT -j DROP
# Flush DNS cache: for systemd-resolved based systems
systemd-resolve --flush-caches
# OR, for systems using nscd
sudo killall -HUP nscd
# Kill all browser processes (pkill takes a single extended regex, not a list of names)
pkill -9 'chrome|firefox|opera|brave'
# After isolation, log the running processes for forensics
ps auxf > /tmp/process_list.txt
3. Block the identified malicious domains at the network level. Using the indicators from the Unit 42 report, add these domains to your firewall, DNS filter, or proxy server’s block list. Below are Python and Bash scripts to check if a domain is present in a page’s source, which can be adapted for automated monitoring.
Python Script to Check for Compromised Domains in Network Logs:
import re
import sys

# Malicious domain patterns from the Unit 42 report (example format, replace with actual).
# Logs contain the real dotted form, so the dot is escaped rather than written defanged as [.],
# and word boundaries keep e.g. "href.li" from matching "href.link".
malicious_domains = [
    r"\bgenerationyinternainteractiveagency\.vu\b",
    r"\bhref\.li\b",
    # Add additional domains as discovered
]


def scan_log_file(file_path):
    """Print an alert for every log line that contains a known malicious domain."""
    with open(file_path, 'r', errors='replace') as f:
        for line_num, line in enumerate(f, 1):
            for domain_pattern in malicious_domains:
                if re.search(domain_pattern, line, re.IGNORECASE):
                    print(f"ALERT: Malicious domain pattern '{domain_pattern}' found at line {line_num}")
                    print(f"Line content: {line.strip()}")


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("Usage: python bitb_scanner.py <path_to_network_log>")
        sys.exit(1)
    scan_log_file(sys.argv[1])
4. For advanced mitigation, implement a browser security baseline using Group Policy Objects (GPO) on Windows or configuration profiles on macOS. Enforce settings such as disabling external protocol requests, managing extension installation, and blocking third-party cookies.
Windows Group Policy Settings to Mitigate BitB (via gpedit.msc or Intune):
– Disable JavaScript access to the clipboard: Navigate to `Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone > Allow Programmatic Clipboard Access`. Set to “Disable.”
– Restrict drag and drop of content across origins: Search for policy related to “Turn off drag and drop or copy and paste of files” and enable it.
– Block the use of browser extensions from untrusted sources: Set the policy for “Control which extensions are installed silently” to block all extensions not on an explicit allow-list.
– Manage the browser’s built-in password manager: Disable the browser’s ability to save passwords to reduce the risk of credential exposure.
What Undercode Say:
– The Browser-in-the-Browser attack represents a fundamental shift in phishing, moving from simple fake pages to authentic-looking overlays that leverage advanced evasion techniques. Its ability to mimic OAuth flows directly undermines the trust users place in modern authentication protocols, including MFA.
– The integration of fingerprinting, console hijacking, and text fragmentation demonstrates a mature, threat-actor mindset focused on defeating both security tools and human scrutiny. The use of a sandboxed iframe and bot redirection further complicates analysis, requiring defenders to adopt more sophisticated detection and response strategies.
Analysis (Approx. 10 lines):
The evolution of BitB campaigns, as detailed by Unit 42, highlights the growing sophistication of phishing-as-a-service (PhaaS) offerings and the commoditization of advanced attack techniques. Traditional security awareness training that focuses on checking URLs and looking for HTTPS may no longer be sufficient. The attack’s reliance on client-side JavaScript and OAuth flows places the burden of defense squarely on browser and identity security. Mitigation requires a layered approach that includes behavioral detection, browser hardening, strict OAuth governance, and continuous monitoring for anomalous consent grants. As attack toolkits like Sneaky2FA and Tycoon 2FA continue to integrate BitB capabilities, the bar for entry for cybercriminals lowers, leading to wider adoption. Defenders must prioritize the deployment of real-time detection tools and adopt a “never trust, always verify” mindset for all browser-based authentication windows.
Prediction:
– -1: BitB attacks will increasingly be combined with AI-generated content to produce highly personalized, context-aware phishing lures, making them significantly harder to distinguish from legitimate communications.
– -1: As more organizations adopt passwordless authentication (e.g., FIDO2 keys), attackers will shift their focus to stealing session cookies and OAuth tokens via BitB, rendering MFA less effective as a standalone defense.
– +1: Browser vendors will be forced to implement native security features specifically designed to detect and block BitB overlays, potentially by restricting DOM manipulation by untrusted scripts or by improving the security of the browser’s pop-up API.
– -1: The integration of BitB techniques into phishing kits will lead to an exponential increase in successful account takeovers, particularly targeting high-value SaaS applications like Microsoft 365, Google Workspace, and Salesforce.
– +1: The emergence of AI-powered browser extensions and endpoint detection and response (EDR) agents that can analyze browser behavior in real-time will provide defenders with a crucial tool to identify and stop BitB attacks at the point of execution.
– -1: The use of legitimate OAuth flows and sandboxed iframes by attackers will continue to evade traditional sandboxing and detection technologies, as these elements are not inherently malicious. This will force a re-evaluation of how security tools classify “normal” browser behavior.
– +1: Increased collaboration between identity providers (IdPs) and browser vendors may lead to standardized APIs that allow IdPs to verify the authenticity of a browser window before an OAuth consent is granted, directly disrupting the BitB attack chain.
IT/Security Reporter URL:
Reported By: [Browser UgcPost](https://www.linkedin.com/posts/browser-ugcPost-7469871641158774784-etgz/) – Hackers Feeds


