Security researchers at Push Security are warning that Sneaky2FA, an advanced phishing-as-a-service (PhaaS) kit, has released a significant update that integrates Browser-in-the-Browser (BitB) deception with real-time adversary-in-the-middle (AiTM) capabilities.
The upgrade enables attackers to display a fake authentication pop-up that replicates Microsoft's real login window, including the address bar. The fake window even adapts to the user's device and browser, matching the appearance of Edge on Windows or Safari on macOS. The result is a kit that is even harder to spot and even more effective at bypassing multi-factor authentication (MFA).
How The Attack Works
The attack begins when a victim clicks on a phishing link, often hosted on domains like "previewdoc[.]us". Before seeing anything suspicious, the user is made to complete a Cloudflare Turnstile check, a tactic that keeps automated security scanners from reaching the pages and analysing them.
After passing the Cloudflare Turnstile bot-check, the page redirects to a subdomain of previewdoc[.]us, which presents an Adobe-style document and tells the user to "Sign in with Microsoft" to open the file.
Upon clicking "Sign in with Microsoft", the BitB pop-up appears, showing what looks like a Microsoft-branded login screen complete with a convincing address bar. The pop-up window automatically adjusts to the victim's operating system and browser, making it nearly indistinguishable from the real thing.
Behind the scenes, the attacker's reverse-proxy engine loads the genuine Microsoft login flow, silently capturing the username, password, and active session token, allowing attackers to access the account even if the victim has 2FA enabled.
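The defensive angle on the flow above: a BitB "window" is not a real browser pop-up but page content painted to look like one, so its address bar is ordinary text (or an image) inside an overlay element rather than browser chrome. The following heuristic scanner is an added example written for this article, not code from Push Security or from the kit; it assumes login.microsoftonline.com as the host a fake address bar would imitate and uses constructed HTML samples.

```python
"""Heuristic Browser-in-the-Browser (BitB) detector over raw HTML.

Flags URL-looking text for a login host that is rendered outside any
link and inside a positioned overlay: a genuine page has no reason to
paint its own address bar, while a BitB pop-up must.
"""
import re
from html.parser import HTMLParser

# Assumption: hosts a fake address bar would imitate (extend as needed).
LOGIN_HOSTS = ("login.microsoftonline.com",)
URL_RE = re.compile(
    r"https?://(" + "|".join(re.escape(h) for h in LOGIN_HOSTS) + r")\S*", re.I)
OVERLAY_RE = re.compile(r"position\s*:\s*(fixed|absolute)", re.I)


class BitBScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []     # (tag, is_overlay) for each open element
        self.findings = []  # fake address-bar URLs found in overlays

    def handle_starttag(self, tag, attrs):
        style = dict(attrs).get("style") or ""
        self.stack.append((tag, bool(OVERLAY_RE.search(style))))

    def handle_endtag(self, tag):
        # Tolerate unbalanced markup: pop back to the matching open tag.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        m = URL_RE.search(data)
        if not m:
            return
        tags = [t for t, _ in self.stack]
        if "a" in tags or "script" in tags or "textarea" in tags:
            return  # a real link or script text, not a painted address bar
        if any(overlay for _, overlay in self.stack):
            self.findings.append(m.group(0))


def scan_html(html: str) -> list:
    """Return the fake address-bar URLs found in BitB-style overlays."""
    scanner = BitBScanner()
    scanner.feed(html)
    return scanner.findings


# Constructed samples: a BitB-style overlay with a painted address bar,
# and a benign page that merely links to the real login host.
BITB_SAMPLE = """<div style="position:fixed; top:80px; left:200px; width:480px">
  <div class="titlebar"><span>https://login.microsoftonline.com/common/oauth2/authorize</span></div>
  <iframe src="/proxied-login"></iframe></div>"""
BENIGN_SAMPLE = ('<p>Sign in at <a href="https://login.microsoftonline.com/">'
                 'https://login.microsoftonline.com/</a></p>')
```

Run `scan_html(BITB_SAMPLE)` to see the painted URL reported, while the benign page yields nothing.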
Multiple Layers Of Evasion Built In
Sneaky2FA's newest version is built for stealth, using multiple layers of evasion to avoid both scanners and human analysts. It blocks automated crawlers with Cloudflare Turnstile and CAPTCHA checks, and redirects visitors from security firms or suspicious IPs to harmless sites like Wikibooks. Its code is heavily obfuscated, with scrambled HTML and JavaScript, fragmented text, and images replacing key elements to defeat pattern-based detection tools.
The kit can even disable or interfere with browser debugging tools to prevent analysts from viewing source code. Attackers also rotate through short-lived, abandoned, or compromised domains with long, randomized URLs that disappear after a few days, making the phishing pages difficult to track or blacklist.
"Attackers are continuously innovating their phishing techniques, particularly in the context of an increasingly professionalized PhaaS ecosystem. With identity-based attacks continuing to be the leading cause of breaches, attackers are incentivized to refine and enhance their phishing infrastructure," explain the researchers in a blog post published on Tuesday.
Part Of A Wider PhaaS Evolution
Sneaky2FA is the latest phishing kit to adopt BitB, following similar moves by Raccoon0365 and other AiTM toolkits like Tycoon2FA and Mamba2FA. Analysts warn that phishing-as-a-service operations are rapidly evolving, as attackers seek more reliable ways to defeat MFA and blend into legitimate login flows.
Push Security confirmed that its browser-based detection system successfully identified the Sneaky2FA BitB kit in real time, blocking the phishing attempt before credentials could be stolen. However, it warns that traditional security tools that depend on signatures or domain checks will continue to struggle.
