Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to intelligence
phishing-campaign-intelligenceidentity-impersonation-fraudcredential-access-methodcybercrime-service-ecosystem

Phishing-as-a-Service 'Sneaky 2FA' Kit Enables Browser-in-the-Browser Credential Theft

Updated 2d agoFirst seen Nov 19, 20255 sources

Threat actors are leveraging a Phishing-as-a-Service (PhaaS) kit called Sneaky 2FA to deploy advanced Browser-in-the-Browser (BitB) phishing attacks. This kit allows attackers to create highly convincing fake browser pop-up windows that closely mimic legitimate sign-in prompts, including a forged address bar displaying authentic-looking URLs. The technique is designed to deceive users into entering their credentials, which are then exfiltrated to the attacker. Security researchers have observed these attacks targeting Microsoft account credentials, with the kit's obfuscated code and anti-analysis features making detection and mitigation more challenging.

The Sneaky 2FA kit is available on criminal marketplaces, enabling even less-skilled threat actors to launch sophisticated phishing campaigns at scale. Attackers often use additional evasion tactics, such as bot protection checks (e.g., Cloudflare Turnstile) and CAPTCHAs, to filter out automated security tools before presenting the fake login window to real users. Experts recommend using password managers, which can help detect these fake forms by refusing to autofill credentials on non-legitimate login pages, as a key defense against such deceptive phishing techniques.

Share:
Phishing-as-a-Service 'Sneaky 2FA' Kit Enables Browser-in-the-Browser Credential Theft
Stay ahead

Get ahead of threats like this

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.

EVENT TIMELINE

How this story unfolded

3 events from the most recent confirmed update back to the earliest known activity.

3 EVENTS
Nov 18, 20258mo ago

Multiple outlets publicize Sneaky 2FA's new BiTB capability

News outlets including The Hacker News, Malwarebytes, SC Media, BleepingComputer, and CSO Online published reports highlighting the updated Sneaky 2FA kit's use of Browser-in-the-Browser phishing to create convincing fake sign-in windows. The coverage emphasized the growing sophistication and accessibility of phishing-as-a-service tooling.

Push Security details Sneaky 2FA's delivery and evasion tactics

Researchers reported that the attack chain could be triggered from the 'previewdoc[.]us' website, which redirected victims to a subdomain hosting a fake Microsoft login page. They also noted conditional loading, anti-analysis measures, obfuscation, and 'burn-and-replace' URLs designed to improve targeting and evade detection.

Researchers observe updated Sneaky 2FA kit using Browser-in-the-Browser

Security researchers identified a new version of the Sneaky 2FA phishing-as-a-service kit that added Browser-in-the-Browser functionality to mimic legitimate browser login pop-ups and conceal the real phishing URL. The updated kit was observed targeting Microsoft account credentials and MFA codes with fake sign-in windows.

LINKED ENTITIES

Related entities

Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.

8 LINKEDOpen in app
Threat actors
2 linked
Organizations
6 linked
Microsoft CorporationBeauceron SecurityCloudflareKnowbe4Push SecurityGoogle
The operational view lives in Mallory

See the full picture, correlated to your attack surface.

This page covers what’s public. Mallory adds the parts that aren’t — which of your assets are affected, which threat actors are using it right now, which detections to deploy, and what to do next.
Exposure mapping

Map indicators from this story to your assets and identify affected systems in minutes.

Threat actor evidence

Every observed campaign, victim, and pivot linked to actors named in this story.

Associated malware

Malware, exploits, and IOCs connected to the activity described here.

Detection signatures

YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.

Scheduled alerts

Get matching new stories delivered to your team as they break — not the next morning.

AI threads

Ask questions about this story and take action on the answers.

Phishing-as-a-Service 'Sneaky 2FA' Kit Enables Browser-in-the-Browser Credential Theft | Mallory