Phishing-as-a-Service 'Sneaky 2FA' Kit Enables Browser-in-the-Browser Credential Theft
Threat actors are leveraging a Phishing-as-a-Service (PhaaS) kit called Sneaky 2FA to deploy advanced Browser-in-the-Browser (BitB) phishing attacks. This kit allows attackers to create highly convincing fake browser pop-up windows that closely mimic legitimate sign-in prompts, including a forged address bar displaying authentic-looking URLs. The technique is designed to deceive users into entering their credentials, which are then exfiltrated to the attacker. Security researchers have observed these attacks targeting Microsoft account credentials, with the kit's obfuscated code and anti-analysis features making detection and mitigation more challenging.
The Sneaky 2FA kit is available on criminal marketplaces, enabling even less-skilled threat actors to launch sophisticated phishing campaigns at scale. Attackers often use additional evasion tactics, such as bot protection checks (e.g., Cloudflare Turnstile) and CAPTCHAs, to filter out automated security tools before presenting the fake login window to real users. Experts recommend using password managers, which can help detect these fake forms by refusing to autofill credentials on non-legitimate login pages, as a key defense against such deceptive phishing techniques.
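The password-manager defense described above works because autofill is keyed to the origin the browser reports, not to the address bar a page draws inside a fake pop-up. The following is an added example, not code from the original article or from any particular password manager: a simplified model of that decision, in which the `autofillDecision` helper, its fields and all hostnames are constructed for illustration (real products differ in their matching rules).

```javascript
// Added example: simplified model of a password manager's autofill decision.
// Hostnames are constructed placeholders under example.com / .example.

// Reduce a URL to its origin; null for unparsable or non-HTTPS input.
function httpsOrigin(rawUrl) {
  try {
    const u = new URL(rawUrl);
    return u.protocol === "https:" ? u.origin : null;
  } catch {
    return null;
  }
}

// savedUrl: URL stored alongside the credential.
// ctx.topLevelUrl: URL of the real tab, as reported by the browser.
// ctx.frameUrl: URL of the document holding the password field (optional).
// ctx.renderedAddressBarText: text drawn by the page itself; deliberately unused.
function autofillDecision(savedUrl, ctx) {
  const saved = httpsOrigin(savedUrl);
  const top = httpsOrigin(ctx.topLevelUrl);
  const frame = httpsOrigin(ctx.frameUrl || ctx.topLevelUrl);
  if (!saved) return { fill: false, reason: "saved entry has no HTTPS origin" };
  if (frame !== saved) return { fill: false, reason: "form origin differs from saved origin" };
  if (top !== saved) return { fill: false, reason: "form is framed by a different top-level origin" };
  return { fill: true, reason: "origin match" };
}

const SAVED = "https://login.example.com/";
const CASES = [
  // Genuine sign-in page.
  { topLevelUrl: "https://login.example.com/signin" },
  // BitB: the fake pop-up shows the real URL as text, but the form lives elsewhere.
  { topLevelUrl: "https://docs.phish.example/view",
    frameUrl: "https://auth.phish.example/login",
    renderedAddressBarText: "https://login.example.com/signin" },
  // Real origin embedded inside an unrelated top-level page.
  { topLevelUrl: "https://docs.phish.example/view",
    frameUrl: "https://login.example.com/signin" },
  // Lookalike host that merely starts with the saved hostname.
  { topLevelUrl: "https://login.example.com.phish.example/" },
];

function runCases() {
  return CASES.map((ctx) => autofillDecision(SAVED, ctx));
}

console.log(runCases());
```

Only the first case is filled; the forged address bar text never enters the comparison, which is why a missing autofill prompt on a familiar-looking sign-in window is a useful signal.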

How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Multiple outlets publicize Sneaky 2FA's new BitB capability
News outlets including The Hacker News, Malwarebytes, SC Media, BleepingComputer, and CSO Online published reports highlighting the updated Sneaky 2FA kit's use of Browser-in-the-Browser phishing to create convincing fake sign-in windows. The coverage emphasized the growing sophistication and accessibility of phishing-as-a-service tooling.
Push Security details Sneaky 2FA's delivery and evasion tactics
Researchers reported that the attack chain could be triggered from the 'previewdoc[.]us' website, which redirected victims to a subdomain hosting a fake Microsoft login page. They also noted conditional loading, anti-analysis measures, obfuscation, and 'burn-and-replace' URLs designed to improve targeting and evade detection.
Researchers observe updated Sneaky 2FA kit using Browser-in-the-Browser
Security researchers identified a new version of the Sneaky 2FA phishing-as-a-service kit that added Browser-in-the-Browser functionality to mimic legitimate browser login pop-ups and conceal the real phishing URL. The updated kit was observed targeting Microsoft account credentials and MFA codes with fake sign-in windows.
Sources
Sneaky2FA phishing tool adds ability to insert legit-looking URLs (csoonline.com)
Attackers are using “Sneaky 2FA” to create fake sign-in windows that look real (malwarebytes.com)
BitB integrated into updated Sneaky 2FA PhaaS kit (scworld.com)
Sneaky2FA PhaaS kit now uses redteamers' Browser-in-the-Browser attack (bleepingcomputer.com)
Sneaky 2FA Phishing Kit Adds BitB Pop-ups Designed to Mimic the Browser Address Bar (thehackernews.com)


