Browser-in-the-Browser Phishing Campaigns Targeting Facebook Credentials
Threat actors have increasingly used the browser-in-the-browser (BitB) technique to steal Facebook credentials, leveraging fake in-browser pop-up login windows that closely mimic legitimate authentication flows. Trellix reported that recent campaigns commonly start with phishing emails impersonating law firms issuing copyright infringement warnings, threats of imminent account suspension, or Meta security alerts about suspicious logins; these lures often include shortened links and fake Meta CAPTCHA pages to add legitimacy before presenting the counterfeit login prompt.

How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Trellix discloses details of Facebook-focused BitB phishing campaigns
Trellix publicly reported that attackers were using iframe-rendered fake browser pop-up windows to mimic legitimate Facebook authentication flows and steal credentials. The company also described related tactics including URL shorteners, fake Meta Privacy Center pages, and appeal forms used to collect personal information.
Threat actors ramp up BitB phishing to steal Facebook credentials
Over roughly the six months preceding Trellix's January 2026 reporting, multiple threat actors increasingly used browser-in-the-browser phishing pages to capture Facebook logins. The campaigns used lures such as copyright infringement notices, account suspension warnings, and Meta security alerts, often hosted on platforms like Netlify and Vercel and paired with fake Meta CAPTCHA or appeal pages.
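A defender-side triage heuristic for the fake pop-up described above, added here as an example (not code from Trellix or from this page): a page that is not served by Facebook or Meta, yet displays a Facebook or Meta URL as ordinary page text next to an iframe or password field, is drawing its own address bar. The brand list, function names, and sample page are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the brands whose login URL a fake address bar would display.
BRAND_HOSTS = ("facebook.com", "meta.com")
URL_TEXT = re.compile(r"https?://([a-z0-9.-]+)", re.I)
# Constructed sample: a drawn "address bar" above an iframe-hosted form.
SAMPLE_URL = "https://notice.example/appeal"
SAMPLE_HTML = ('<div class="bar"><span>https://www.facebook.com/login</span></div>'
               '<iframe src="form.html"></iframe>')

def is_brand_host(host):
    host = (host or "").lower().rstrip(".")
    return any(host == b or host.endswith("." + b) for b in BRAND_HOSTS)

class PageScan(HTMLParser):
    def __init__(self):
        super().__init__()
        self.in_code = self.iframes = self.password_inputs = 0
        self.drawn_hosts = []     # hosts of URLs that appear as visible text

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.in_code += 1
        elif tag == "iframe":
            self.iframes += 1
        elif tag == "input" and (dict(attrs).get("type") or "").lower() == "password":
            self.password_inputs += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self.in_code:
            self.in_code -= 1

    def handle_data(self, data):
        if not self.in_code:      # ignore URLs inside script/style bodies
            self.drawn_hosts += URL_TEXT.findall(data)

def bitb_indicators(page_url, html):
    page_host = urlsplit(page_url).hostname or ""
    if is_brand_host(page_host):
        return []                 # really served by the brand
    scan = PageScan()
    scan.feed(html)
    scan.close()
    spoofed = sorted({h.lower() for h in scan.drawn_hosts if is_brand_host(h)})
    if not spoofed or not (scan.iframes or scan.password_inputs):
        return []                 # needs both a drawn brand URL and a login surface
    return [f"page text displays a {h} URL but is served from {page_host}" for h in spoofed]
```

Treat a hit as a lead for review rather than a verdict, since a page that merely quotes a Facebook URL next to an embedded frame will also match.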


