Tags: phishing-campaign-intelligence, identity-authentication-vulnerability, credential-stealer-activity, defense-evasion-method

Browser-in-the-Browser Campaign Targets Microsoft 365 OAuth Logins

Updated 2d ago · First seen Jun 9, 2026 · 2 sources

Palo Alto Networks Unit 42 reported a Browser-in-the-Browser phishing campaign targeting Microsoft 365 users with fake OAuth sign-in popups embedded inside malicious webpages. The attackers render the window with HTML, CSS, and JavaScript to mimic a legitimate browser authentication prompt, complete with a spoofed Microsoft URL, padlock icon, draggable behavior, and visual tailoring for Windows, macOS, Linux, Chrome, Firefox, Edge, and Safari. The credential-harvesting flow is delivered through a sandboxed iframe, separating the visible lure from the collection mechanism and making investigation more difficult.

Researchers said the campaign uses multiple evasion techniques, including blocking debugging functions, fragmenting keywords and visible strings to bypass filters, and redirecting bots or scanners to a legitimate Microsoft Office help page. Victims who submit credentials can have their Microsoft 365 logins stolen, and attackers may also capture OAuth consent grants or session-like tokens that can preserve access to Microsoft 365 and connected cloud services even after a password reset. Unit 42 published domains linked to the activity and urged defenders to monitor for suspicious active sessions, revoke suspicious tokens, enforce conditional access for managed devices, and adopt phishing-resistant authentication such as passkeys or FIDO2 hardware keys.
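The keyword-fragmentation evasion described above defeats scanners that match brand strings against raw page source. The following is an added defender-side example, not code from Unit 42 or from this page: it normalizes a lure page (strips HTML comments and inline tags that split visible text, decodes entities, removes zero-width characters, and joins JavaScript string-literal concatenations such as `"micro" + "soft"`) before keyword matching. The specific fragmentation tricks handled and the sample lure are constructed assumptions, not observed campaign artifacts.

```python
import html
import re

# Brand/login keywords a scanner would look for in a lure page (constructed list).
KEYWORDS = ("microsoft", "office 365", "sign in", "login.microsoftonline.com")

# Zero-width characters that split a visible word without changing how it renders.
ZERO_WIDTH = re.compile("[\u200b\u200c\u200d\u2060\ufeff]")
# Two adjacent quoted literals joined with '+', e.g. "micro" + "soft".
STR_CONCAT = re.compile(r"""(["'])((?:(?!\1).)*)\1\s*\+\s*(["'])((?:(?!\3).)*)\3""")
# Inline tags that can split visible text: <span>Micro</span><span>soft</span>.
INLINE_TAG = re.compile(r"</?(?:span|b|i|u|em|strong|font)\b[^>]*>", re.I)
HTML_COMMENT = re.compile(r"<!--.*?-->", re.S)


def join_string_concats(src):
    """Merge chained literal concatenations until a fixed point is reached."""
    prev = None
    while prev != src:
        prev = src
        src = STR_CONCAT.sub(lambda m: f'"{m.group(2)}{m.group(4)}"', src)
    return src


def normalize(page):
    """Undo the fragmentation layers so keywords become contiguous again."""
    text = HTML_COMMENT.sub("", page)
    text = INLINE_TAG.sub("", text)
    text = html.unescape(text)          # &nbsp; and friends -> real characters
    text = ZERO_WIDTH.sub("", text)
    text = join_string_concats(text)
    return re.sub(r"\s+", " ", text).lower()


def naive_find(page):
    """What a raw-source keyword filter sees (no normalization)."""
    lowered = page.lower()
    return sorted(k for k in KEYWORDS if k in lowered)


def find_keywords(page):
    """Keyword hits after normalization."""
    norm = normalize(page)
    return sorted(k for k in KEYWORDS if k in norm)


# Constructed sample lure fragment (not a real campaign artifact).
SAMPLE_LURE = """
<div class="fake-window"><span>Micro</span><!-- x --><span>soft</span> Sign&nbsp;in
<span>lo\u200bgin.micro\u200bsoftonline.com</span>
<script>var host = "login." + "micro" + "soft" + "online.com";</script>
</div>
"""

if __name__ == "__main__":
    print("raw match:", naive_find(SAMPLE_LURE))        # []
    print("normalized:", find_keywords(SAMPLE_LURE))    # all three keywords
```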


EVENT TIMELINE

How this story unfolded

2 events from the most recent confirmed update back to the earliest known activity.

Jun 9, 2026 (22d ago)

Unit 42 reveals evasion tactics and infrastructure linked to the campaign

Unit 42 disclosed that the attackers use anti-analysis techniques such as blocking debugging, fragmenting strings, and redirecting bots or scanners to legitimate Microsoft content to avoid detection. The researchers also published domains associated with the phishing operation and noted the credential-harvesting component is delivered through a sandboxed iframe.

Source: New Browser-in-the-Browser Phishing Attack to Steal Microsoft 365 Logins - Cyber Security News

Unit 42 identifies Browser-in-the-Browser phishing targeting Microsoft 365 users

Palo Alto Networks Unit 42 reported a Browser-in-the-Browser phishing campaign that uses fake Microsoft OAuth login popups embedded in malicious webpages to steal Microsoft 365 credentials. The campaign mimics real browser authentication windows with HTML, CSS, and JavaScript and adapts its appearance to the victim's operating system and browser.

Source: New Browser-in-the-Browser Phishing Attack to Steal Microsoft 365 Logins - Cyber Security News
LINKED ENTITIES

Related entities

Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.

12 linked
Threat actors
1 linked
Affected products
8 linked
Microsoft 365, Windows, Safari, Firefox, macOS, Linux, Chrome, Microsoft Office
Organizations
3 linked
Microsoft Corporation, Palo Alto Networks, Cyber Security News