Browser-in-the-Browser Campaign Targets Microsoft 365 OAuth Logins
Palo Alto Networks Unit 42 reported a Browser-in-the-Browser (BitB) phishing campaign that targets Microsoft 365 users with fake OAuth sign-in popups embedded inside malicious webpages. The attackers render the "popup" with HTML, CSS, and JavaScript so that it mimics a legitimate browser authentication window, complete with a spoofed Microsoft URL, a padlock icon, draggable behavior, and visual tailoring for Windows, macOS, Linux, Chrome, Firefox, Edge, and Safari. The credential-harvesting form itself is delivered through a sandboxed iframe, which separates the visible lure from the collection mechanism and makes investigation harder. Because the fake window is only an element of the lure page, it cannot be dragged outside the real browser window, and the browser's own address bar still shows the lure domain rather than login.microsoftonline.com; those two checks remain the simplest way for a user to tell a BitB overlay from a genuine popup.
Researchers said the campaign uses several evasion techniques: blocking browser debugging functions, fragmenting keywords and visible strings so that static filters do not match them, and redirecting bots and scanners to a legitimate Microsoft Office help page. Submitted credentials are stolen, and attackers may also capture OAuth consent grants or session tokens. Those tokens can preserve access to Microsoft 365 and connected cloud services even after the victim's password is reset, so a password change alone does not evict the attacker. Unit 42 published domains linked to the activity and urged defenders to monitor for suspicious active sessions, revoke the affected accounts' sessions and tokens, enforce conditional access policies that require managed devices, and adopt phishing-resistant authentication such as passkeys or FIDO2 hardware keys, which bind the credential to the real origin and therefore cannot be replayed to a look-alike window.
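As an added example (not code from Unit 42 or from the page), the Node script below is a static heuristic scanner for BitB lure pages. It takes an HTML string and flags the traits described above: a fake address bar naming a Microsoft login host that the page never really navigates to, a sandboxed iframe carrying the form, brand strings split into concatenated fragments, anti-debugging code, and a user-agent-based redirect to a Microsoft page. The regular expressions, the verdict cut-offs, the `support.microsoft.com` destination and both sample pages are assumptions constructed for illustration.

```javascript
// Added example, not Unit 42's tooling: heuristic BitB page scanner for Node.
// Patterns, thresholds and sample pages are assumptions, not captured data.

const MS_LOGIN_HOSTS = [
  "login.microsoftonline.com",
  "login.live.com",
  "login.microsoft.com",
];

// Collapse a chain of string literals ("Mic" + 'ro' + "soft") into one
// string so keywords split for filter evasion can be matched again.
function joinFragments(chain) {
  return (chain.match(/(["'])(.*?)\1/g) || [])
    .map((s) => s.slice(1, -1))
    .join("");
}

function scanForBitb(html) {
  const findings = [];
  const lower = html.toLowerCase();

  // Fragmented keywords: two or more short adjacent literals joined with "+".
  const fragmentRe = /(?:["'][^"'\n]{1,12}["']\s*\+\s*)+["'][^"'\n]{1,12}["']/g;
  const reassembled = (html.match(fragmentRe) || []).map(joinFragments);
  for (const joined of reassembled) {
    if (/microsoft|office|password|login/i.test(joined)) {
      findings.push(`fragmented-keyword:${joined}`);
    }
  }

  // Spoofed address bar: a Microsoft login host is displayed (directly or
  // after reassembly) but no href/src/action on the page targets it.
  const visibleText = lower + " " + reassembled.join(" ").toLowerCase();
  for (const host of MS_LOGIN_HOSTS) {
    const escaped = host.replace(/\./g, "\\.");
    const realTarget = new RegExp(
      `(href|src|action)\\s*=\\s*["']https?://${escaped}`
    ).test(lower);
    if (visibleText.includes(host) && !realTarget) {
      findings.push(`spoofed-url-bar:${host}`);
    }
  }

  // Sandboxed iframe with inline (srcdoc/data:/blob:) content and forms
  // allowed: the lure and the credential form live in separate documents.
  for (const tag of html.match(/<iframe\b[^>]*>/gi) || []) {
    const t = tag.toLowerCase();
    const sandboxedForms = /\bsandbox\s*=\s*["'][^"']*allow-forms/.test(t);
    const inlineSrc = /\bsrcdoc\s*=|\bsrc\s*=\s*["'](data:|blob:)/.test(t);
    if (sandboxedForms && inlineSrc) findings.push("sandboxed-iframe-form");
  }

  // Anti-debugging / anti-analysis indicators.
  if (/\bdebugger\b/.test(html)) findings.push("debugger-statement");
  if (/console\.(log|debug|error|warn)\s*=[^=]/.test(html)) {
    findings.push("console-overridden");
  }
  if (/keyCode\s*===?\s*123|key\s*===?\s*["']F12["']/.test(html)) {
    findings.push("f12-blocked");
  }

  // Bot redirect: user-agent sniffing paired with a redirect to microsoft.com
  // (the destination host is an assumption).
  const uaSniff =
    /navigator\.userAgent/.test(html) && /bot|crawl|spider|headless/i.test(html);
  const msRedirect =
    /location(?:\.href)?\s*=\s*["']https?:\/\/[a-z.]*microsoft\.com/i.test(html);
  if (uaSniff && msRedirect) findings.push("bot-redirect-to-microsoft");

  // Triage verdict; the cut-offs are assumptions, not Unit 42's scoring.
  const verdict =
    findings.length >= 3 ? "likely-bitb" : findings.length > 0 ? "suspicious" : "clean";
  return { findings, verdict };
}

// Constructed sample lure page (assumption, not a real capture): the iframe
// body is a base64 "<form>" and the address-bar text is assembled in pieces.
const SAMPLE_BITB_PAGE = `
<html><body>
<div id="fakewin" class="win">
  <div class="bar"><span class="lock">&#128274;</span><span id="addr"></span></div>
  <iframe sandbox="allow-forms allow-scripts" src="data:text/html;base64,PGZvcm0+"></iframe>
</div>
<script>
  if (/bot|crawl|headless/i.test(navigator.userAgent)) {
    location.href = "https://support.microsoft.com/office";
  }
  document.getElementById("addr").textContent =
    "https://" + "login.mi" + "crosofto" + "nline.com" + "/";
  console.log = function () {};
  setInterval(function () { debugger; }, 500);
  document.onkeydown = function (e) { if (e.keyCode === 123) return false; };
</script>
</body></html>`;

// Constructed benign page: a real link to the Microsoft login host.
const SAMPLE_BENIGN_PAGE = `
<html><body>
<a href="https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=app">Sign in</a>
<script>console.log("ready");</script>
</body></html>`;

console.log(scanForBitb(SAMPLE_BITB_PAGE));
console.log(scanForBitb(SAMPLE_BENIGN_PAGE));
```

The fragment check runs first on purpose: the lure never contains `login.microsoftonline.com` as a contiguous string, so the spoofed-address-bar check only fires once the concatenated pieces are reassembled. Run it against HTML pulled from a suspicious URL with a sandboxed fetcher; on the constructed lure it reports seven findings and `likely-bitb`, while the benign page, whose only mention of the login host is a real `href`, reports none.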

How this story unfolded
Two events, listed most recent first.
Unit 42 reveals evasion tactics and infrastructure linked to the campaign
Unit 42 disclosed that the attackers use anti-analysis techniques such as blocking debugging, fragmenting strings, and redirecting bots or scanners to legitimate Microsoft content to avoid detection. The researchers also published domains associated with the phishing operation and noted the credential-harvesting component is delivered through a sandboxed iframe.
Unit 42 identifies Browser-in-the-Browser phishing targeting Microsoft 365 users
Palo Alto Networks Unit 42 reported a Browser-in-the-Browser phishing campaign that uses fake Microsoft OAuth login popups embedded in malicious webpages to steal Microsoft 365 credentials. The campaign mimics real browser authentication windows with HTML, CSS, and JavaScript and adapts its appearance to the victim's operating system and browser.
Sources
New Browser-in-the-Browser phishing uses fake login popups to steal Microsoft 365 credentials - Help Net Security
helpnetsecurity.com
New Browser-in-the-Browser Phishing Attack to Steal Microsoft 365 Logins - Cyber Security News
cybersecuritynews.com