Preventing Browser in the Browser Attacks

Hackers just found a way to show you a “perfect” Microsoft or Google login popup with the right logo and a convincing address bar, but the whole thing is fake. It is powered by a phishing kit called Sneaky2FA, which uses a browser‑in‑the‑browser (BitB) trick to steal both your password and your session, even if you use 2FA.

When you click “Sign in with Microsoft” or “Sign in with Google” on a malicious site, the page can draw a fake browser window inside the website using HTML and CSS. It shows what looks like a real URL bar, buttons, and resize behavior, while quietly talking to a backend that captures your login details and cookies as you sign in.
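One way a defender can look for this trick, shown as an added example that is not from the original post or any vendor tool: a real address bar is browser chrome and never appears in the page's own content, so a sign-in provider's hostname printed as visible text next to a password field or iframe, on a page served from some other host, is a useful triage signal. The provider list, function names, and sample HTML below are assumptions made up for illustration, and the check is a heuristic rather than a verdict.

```javascript
// Heuristic BitB indicator check over a page's HTML (added example).
// IDP_HOSTS is an assumed, non-exhaustive list of sign-in hosts to watch for.
const IDP_HOSTS = ["login.microsoftonline.com", "login.live.com", "accounts.google.com"];

// Approximate what the user can read: drop script/style bodies, then all tags.
// Dropping tags also drops href/src attributes, so ordinary links to a provider
// do not count as "a URL drawn on the page".
function visibleText(html) {
  return html
    .replace(/<(script|style)\b[\s\S]*?<\/\1>/gi, " ")
    .replace(/<[^>]*>/g, " ")
    .replace(/\s+/g, " ");
}

// Returns one finding per provider hostname that is displayed as page text
// on a foreign host alongside a credential UI (password input or iframe).
function findBitbIndicators(pageUrl, html) {
  const pageHost = new URL(pageUrl).hostname.toLowerCase();
  const text = visibleText(html).toLowerCase();
  const hasCredentialUi =
    /<input\b[^>]*type\s*=\s*["']?password/i.test(html) || /<iframe\b/i.test(html);
  const findings = [];
  for (const idp of IDP_HOSTS) {
    // The genuine provider may show its own hostname; skip that case.
    if (pageHost === idp || pageHost.endsWith("." + idp)) continue;
    if (hasCredentialUi && text.includes(idp)) {
      findings.push({ pageHost, spoofedHost: idp });
    }
  }
  return findings;
}

// Constructed samples (not captured from any real phishing kit).
const FAKE_POPUP = `
<div class="window">
  <div class="titlebar"><span>https://login.microsoftonline.com/common/oauth2</span></div>
  <iframe src="/signin-frame"></iframe>
</div>`;
const LEGIT_BUTTON =
  `<a href="https://accounts.google.com/o/oauth2/v2/auth">Sign in with Google</a>`;

console.log(findBitbIndicators("https://files-share.example/doc", FAKE_POPUP));
console.log(findBitbIndicators("https://shop.example/", LEGIT_BUTTON));
```

The first call reports the mismatch between the page's host and the displayed Microsoft hostname; the second returns an empty list because the provider URL only appears in a link target, not as text drawn on the page.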

🛡️ Want to go beyond user tips and make sure your team and tools can spot and block sophisticated phishing kits like Sneaky2FA? SkyViewTek can help with training, email security, and sign‑in protections that reduce the chances these attacks ever get in front of your staff. Reach out to Bernie Orglmeister at support@skyviewtek.com or 610‑590‑5006.