How the Attack Works
Security researchers have uncovered a new phishing campaign that targets Microsoft 365 users with a highly convincing fake login window. The attack relies on a technique called Browser-in-the-Browser (BitB), where a malicious webpage renders a simulated browser popup using HTML, CSS, and JavaScript. This fake window mimics the legitimate Microsoft OAuth login screen, complete with a spoofed address bar, a padlock icon, and familiar branding.
What makes this attack particularly deceptive is the level of detail in the forgery. The fake popup is draggable across the screen and can adapt its appearance based on the victim’s operating system and browser type. When users click a “Sign in with Microsoft” button on a compromised site, the fake window appears, making it nearly impossible to distinguish from a real authentication prompt. Users who enter their credentials unknowingly hand over their login information to the attackers.
Impact and Scope
The campaign, identified by Unit 42 researchers, goes beyond simple visual mimicry. Attackers have implemented several evasion techniques to bypass security tools. They block debugging attempts, obscure keywords to avoid content filters, and redirect automated scanning bots away from the malicious pages. This allows the phishing infrastructure to remain undetected by standard detection systems while reaching real human targets.
The ultimate goal is to capture the OAuth consent grant, which gives attackers persistent access to Microsoft 365 environments. The resulting token functions like a session cookie: it enables unauthorized access without requiring the victim's password again. The attack poses a significant threat to organizations relying on Microsoft 365, since a compromised account can lead to data breaches and further lateral movement within networks.
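Because the attackers' end goal is a consent grant rather than a plain password, the defensive signal worth watching is the consent event itself in the Microsoft 365 audit trail. The following is an added example (not code from the article or from Unit 42) that scans audit-log-style JSON lines for consent operations and flags grants to applications outside an allowlist or grants that request persistent or broad scopes. The operation names "Consent to application." and "Add OAuth2PermissionGrant." are real Azure AD audit activity names; the flat `AppDisplayName` and `Scopes` fields are a simplified, assumed layout (real exports nest this information in `ModifiedProperties`), and every record below is constructed.

```python
"""Flag OAuth consent grants in Microsoft 365 audit records.

Added example: the records are constructed and follow a simplified,
assumed field layout (AppDisplayName, Scopes) rather than the exact
unified-audit-log schema.
"""
import json
from dataclasses import dataclass

# Audit operations that record a user or admin consenting to an application.
CONSENT_OPERATIONS = {"Consent to application.", "Add OAuth2PermissionGrant."}

# Microsoft Graph scopes that give durable or broad access; offline_access
# in particular yields a refresh token, which is what makes a grant persist.
HIGH_RISK_SCOPES = {
    "offline_access",
    "Mail.Read",
    "Mail.ReadWrite",
    "Files.ReadWrite.All",
    "Directory.Read.All",
}


@dataclass
class Finding:
    user: str
    app: str
    reasons: list


def parse_records(lines):
    """Parse newline-delimited JSON, skipping blank or malformed lines."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a corrupt line should not abort the whole scan
    return records


def flag_suspicious_consents(records, allowed_apps):
    """Return a Finding for every consent event that is off-allowlist
    or requests a high-risk scope. Non-consent operations are ignored."""
    findings = []
    for rec in records:
        if rec.get("Operation") not in CONSENT_OPERATIONS:
            continue
        app = rec.get("AppDisplayName", "<unknown>")
        scopes = set(rec.get("Scopes", []))
        reasons = []
        if app not in allowed_apps:
            reasons.append("application not on allowlist")
        risky = sorted(scopes & HIGH_RISK_SCOPES)
        if risky:
            reasons.append("high-risk scopes: " + ", ".join(risky))
        if reasons:
            findings.append(Finding(rec.get("UserId", "<unknown>"), app, reasons))
    return findings


# Constructed sample log lines (not real telemetry).
SAMPLE_AUDIT_LINES = [
    json.dumps({"CreationTime": "2024-05-01T09:10:00", "Operation": "UserLoggedIn",
                "UserId": "alice@example.com"}),
    json.dumps({"CreationTime": "2024-05-01T09:12:03", "Operation": "Consent to application.",
                "UserId": "alice@example.com", "AppDisplayName": "Contoso Expense Tool",
                "Scopes": ["User.Read"]}),
    json.dumps({"CreationTime": "2024-05-01T09:14:41", "Operation": "Consent to application.",
                "UserId": "bob@example.com", "AppDisplayName": "Microsoft 365 Sync Helper",
                "Scopes": ["offline_access", "Mail.Read", "User.Read"]}),
    "{this line is deliberately malformed",
    json.dumps({"CreationTime": "2024-05-01T09:20:17", "Operation": "Add OAuth2PermissionGrant.",
                "UserId": "admin@example.com", "AppDisplayName": "Contoso Expense Tool",
                "Scopes": ["Files.ReadWrite.All"]}),
]

# Applications the organization has reviewed and approved (constructed).
ALLOWED_APPS = {"Contoso Expense Tool"}


def run_demo():
    """Scan the constructed sample and return the findings."""
    return flag_suspicious_consents(parse_records(SAMPLE_AUDIT_LINES), ALLOWED_APPS)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.user} consented to '{f.app}': {'; '.join(f.reasons)}")
```

The second finding shows why an allowlist alone is not enough: the app is approved, but a grant of `Files.ReadWrite.All` still deserves review. In a real deployment the same logic would run over an export from the unified audit log or the Entra ID sign-in and audit logs, and restricting user consent in the tenant (so that only admins can grant permissions) removes most of this attack's payoff.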
Source: Cyber Security News
