The Evolution Of Sneaky2FA As A Commercial PhaaS Kit
The phishing threat landscape continues to evolve rapidly, and recent developments highlight how attackers are combining professional cybercrime platforms with realistic visual deception techniques to defeat both user vigilance and technical controls. A notable example is the recent evolution of the Sneaky2FA phishing-as-a-service (PhaaS) toolkit, which now integrates browser-in-the-browser (BitB) capabilities to steal credentials and session tokens more effectively.

This innovation emerges amid broader activity within the phishing ecosystem, including Microsoft's recent disruption of the large RaccoonO365 operation. Together, these developments demonstrate not only the technical sophistication of modern phishing operations but also the growing accessibility of advanced tools to less skilled cybercriminals, who can now deploy convincing attacks with minimal experience.
According to a recently released report by Push Security, Sneaky2FA has operated for some time as a service designed to target Microsoft 365 accounts using attacker-in-the-middle (AiTM) techniques. It works by relaying legitimate authentication sessions between the victim and Microsoft servers, enabling attackers to harvest credentials as well as active session tokens. This approach allows threat actors to take over accounts even when multifactor authentication is enabled.
Recent platform updates show increased sophistication. Researchers have found that attackers now use deceptive BitB pop-ups to mimic legitimate login windows. When users click the "Sign in with Microsoft" button on a lure website, a fake dialog appears. This dialog is actually a carefully styled iframe designed to resemble a separate browser window, including a fabricated address bar that displays a trusted Microsoft domain.
Victims often start on a lure site protected by Cloudflare Turnstile, which blocks automated analysis. After passing Turnstile, users see a login screen with Microsoft branding. The phishing setup relays login requests via a reverse proxy to capture authentication data. BitB pop-ups remove one of the last visual clues available to users, replacing the real address bar with a convincing fake that a casual glance cannot distinguish from the genuine one.
The Sneaky2FA kit also shows considerable effort in avoiding research and detection. The underlying code is heavily obfuscated (deliberately made difficult to understand), with HTML, CSS, and JavaScript broken into fragmented and encoded elements that make static analysis (code review without running the program) difficult. Even user interface labels and on-screen text are broken with invisible tags to interfere with automated signature matching. Assets, such as icons and graphics, are embedded as encoded elements rather than being referenced externally.
In some cases, the malicious content is selectively shown only to suitable victims, with researchers and automated crawlers redirected to benign pages to minimize exposure. This level of operational security (practices to prevent discovery and analysis) demonstrates that Sneaky2FA is outgrowing the typical reputation of phishing kits as unpolished or easily analyzed tools.
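As an added illustration (not code from the Push Security report or from the kit itself), the following Python script shows the defender-side counterpart to the text-splitting trick described above: it renders only the user-visible text of an HTML fragment, dropping hidden subtrees, empty tags, character entities and zero-width characters, so that a plain content signature matches again. The sample fragment, the signature phrases and the class and function names are constructed for this example.

```python
import re
from html.parser import HTMLParser

# Zero-width and soft-hyphen code points used to split visible strings
INVISIBLE = "\u200b\u200c\u200d\u2060\ufeff\u00ad"
VOID_TAGS = {"br", "img", "input", "hr", "meta", "link"}
# Lure phrases a content signature would normally look for (constructed list)
SIGNATURES = ["sign in with microsoft", "stay signed in", "enter password"]

class VisibleTextExtractor(HTMLParser):
    """Keep only text a user would see; script/style bodies and hidden
    subtrees (display:none, visibility:hidden, hidden attribute) are dropped."""

    def __init__(self):
        super().__init__()  # default convert_charrefs=True decodes &#32;, &nbsp;
        self.parts, self.stack, self.hidden_depth = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return  # void element: no end tag, nothing to track
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = (tag in ("script", "style") or "hidden" in a
                  or "display:none" in style or "visibility:hidden" in style)
        self.stack.append(hidden)
        self.hidden_depth += hidden

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.stack and self.stack.pop():
            self.hidden_depth -= 1

    def handle_data(self, data):
        if self.hidden_depth == 0:
            self.parts.append(data)

def normalize_visible_text(fragment: str) -> str:
    """Render the fragment as a user-visible, whitespace-collapsed string."""
    p = VisibleTextExtractor()
    p.feed(fragment)
    p.close()  # flush any text the parser is still buffering
    text = "".join(p.parts).translate({ord(c): None for c in INVISIBLE})
    return re.sub(r"\s+", " ", text).strip().lower()

def match_signatures(fragment: str) -> list:
    """Signatures that hit after normalization (raw matching would miss them)."""
    return [s for s in SIGNATURES if s in normalize_visible_text(fragment)]

# Constructed sample modelled on the described trick: label split by empty and
# hidden tags, character entities and a zero-width space
SAMPLE = ('<button>Si<i></i>gn&#32;<span style="display:none">zq</span>in '
          'w<b></b>ith&nbsp;Micro\u200b<span style="visibility: hidden">x</span>soft</button>')
```

Running match_signatures(SAMPLE) returns the "sign in with microsoft" hit, while the same phrase is absent from the raw markup.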
The most striking element of the kit is that it is not restricted to sophisticated threat actors. Access to Sneaky2FA is sold through platforms such as Telegram, enabling even technically inexperienced cybercriminals to deploy professionally engineered phishing campaigns with realistic interfaces, built-in evasion, and support for session hijacking. The result is the democratization of advanced deception capabilities, which were once limited to high-end red-teaming engagements or experienced APT-level operators.
The Mechanics and Impact of Browser-in-the-Browser Phishing
Browser-in-the-browser attacks were widely publicized in 2022 by security researcher mr.d0x. He demonstrated that CSS and JavaScript can create a fake login window that mimics a real browser dialog. The technique drew attention because it requires no browser exploit or complex method. Instead, it relies on user expectations. Users are accustomed to new windows for authentication, such as those used with SSO or OAuth. BitB attacks copy this workflow, tricking users into entering credentials in an attacker-controlled iframe.
The deceptive window can be visually indistinguishable from a real browser dialog. Attackers replicate the interface of Chrome, generate a persuasive address bar, and match the look and feel of the victim's operating system and preferred browser. This includes variations between platforms, such as Edge or Chrome on Windows and Safari on macOS. The result is a phishing environment that visually passes all the traditional checks that security training encourages users to perform.
If a user attempts to drag the pop-up, nothing in the UI exposes the deception, because it is not an independent window but rather an element within the page. Once credentials are entered, they are relayed to a legitimate Microsoft login endpoint in real time, allowing the attacker to extract both the username and password, along with any session tokens issued during authentication.
The effectiveness of the technique becomes even more serious when paired with AiTM tactics. Instead of merely collecting passwords for reuse at a later time, attackers can immediately establish an authenticated session that bypasses multifactor authentication requirements. This means that traditional preventive mechanisms such as one-time tokens, SMS codes, or authenticator apps lose their protective value once the session has been hijacked.
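The session-hijack risk described above leaves a trace in sign-in telemetry: the session is used from a network other than the one that completed MFA. The following Python example (added here, not code from the report or from Microsoft) flags exactly that pattern over a few constructed records; the event records, the field names and the one-hour window are assumptions for this example, not any vendor's log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified sign-in records (not any vendor's real log schema).
# "mfa": True marks the interactive sign-in that satisfied MFA; later records
# with the same session id are uses of the resulting session cookie/token.
EVENTS = [
    {"ts": "2025-01-10T09:00:05Z", "user": "alice@example.com", "session": "S1",
     "ip": "203.0.113.10", "asn": "AS64500", "mfa": True},
    {"ts": "2025-01-10T09:00:41Z", "user": "alice@example.com", "session": "S1",
     "ip": "198.51.100.7", "asn": "AS64511", "mfa": False},
    {"ts": "2025-01-10T09:30:00Z", "user": "bob@example.com", "session": "S2",
     "ip": "203.0.113.22", "asn": "AS64500", "mfa": True},
    {"ts": "2025-01-10T10:15:00Z", "user": "bob@example.com", "session": "S2",
     "ip": "203.0.113.22", "asn": "AS64500", "mfa": False},
]
REPLAY_WINDOW = timedelta(hours=1)  # assumed: network change this soon after MFA is suspicious


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_session_replays(events):
    """One finding per session whose token is later used from a different
    network (ASN) than the one that completed MFA, inside REPLAY_WINDOW."""
    by_session = defaultdict(list)
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        by_session[ev["session"]].append(ev)
    findings = []
    for session, evs in by_session.items():
        auth = next((e for e in evs if e["mfa"]), None)
        if auth is None:
            continue  # no interactive MFA sign-in observed for this session
        auth_time = parse_ts(auth["ts"])
        for ev in evs:
            if ev["mfa"] or ev["asn"] == auth["asn"]:
                continue
            delta = parse_ts(ev["ts"]) - auth_time
            if timedelta(0) <= delta <= REPLAY_WINDOW:
                findings.append({"user": ev["user"], "session": session,
                                 "auth_ip": auth["ip"], "reuse_ip": ev["ip"],
                                 "seconds_after_mfa": int(delta.total_seconds())})
                break  # one finding per session is enough to trigger review
    return findings


if __name__ == "__main__":
    for finding in find_session_replays(EVENTS):
        print(finding)
```

On the sample data only alice's session S1 is reported (token reused from another ASN 36 seconds after MFA); bob's session stays on the same network and is not flagged.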
The inclusion of this methodology within Sneaky2FA marks a significant milestone, as BitB attacks have transitioned from interesting proof-of-concept demonstrations to widespread real-world threat activity. The success of this transition reflects both attacker agility and the weaknesses of traditional user-facing security controls that rely on visual inspection or domain recognition.
These developments with Sneaky2FA unfold against the backdrop of broader shifts in the phishing ecosystem. In partnership with Cloudflare, Microsoft recently disrupted a major operation known as RaccoonO365, also referred to as Storm-2246. This PhaaS platform provided turnkey phishing services to cybercriminals worldwide and had allegedly stolen at least 5,000 Microsoft 365 credentials across 94 countries.
The service operated on a subscription basis, with tiered plans priced between several hundred and several thousand dollars, payable in cryptocurrency. Subscribers were provided not only with phishing kits and hosting infrastructure but also with automated attack chains, CAPTCHA protection, and logic to block security researchers and automated scanners.
The scale of the takedown was significant. Microsoft obtained a court order from the U.S. District Court for the Southern District of New York that enabled the seizure of 338 domains associated with the operation. Investigators also publicly identified an alleged operator, Joshua Ogundipe, who is believed to have managed the service while concealing his identity and generating substantial revenue from subscriptions.
In conclusion, the integration of browser-in-the-browser capabilities into the Sneaky2FA PhaaS platform shows that phishing operations are shifting into a new phase. Attackers can now deploy highly realistic and evasive login windows that are nearly indistinguishable from genuine browser dialogs. When combined with attacker-in-the-middle techniques, these attacks undermine credential-based authentication and render many defensive controls less effective.
Notably, Microsoft's disruption of the RaccoonO365 platform demonstrates that defenders are not passive in this new landscape, and that large-scale actions can meaningfully disrupt criminal infrastructure.
Karolis Liucveikis
Experienced software engineer, passionate about behavioral analysis of malicious apps
Author and general operator of PCrisk's News and Removal Guides section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over 8 years working in this branch. He attended Kaunas University of Technology and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications.
PCrisk security portal is brought by a company RCS LT.
Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.
Our malware removal guides are free. However, if you want to support us you can send us a donation.