Sneaky 2FA BitB phishing activity

Malware Activity
First reported
Last updated
Happening score
H score 15
2 unique sources, 2 articles

Summary

The Sneaky 2FA phishing kit has added Browser-in-the-Browser (BitB) pop-ups, making credential theft and Microsoft account takeover easier at scale. Attack chains can start from suspicious URLs such as previewdoc[.]us, where users first face Cloudflare Turnstile checks before being sent to a fake sign-in flow. The fake browser window can show a legitimate-looking Microsoft URL while the victim enters credentials into a phishing page. The same flow can also steal session details, enabling full account takeover.

Related Happenings

CypherLoc phishing-led browser scareware campaign

Campaign
First: 20.05.2026 13:00 Last: 20.05.2026 13:00 Sources 1

About this happening: The **CypherLoc** operation has driven **around 2.8 million attacks** since the start of **2026**, using **phishing emails** to send users to malicious pages that lock browsers an...

EvilTokens Microsoft 365 consent phishing campaign

Campaign
First: 19.05.2026 14:30 Last: 19.05.2026 14:30 Sources 1

About this happening: The **EvilTokens** campaign rapidly compromised **more than 340 Microsoft 365 organizations** across **five countries**, showing how **OAuth grant abuse** can bypass **MFA** and c...

W3LL Microsoft 365 adversary-in-the-middle phishing campaign

Campaign
First: 13.04.2026 21:55 Last: 13.04.2026 21:55 Sources 1

About this happening: The **W3LL** phishing operation turned into a high-volume **Microsoft 365** credential-theft campaign, exposing **more than 17,000 victims worldwide** to **BEC** risk. The kit use...

OAuth device-code phishing campaign targeting SaaS accounts

Campaign
First: 04.04.2026 17:17 Last: 04.04.2026 17:17 Sources 1

About this happening: A **device code phishing** campaign now includes **EvilTokens**, a **phishing-as-a-service** kit sold on **Telegram** that uses the **OAuth 2.0 device authorization flow** to hija...

EvilTokens phishing-as-a-service operation expands device code phishing and BEC

Threat Actor Meta
First: 01.04.2026 22:42 Last: 01.04.2026 22:42 Sources 1

About this happening: **EvilTokens** has been commercialized on **Telegram** as a continuously developed phishing-as-a-service kit, expanding **device code phishing** and **BEC** capabilities at scale....

Timeline

  1. 18.11.2025 20:31 2 articles · 6mo ago

    Sneaky 2FA adds BitB phishing pop-ups

    Initial Disclosure

    Researchers observed the Sneaky 2FA Phishing-as-a-Service kit using Browser-in-the-Browser (BitB) pop-ups to imitate Microsoft sign-in prompts, including a flow that sent users from previewdoc[.]us through Cloudflare Turnstile checks before loading a fake Microsoft login page. The phishing page could exfiltrate entered credentials and session details, while the operators also used obfuscation, disabled browser developer tools, conditional loading, and fast domain rotation to reduce analysis and detection.
