Sneaky2FA ecosystem shift changes threat-actor operations
Threat Actor Meta
Summary
Hide ▲
Show ▼
Sneaky2FA has added browser-in-the-browser (BitB) lures to its phishing service, increasing its ability to steal Microsoft credentials and active sessions. The new fake Microsoft pop-up makes the existing attacker-in-the-middle (AitM) theft flow more convincing for Microsoft 365 users. The upgrade is paired with conditional loading and obfuscation, which can make the service harder to detect and block.
Related Happenings
O-UNC-066 / Pink Microsoft Entra passkey vishing campaign
Campaign
H score37
First: 08.07.2026 19:47
Last: 08.07.2026 19:47
Sources 1
About this happening:
The **O-UNC-066 / Pink** operation is using **voice-based phishing** to push **Microsoft 365** users into enrolling attacker-controlled **Entra passkeys**, creating a direct path...
O-UNC-066 / Pink Microsoft Entra passkey vishing campaign
CampaignAbout this happening: The **O-UNC-066 / Pink** operation is using **voice-based phishing** to push **Microsoft 365** users into enrolling attacker-controlled **Entra passkeys**, creating a direct path...
Bluekit adopts rrweb-based BitM session streaming for login theft
Technical Analysis
H score34
First: 25.06.2026 18:00
Last: 25.06.2026 18:00
Sources 1
About this happening:
**Bluekit** has added **browser-in-the-middle (BitM)** login theft to its phishing stack, increasing the risk of **session-token theft** and **account takeover**. The mechanism us...
Bluekit adopts rrweb-based BitM session streaming for login theft
Technical AnalysisAbout this happening: **Bluekit** has added **browser-in-the-middle (BitM)** login theft to its phishing stack, increasing the risk of **session-token theft** and **account takeover**. The mechanism us...
Enterprise browser phishing detection gaps leave one in five attacks undetected
Trend
H score29
First: 10.06.2026 18:30
Last: 10.06.2026 18:30
Sources 1
About this happening:
Browser-based phishing is leaving **enterprise users** exposed, with **one in five** attacks going completely undetected across **millions of active browser sessions** from **Janu...
Enterprise browser phishing detection gaps leave one in five attacks undetected
TrendAbout this happening: Browser-based phishing is leaving **enterprise users** exposed, with **one in five** attacks going completely undetected across **millions of active browser sessions** from **Janu...
Securing the browser session layer to reduce enterprise browser-based phishing and session-layer abuse
Defensive Guidance
H score14
First: 10.06.2026 18:30
Last: 10.06.2026 18:30
Sources 1
About this happening:
**Enterprise browser-session hardening** is being emphasized to reduce **browser-based phishing** and **session-layer abuse** across enterprise environments. The guidance targets...
Securing the browser session layer to reduce enterprise browser-based phishing and session-layer abuse
Defensive GuidanceAbout this happening: **Enterprise browser-session hardening** is being emphasized to reduce **browser-based phishing** and **session-layer abuse** across enterprise environments. The guidance targets...
ChatGPT and Claude phishing and malvertising campaign
Campaign
H score36
First: 01.06.2026 12:30
Last: 01.06.2026 12:30
Sources 1
About this happening:
The **ChatGPT**- and **Claude**-themed **phishing and malvertising campaign** is actively steering users to fake download pages that can deliver malware. Attackers are using **Goo...
ChatGPT and Claude phishing and malvertising campaign
CampaignAbout this happening: The **ChatGPT**- and **Claude**-themed **phishing and malvertising campaign** is actively steering users to fake download pages that can deliver malware. Attackers are using **Goo...
Timeline
-
19.11.2025 23:59 2 articles · 7mo ago
Sneaky2FA adds BitB Microsoft login lures
Initial DisclosureSneaky2FA added browser-in-the-browser (BitB) pop-ups that mimic a legitimate Microsoft login window and are used with its existing attacker-in-the-middle (AitM) flow to steal Microsoft credentials and active session tokens from Microsoft 365 accounts. The phishing pages also use conditional loading and heavily obfuscated HTML/JavaScript to reduce detection, while victims are steered through previewdoc[.]com and a Cloudflare Turnstile check before the fake Microsoft sign-in appears.
Show sources
- Sneaky2FA PhaaS kit now uses redteamers' Browser-in-the-Browser attack — www.bleepingcomputer.com — 19.11.2025 23:59
- Sneaky2FA PhaaS kit now uses redteamers' Browser-in-the-Browser attack — www.bleepingcomputer.com — 19.11.2025 23:59