Find notable cyber news and cases, enriched with sources, timelines, and signals.

Sneaky2FA ecosystem shift changes threat-actor operations

Threat Actor Meta
First reported
Last updated
Happening score
H score 37
1 unique sources, 1 articles

Summary

Hide ▲

Sneaky2FA has added browser-in-the-browser (BitB) lures to its phishing service, increasing its ability to steal Microsoft credentials and active sessions. The new fake Microsoft pop-up makes the existing attacker-in-the-middle (AitM) theft flow more convincing for Microsoft 365 users. The upgrade is paired with conditional loading and obfuscation, which can make the service harder to detect and block.

Related Happenings

O-UNC-066 / Pink Microsoft Entra passkey vishing campaign

Campaign
H score37 First: 08.07.2026 19:47 Last: 08.07.2026 19:47 Sources 1

About this happening: The **O-UNC-066 / Pink** operation is using **voice-based phishing** to push **Microsoft 365** users into enrolling attacker-controlled **Entra passkeys**, creating a direct path...

Bluekit adopts rrweb-based BitM session streaming for login theft

Technical Analysis
H score34 First: 25.06.2026 18:00 Last: 25.06.2026 18:00 Sources 1

About this happening: **Bluekit** has added **browser-in-the-middle (BitM)** login theft to its phishing stack, increasing the risk of **session-token theft** and **account takeover**. The mechanism us...

Enterprise browser phishing detection gaps leave one in five attacks undetected

Trend
H score29 First: 10.06.2026 18:30 Last: 10.06.2026 18:30 Sources 1

About this happening: Browser-based phishing is leaving **enterprise users** exposed, with **one in five** attacks going completely undetected across **millions of active browser sessions** from **Janu...

Securing the browser session layer to reduce enterprise browser-based phishing and session-layer abuse

Defensive Guidance
H score14 First: 10.06.2026 18:30 Last: 10.06.2026 18:30 Sources 1

About this happening: **Enterprise browser-session hardening** is being emphasized to reduce **browser-based phishing** and **session-layer abuse** across enterprise environments. The guidance targets...

ChatGPT and Claude phishing and malvertising campaign

Campaign
H score36 First: 01.06.2026 12:30 Last: 01.06.2026 12:30 Sources 1

About this happening: The **ChatGPT**- and **Claude**-themed **phishing and malvertising campaign** is actively steering users to fake download pages that can deliver malware. Attackers are using **Goo...

Timeline

  1. 19.11.2025 23:59 2 articles · 7mo ago

    Sneaky2FA adds BitB Microsoft login lures

    Initial Disclosure

    Sneaky2FA added browser-in-the-browser (BitB) pop-ups that mimic a legitimate Microsoft login window and are used with its existing attacker-in-the-middle (AitM) flow to steal Microsoft credentials and active session tokens from Microsoft 365 accounts. The phishing pages also use conditional loading and heavily obfuscated HTML/JavaScript to reduce detection, while victims are steered through previewdoc[.]com and a Cloudflare Turnstile check before the fake Microsoft sign-in appears.

    Show sources