The Sneaky2FA phishing kit has emerged as one of the most capable and frequently deployed phishing-as-a-service (PhaaS) platforms targeting Microsoft 365 accounts in 2025. Built for criminals who want turnkey credential theft and MFA bypass, Sneaky2FA continues to evolve through new deception layers, session hijacking techniques, and browser evasion strategies. A recent report from Push Security shows that the kit now integrates Browser-in-the-Browser (BitB) functionality, a technique previously associated with red team toolkits and now adopted by mainstream criminal operators. This deception layer places Sneaky2FA among the most polished PhaaS platforms, enabling threat actors to steal both credentials and authenticated sessions even when two-factor authentication is enabled.
Sneaky2FA operates as a commercialized criminal service. Attackers rent access to the kit’s obfuscated source code, which includes modular reverse-proxy phishing infrastructure, bot filtering, anti-analysis protections, and automated session capture. The kit is widely used alongside other major PhaaS platforms such as Tycoon2FA, Mamba2FA, and Flowerstorm. What sets Sneaky2FA apart is its focus on reliability, realism, and stealth: it defeats conventional protections through deceptive interface design, dynamic environment detection, and live request relaying that forwards the user’s legitimate authentication attempt through attacker-controlled servers.
Sneaky2FA Integrates Browser in the Browser Techniques
One of the most significant developments in the new analysis is Sneaky2FA’s integration of Browser-in-the-Browser capabilities. BitB was published in 2022 by the researcher mr.d0x and replicates the appearance of an in-browser login pop-up window using ordinary HTML and CSS rendered inside the page. Combined with attacker-in-the-middle (AitM) interception, the technique hides the suspicious URL and makes the phishing page look far more trustworthy: a user presented with a familiar "Sign in with Microsoft" window tends to assume it is a legitimate authentication pop-up. The fake window has a realistic frame, a convincing URL bar, and a title bar styled to match the visitor’s operating system and browser.
Push Security observed Sneaky2FA displaying a fake Microsoft login pop-up that adapts to the victim’s device profile: on Windows the embedded window renders as a Microsoft Edge pop-up, while macOS victims receive a Safari-styled window. This adaptation increases the likelihood that the user trusts the prompt and enters credentials. Behind the interface, the kit proxies all traffic to the legitimate Microsoft login endpoint and captures the resulting tokens, which the attacker then uses to authenticate to the victim’s Microsoft 365 account.
How Sneaky2FA Carries Out Its Attack
Sneaky2FA phishing pages start with a lure, often a document preview or secure file access notice. Victims land on compromised or newly registered domains posing as business service platforms; one recent campaign used previewdoc[.]us. Visitors must first pass a Cloudflare Turnstile bot challenge, so human users continue while automated scanners and security bots are stopped at this stage.
After passing the challenge, the victim sees a page styled as Adobe Acrobat Reader or a generic document viewer that instructs them to sign in with Microsoft to view the file. Clicking the button opens the Browser-in-the-Browser window with a convincing Microsoft login prompt. The iframe inside the fake pop-up loads Sneaky2FA’s reverse-proxy copy of the Microsoft login page, which relays the authentication in real time and captures the password along with the session token issued after MFA verification.
The attacker therefore receives not only the credentials but a fully authenticated session token, which enables immediate account takeover without triggering further MFA prompts. By combining the BitB deception layer with attacker-in-the-middle relaying, Sneaky2FA avoids the usual indicators of a phishing site and presents a flow nearly indistinguishable from a legitimate Microsoft login.
Evasion Techniques Used by Sneaky2FA
Sneaky2FA includes several evasion controls designed to get past email filters, proxy scanners, browser security tools, and automated analysis systems. One of its main features is conditional loading. This mechanism inspects connection metadata including IP reputation, geolocation, user agent, and device characteristics; if the visitor matches a known security vendor or threat research address, the kit serves a benign WikiBooks page instead of the phishing site. This frustrates automated detection and reduces the likelihood of an early takedown.
Another technique is aggressive code obfuscation. Sneaky2FA pages use heavily obfuscated JavaScript, base64-encoded inline images, invisible character padding (such as zero-width spaces) inside UI labels, and fragmented HTML intended to stop signature-based scanners from recognizing malicious components. Because brand strings and interface elements are broken up in the source, a scanner that matches on the raw page never sees the phrase it is looking for, even though the rendered page reads normally.
Domain rotation and URL masking are also core elements. Each campaign uses long randomized URL paths, frequently over 150 characters, and these unique paths make blocklist-based filtering ineffective. Domains may appear dormant or serve harmless content until the moment a campaign launches, and once a phishing page has been used the domain is typically abandoned and replaced. This burn-and-replace approach limits the value of domain reputation scoring.
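As an added example (not code from Sneaky2FA, Push Security, or this site), the following Python shows why signature scanning fails against padded labels and how a scanner can normalize the visible text before matching, together with a length and entropy check for the long randomized paths described above. The sample HTML, the brand patterns, the thresholds and the URLs are constructed for illustration.

```python
"""Static triage of a captured lure page: de-obfuscate padded UI labels and
score randomized URL paths. Added example, not Sneaky2FA or Push Security
code; the HTML, patterns, thresholds and URLs below are constructed."""
import base64
import hashlib
import math
import re
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Lure phrases to look for in visible text (illustrative, not a vendor list).
BRAND_PATTERNS = [
    re.compile(r"sign in (to|with) (your )?microsoft", re.I),
    re.compile(r"microsoft account", re.I),
    re.compile(r"adobe acrobat", re.I),
]


def normalize(text):
    """NFKC-normalize, drop format characters (zero-width space/joiner, BOM,
    soft hyphen: Unicode category Cf) and collapse whitespace."""
    text = unicodedata.normalize("NFKC", text)
    text = "".join(ch for ch in text if unicodedata.category(ch) != "Cf")
    return re.sub(r"\s+", " ", text).strip()


class _VisibleText(HTMLParser):
    """Collect text nodes, ignoring <script> and <style> bodies."""
    def __init__(self):
        super().__init__()
        self.parts, self._skip = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


def visible_text(html):
    p = _VisibleText()
    p.feed(html)
    return normalize(" ".join(p.parts))


def naive_hits(html):
    """What a regex scan over raw page source finds: the padding defeats it."""
    return [pat.pattern for pat in BRAND_PATTERNS if pat.search(html)]


def brand_hits(html):
    """Same patterns after extracting and normalizing the visible text."""
    text = visible_text(html)
    return [pat.pattern for pat in BRAND_PATTERNS if pat.search(text)]


def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s))) if n else 0.0


def path_score(url, min_len=150, min_entropy=4.0):
    """Flag long, high-entropy paths of the kind rotated per campaign."""
    path = urlsplit(url).path
    ent = shannon_entropy(path)
    return {"length": len(path), "entropy": round(ent, 2),
            "suspicious": len(path) >= min_len and ent >= min_entropy}


# Constructed sample: labels padded with zero-width characters, one written
# as a numeric character reference as it would appear in page source.
SAMPLE_HTML = (
    "<html><body><h1>Ado\u200bbe Acro\u200cbat Rea\u200dder</h1>"
    "<button>S&#8203;ign i\u2060n wi\ufeffth Mi\u200bcro\u200bsoft</button>"
    "<script>var t = document.title;</script></body></html>"
)
# Constructed randomized path built from hash output, standing in for a
# campaign-specific path; a real one would come from the captured URL.
SAMPLE_LURE_URL = "https://lure.example/" + "".join(
    base64.urlsafe_b64encode(hashlib.sha512(b"campaign-%d" % i).digest()).decode().rstrip("=")
    for i in range(2))
LEGIT_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"

if __name__ == "__main__":
    print("raw scan:", naive_hits(SAMPLE_HTML))
    print("normalized scan:", brand_hits(SAMPLE_HTML))
    print("lure path:", path_score(SAMPLE_LURE_URL))
    print("legit path:", path_score(LEGIT_URL))
```

Run it and the raw regex scan returns nothing while the normalized scan finds both lure phrases; the 150-character and 4-bit thresholds are starting points to tune against your own URL telemetry, since some legitimate download and SSO links also carry long tokens.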
Why Browser in the Browser Matters
Browser-in-the-Browser matters because it blurs the line between legitimate interface interactions and phishing deception. Standard web phishing relies on the user noticing an unusual URL or suspicious layout; BitB removes many of those signals. Users are accustomed to pop-up login windows: OAuth-based services, Microsoft logins, Google authentication, and Facebook integration all use them routinely, and BitB replicates the experience with high accuracy. Because the fake window is only page content, it cannot be dragged outside the parent browser window and it does not appear as a separate window in the taskbar or window switcher. Trying to drag the pop-up past the browser’s edge is therefore a quick check, but these are subtle signs that most users never look for, and PhaaS developers integrate BitB precisely because of that.
Sneaky2FA adds a further twist by pairing BitB with active reverse proxying. The original BitB demonstration only recreated the visual appearance of a login window; Sneaky2FA’s version uses the fake pop-up to load a fully functional reverse-proxy page that relays authentication attempts in real time. The combination produces the illusion of a real Microsoft login while enabling live capture of the MFA-backed session.
Bot Protection and Anti Analysis Controls
The threat actors behind Sneaky2FA understand that a modern phishing campaign must withstand scrutiny from automated scanners, enterprise security appliances, and threat intelligence crawlers, so the kit layers several anti-analysis controls.
Bot protection through CAPTCHA and Cloudflare Turnstile keeps the phishing page from being retrieved by automated tooling. Most scanners cannot complete these challenges and therefore never load the actual phishing content.
Conditional loading filters out unwanted visitors. Based on IP classification or missing expected parameters, the kit redirects analysts to legitimate websites or educational content instead of the malicious page. This prevents easy replication of the attack chain and prolongs the lifespan of campaigns.
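Conditional loading can be turned against the operator: a URL scanner requests the same page from more than one vantage point and compares the responses, since a host that serves encyclopedia content to a cloud IP with a scripted user agent but a password form to a browser-like visitor is cloaking. The following Python is an added example, not Sneaky2FA code or any vendor’s scanner; the fetch(url, profile) interface, the two profiles and the stub host that imitates the gating logic described above are constructed assumptions, and the IP addresses come from RFC 5737 documentation ranges.

```python
"""Differential fetching to expose conditional loading (cloaking).
Added example; not Sneaky2FA code or a scanner product. The same URL is
requested from several vantage points and the responses are compared. The
fetch(url, profile) callable, the profiles and the stub host below are
constructed assumptions; IPs are from RFC 5737 documentation ranges."""
import hashlib
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Profile:
    name: str
    user_agent: str
    client_ip: str


# Vantage points: a scanner-looking request and one shaped like a victim's.
PROFILES = [
    Profile("scanner", "python-requests/2.31.0", "192.0.2.10"),
    Profile("victim",
            "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
            "(KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36 Edg/130.0.0.0",
            "203.0.113.25"),
]


def fingerprint(body: str) -> str:
    """Hash the body with long hex tokens and whitespace masked, so per-request
    nonces or CSRF tokens do not register as cloaking."""
    canon = re.sub(r"\b[0-9a-f]{16,}\b", "<hex>", body.lower())
    return hashlib.sha256(re.sub(r"\s+", " ", canon).encode()).hexdigest()[:16]


def has_credential_form(body: str) -> bool:
    return re.search(r"<input[^>]+type=['\"]?password", body, re.I) is not None


def title_of(body: str) -> str:
    m = re.search(r"<title>(.*?)</title>", body, re.I | re.S)
    return m.group(1).strip() if m else ""


def detect_cloaking(url: str, fetch: Callable[[str, Profile], Tuple[int, str]],
                    profiles: List[Profile] = PROFILES) -> Dict:
    """Fetch `url` once per profile and report whether the content diverges."""
    per_profile = {}
    for p in profiles:
        status, body = fetch(url, p)
        per_profile[p.name] = {"status": status, "fingerprint": fingerprint(body),
                               "title": title_of(body),
                               "credential_form": has_credential_form(body)}
    fingerprints = {r["fingerprint"] for r in per_profile.values()}
    forms = {r["credential_form"] for r in per_profile.values()}
    return {"cloaked": len(fingerprints) > 1,
            # Strongest signal: a login form shown only to some visitors.
            "form_only_for_some": len(forms) > 1,
            "per_profile": per_profile}


# --- Constructed stub standing in for a cloaked lure host -------------------
BENIGN_PAGE = ("<html><head><title>Wikibooks, open books for an open world</title>"
               "</head><body><p>Welcome to Wikibooks</p></body></html>")
LURE_PAGE = ("<html><head><title>Adobe Acrobat</title></head><body>"
             "<form action='/auth/6f1c9d2e8a7b4c3d5e6f'>"
             "<input type='password' name='passwd'></form></body></html>")
SCRIPTED_UA = re.compile(r"python|curl|wget|bot|spider|headless", re.I)
DATACENTER_PREFIX = "192.0.2."  # stand-in for an IP reputation lookup


def cloaking_host(url: str, profile: Profile) -> Tuple[int, str]:
    """Benign page for anything that looks automated or comes from a
    'datacenter' address, the lure for everyone else (constructed gate,
    modelled on the conditional loading described above)."""
    if SCRIPTED_UA.search(profile.user_agent) or profile.client_ip.startswith(DATACENTER_PREFIX):
        return 200, BENIGN_PAGE
    return 200, LURE_PAGE


def honest_host(url: str, profile: Profile) -> Tuple[int, str]:
    """Control: identical content for every visitor."""
    return 200, BENIGN_PAGE


if __name__ == "__main__":
    print(detect_cloaking("https://lure.example/view", cloaking_host))
    print(detect_cloaking("https://docs.example/help", honest_host))
```

In a real scanner fetch would be an HTTP client routed through residential and datacenter egress points with full browser headers, and the Turnstile step would still have to be solved or bypassed in a real browser session. The form_only_for_some signal is the one to act on, because plenty of benign sites also vary content by user agent and would trip the plain fingerprint comparison.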
Developer tools detection is also built in. Sneaky2FA monitors for browser inspection features and attempts to disable or disrupt developer tool interfaces. This makes it harder for researchers to examine code or identify malicious behavior.
These techniques elevate Sneaky2FA above the majority of commodity phishing kits. The kit’s sophistication matches many private red team tools and illustrates how professionalized the PhaaS market has become.
Domain Strategy and Infrastructure
Sneaky2FA campaigns rely on domain rotation, URL masking, and short lived infrastructure hosted on compromised servers or inexpensive VPS platforms. Attackers frequently use old domains with clean reputation histories or hijack previously legitimate websites to minimize suspicion. The phishing kit expects operators to deploy the script on new domains quickly, run short campaigns, and rotate infrastructure before takedown operations occur.
The kit’s obfuscated source code is sold through a Telegram-based licensing system. Each criminal client receives a unique build that hides sensitive internal identifiers, preventing attribution to a specific operator, and the distribution through Telegram further complicates tracking and enforcement.
Are Attackers Moving Toward Browser in the Browser?
Evidence suggests that Sneaky2FA’s adoption of Browser-in-the-Browser is part of a larger trend: other PhaaS kits such as Raccoon0365 and Storm 2246 have promoted BitB capabilities in recent updates. Criminal operators recognize that enterprise users are growing more suspicious of traditional phishing pages while being familiar with OAuth-style pop-up windows, so BitB offers a reliable way to make phishing pages look trustworthy while keeping full attacker-in-the-middle functionality.
With the widespread popularity of Microsoft 365 across enterprise environments, attackers continue to innovate in methods that bypass MFA and defeat identity verification. Sneaky2FA’s combination of deception, evasion, and session hijacking represents the current state of the art for criminal phishing operations.
How Organizations Can Protect Themselves
Defending against Sneaky2FA means strengthening identity verification, reducing reliance on pop-up-based authentication prompts, and monitoring for attacker-in-the-middle patterns. Organizations should:
- Adopt phishing-resistant authentication such as FIDO2 security keys or passkeys; the credential is bound to the real login origin, so a sign-in relayed through the kit’s proxy cannot complete
- Disable pop-up-based OAuth login flows where possible
- Educate users on identifying Browser-in-the-Browser attacks, including the drag-outside-the-window check
- Monitor for impossible travel, session tokens reused from new IP addresses, and MFA-satisfied sign-ins originating from hosting providers
- Restrict legacy authentication methods
- Use email filtering that analyzes embedded iframes and dynamic scripts
- Deploy browser isolation that prevents unauthorized JavaScript execution
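To make the monitoring bullet above and the session theft described under "How Sneaky2FA Carries Out Its Attack" concrete, the following Python hunts for three AitM patterns in sign-in data: an MFA-satisfied interactive sign-in that arrives from a hosting provider (the relay’s address, not the victim’s), a session id later seen from a second IP, and impossible travel between consecutive sign-ins. It is an added example, not from Push Security’s report or any vendor product; the records are constructed in the shape of Entra ID sign-in events reduced to the fields used, and the users, IPs, ASN labels, session ids and coordinates are made up.

```python
"""Hunting for attacker-in-the-middle session theft in sign-in data.
Added example; not from Push Security's report or any vendor's detections.
Records are constructed in the shape of Entra ID sign-in events reduced to
the fields used here; users, IPs (RFC 5737 ranges), ASN labels, session ids
and coordinates are made up."""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample: alice signs in from the office; the kit's relay then
# completes an MFA sign-in from a VPS, and that session is replayed from a
# second VPS address minutes later. bob is a normal commuter.
SIGNINS = [
    {"user": "alice@example.com", "time": "2025-11-20T09:02:11Z", "ip": "198.51.100.7",
     "asn_type": "business", "lat": 40.71, "lon": -74.01, "session_id": "sess-A1",
     "interactive": True, "mfa": True},
    {"user": "alice@example.com", "time": "2025-11-20T09:41:30Z", "ip": "203.0.113.45",
     "asn_type": "hosting", "lat": 52.37, "lon": 4.90, "session_id": "sess-A2",
     "interactive": True, "mfa": True},
    {"user": "alice@example.com", "time": "2025-11-20T09:47:05Z", "ip": "203.0.113.99",
     "asn_type": "hosting", "lat": 52.37, "lon": 4.90, "session_id": "sess-A2",
     "interactive": False, "mfa": False},
    {"user": "bob@example.com", "time": "2025-11-20T09:10:00Z", "ip": "198.51.100.7",
     "asn_type": "business", "lat": 40.71, "lon": -74.01, "session_id": "sess-B1",
     "interactive": True, "mfa": True},
    {"user": "bob@example.com", "time": "2025-11-20T11:10:00Z", "ip": "198.51.100.200",
     "asn_type": "business", "lat": 42.36, "lon": -71.06, "session_id": "sess-B2",
     "interactive": True, "mfa": True},
]


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def mfa_from_hosting(events):
    """Interactive sign-ins that satisfied MFA from a hosting ASN: with a
    reverse proxy the identity provider sees the relay's address, not the victim's."""
    return [{"rule": "mfa_from_hosting", "user": e["user"], "ip": e["ip"], "time": e["time"]}
            for e in events if e["interactive"] and e["mfa"] and e["asn_type"] == "hosting"]


def session_reuse(events):
    """The same session id observed from more than one source address."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session_id"]].append(e)
    findings = []
    for sid, evs in by_session.items():
        ips = sorted({e["ip"] for e in evs})
        if len(ips) > 1:
            findings.append({"rule": "session_reuse", "user": evs[0]["user"],
                             "session_id": sid, "ips": ips})
    return findings


def impossible_travel(events, max_kmh=900.0):
    """Consecutive sign-ins per user whose implied speed exceeds an airliner's."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: parse_time(e["time"]))
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (parse_time(cur["time"]) - parse_time(prev["time"])).total_seconds() / 3600
            speed = km / max(hours, 1 / 3600)  # same-second events: treat as one second
            if speed > max_kmh:
                findings.append({"rule": "impossible_travel", "user": user,
                                 "from_ip": prev["ip"], "to_ip": cur["ip"],
                                 "km": round(km), "kmh": round(speed)})
    return findings


def hunt(events):
    """All findings, in rule order; each is a dict with at least rule and user."""
    return mfa_from_hosting(events) + session_reuse(events) + impossible_travel(events)


if __name__ == "__main__":
    for finding in hunt(SIGNINS):
        print(finding)
```

Entra ID sign-in logs carry the location coordinates, the session identifier and the interactive/non-interactive distinction used here; the ASN classification needs an enrichment source in your pipeline. The 900 km/h bound is a conventional airliner ceiling and will need tuning where users hop between VPN egress points, but the hosting-ASN rule is the one most specific to a reverse-proxy kit, because the relay’s address is what the identity provider records for the MFA-completed sign-in.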
If compromise is suspected, revoke the user’s active sessions and refresh tokens and reset the password first: a stolen session token keeps working until it is revoked or expires, regardless of whether the victim notices the phish. Scanning the device with reputable anti-malware tools such as Malwarebytes remains sensible, but the chain described here runs entirely in the browser and steals credentials and tokens rather than dropping files, so a clean scan does not mean the account is safe.
The rise of Sneaky2FA demonstrates how phishing-as-a-service platforms continue to mature. With techniques that blend social engineering, reverse-proxy credential theft, and realistic interface deception, attackers are well positioned to target Microsoft 365 environments at scale. Continued investment in authentication security, monitoring controls, and user awareness is essential to keeping pace with these threats.
For more coverage of phishing toolkits, threat actor activity, and evolving identity based attacks, explore the Botcrawl Data Breaches section and our Cybersecurity archive.