Palo Alto Networks Unit 42 has described a Browser‑in‑the‑Browser phishing campaign that targets Microsoft 365 users by serving fake sign‑in popups that closely mimic legitimate browser authentication windows.
Victims who click a Microsoft sign‑in button on the malicious page see what looks like a normal OAuth prompt: a spoofed Microsoft OAuth URL, a login form and an address bar constructed to pass casual inspection. Unit 42 writes, "The spoofed URL in the address bar is carefully constructed to look like a real OAuth flow," and the popup can be dragged around the screen with back, refresh, minimize and close buttons so it behaves like a native browser window.
The deception is deliberate. The phishing page detects the victim’s operating system and browser and reshapes the popup to match Windows, macOS or Linux and Chrome, Firefox, Edge or Safari. Credential harvesting runs inside a sandboxed iframe so the malicious form appears and functions inside the page while keeping the attack code separated from the parent site.
Engineers behind the campaign have added evasions that make automated spotting harder: the attack overrides browser console functions, breaks up visible text strings to defeat simple keyword scanners, and redirects suspected bots and automated scanners to a legitimate Microsoft Office help page instead of the phishing content.
Those techniques matter because they blur the normal cues users and automation rely on. A popup that looks and behaves like a real browser window — with a plausible address bar and working window controls — reduces the obvious visual signals that a login screen is fake, and the code-level tricks push detection into a manual, forensic exercise.
Unit 42 published a list of domains associated with the campaign so defenders can hunt for related traffic and block known infrastructure. The report does not include a count of victims or disclose which organizations, if any, were compromised, leaving the scale and impact of the operation unclear.
The timing underlines the risk: last month the FBI issued a Microsoft 365 phishing alert about Kali365, a phishing‑as‑a‑service platform that steals access tokens and can bypass multifactor controls through device code phishing. That advisory and this new Unit 42 research together show attackers are refining both the user experience and the backend tricks used to avoid detection.
From an operational perspective, the campaign has two practical takeaways. First, defenders should treat any in‑browser authentication prompt with suspicion when it originates from a third‑party page, and cross‑check the OAuth flow outside the embedded window. Second, automated scanners and endpoint controls that rely only on obvious strings or console checks can be evaded; layered detection that looks at iframe behavior, domain reputation and user interaction patterns is more likely to catch this kind of scam.
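One way to turn the indicators described above into a concrete check, as an added example that is not from the Unit 42 report and not this page's own code: a Python scan over the saved HTML of a suspect page that flags the four signals the article names (fragmented login text, a simulated address bar, overridden console functions, a sandboxed iframe). The HTML below is a constructed sample and the page host is an assumed value.

```python
"""Heuristic scan of saved page HTML for Browser-in-the-Browser (BitB) indicators."""
import re
from html.parser import HTMLParser

# Constructed sample of a BitB-style page (not taken from any real campaign).
SAMPLE_HTML = """
<html><body>
<div class="win"><div class="addr">https://login.microsoftonline.com/common/oauth2/v2.0/authorize</div>
<span>S</span><span>i</span><span>g</span><span>n</span> <span>i</span><span>n</span>
<iframe sandbox="allow-forms allow-scripts" src="/auth.html"></iframe></div>
<script>console.log = function(){}; console.debug = function(){};</script>
</body></html>"""

class BitBScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.spans = []       # single-character text runs inside <span> tags
        self.iframes = 0      # sandboxed iframes (used to host the harvesting form)
        self.script = ""      # inline script text, checked for console overrides
        self.text = ""        # visible text, checked for a fake address bar
        self._in_script = self._in_span = False
    def handle_starttag(self, tag, attrs):
        if tag == "iframe" and "sandbox" in dict(attrs):
            self.iframes += 1
        self._in_script = tag == "script"
        self._in_span = tag == "span"
    def handle_endtag(self, tag):
        self._in_script = self._in_span = False
    def handle_data(self, data):
        if self._in_script:
            self.script += data
            return
        self.text += data
        if self._in_span and len(data.strip()) == 1:
            self.spans.append(data.strip())

def scan(html, page_host):
    """Return a dict of BitB findings; page_host is the real host the page was served from."""
    p = BitBScanner(); p.feed(html)
    findings = {}
    # 1) Login wording assembled from one-character spans defeats naive keyword matching.
    joined = "".join(p.spans).lower()
    if "sign" in joined or "microsoft" in joined:
        findings["fragmented_text"] = joined
    # 2) A Microsoft login URL rendered as page text while the real host differs
    #    is a simulated address bar, not a real navigation.
    m = re.search(r"https://login\.microsoftonline\.com\S*", p.text)
    if m and page_host != "login.microsoftonline.com":
        findings["fake_address_bar"] = m.group(0)
    # 3) Reassigned console functions hinder in-browser analysis.
    if re.search(r"console\.\w+\s*=\s*function", p.script):
        findings["console_override"] = True
    # 4) A sandboxed iframe separates the harvesting form from the parent page.
    if p.iframes:
        findings["sandboxed_iframes"] = p.iframes
    return findings
```

Run `scan(SAMPLE_HTML, "<host the page was fetched from>")`; each key present is one signal worth a manual look, and none alone is proof.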
For Microsoft 365 users the visible guidance is straightforward but specific: do not enter credentials into a popup unless you initiated a known sign‑in flow and the URL is verified in the actual browser address bar (not a simulated one inside a page). If a sign‑in looks like a browser window but opened after clicking an unexpected link, close the tab and sign in from the real Microsoft portal to be safe.
Unit 42’s domain list gives defenders something concrete to act on today; what remains unresolved is the campaign’s reach and who has already been compromised. The most consequential unanswered question is simple and urgent: how many accounts have been harvested using these browser‑mimicking popups and which tenants, if any, need incident response now?