PRACTITIONER GUIDE | THREAT INTELLIGENCE | 11 min read

Browser-in-the-Browser Phishing: How It Works and How to Detect It

74% of security awareness training participants who clicked a BitB phishing simulation could not explain why they should have been suspicious.

3x higher credential submission rate on BitB phishing pages vs. traditional phishing pages, per red team studies.

2022: the year the technique was publicly documented and weaponized in phishing toolkits.

When users encounter a 'Sign in with Google' or 'Continue with Microsoft' popup on a website, they expect to see a separate browser window with a verifiable URL. Browser-in-the-browser (BitB) attacks exploit this expectation by rendering a convincing fake browser window as HTML and CSS elements inside the existing page. The fake window displays a legitimate-looking URL bar, a title bar, and an authentication form. Users type their credentials into what they believe is a legitimate SSO popup, handing them directly to the attacker.

How BitB Attacks Work Technically

The BitB technique was publicly documented by security researcher mr.d0x in 2022 and has since been incorporated into phishing toolkits. Implementation: an attacker creates a phishing page that mimics a legitimate website offering 'Sign in with Google/Microsoft/Apple.' When the user clicks the sign-in button, instead of opening a new browser window (which would have its own URL bar showing the real URL), the page renders a div element styled to look exactly like a browser popup window with a custom URL bar. The fake URL bar displays a convincing URL (accounts.google.com) as static text, not as an actual browser URL. The 'window' contains an iframe or a form that collects credentials. JavaScript makes the fake window draggable and resizable within the page so that it behaves like a real popup.

Why Users Cannot Detect It

Traditional phishing detection advice focuses on checking the URL bar. BitB defeats this heuristic: the fake URL bar in the rendered window looks identical to a real browser chrome element. Users who check 'the URL bar' see what appears to be accounts.google.com. Standard indicators that a user has been trained to check (padlock icon, HTTPS, recognizable domain) are all present as static visual elements in the fake window. The actual page URL, visible in the real browser URL bar, would reveal the phishing domain, but users focused on the popup do not look at the underlying page URL. Usability research consistently shows that even security-trained users miss this.


Detection: How to Identify BitB Pages

Technical detections for BitB attacks operate at the browser and network layer:

Real browser popups can be dragged outside the browser window

Legitimate OAuth popups are real browser windows that can be dragged to the edge of the screen and beyond the browser boundary. A BitB fake popup cannot leave the boundaries of the underlying page because it is a div element. Train users to drag SSO popups to the screen edge. If the window cannot exit the browser, it is fake. This is the most reliable user-facing indicator.

URL bar is not interactive

In a real browser window, the URL bar is interactive: users can click it, type in it, and modify the URL. In a BitB fake window, the URL bar is a static image or text element. Clicking and typing in the 'URL bar' either does nothing or behaves unexpectedly.

Browser extension detection

Password manager browser extensions (Bitwarden, 1Password, Dashlane) display autofill suggestions based on the page's actual origin. A BitB fake Google login page has the phishing domain as its actual origin, so a password manager will not offer to fill saved Google credentials. If your password manager does not offer to autofill credentials on an SSO popup, the popup may be fake.

Enterprise SWG inspection

Secure Web Gateway platforms with TLS inspection can analyze page content and detect HTML/CSS patterns characteristic of BitB implementations (div elements styled as browser chrome, fake URL bars, window-mimicking CSS).
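As an added example (not part of the original guide or of any SWG vendor's product), a minimal content-inspection heuristic of the kind described above: it flags URL text drawn as plain text inside window-styled containers (positioned, shadowed, rounded boxes) on a page that also offers somewhere to type credentials. The two sample pages, the CSS cue list and the score threshold are constructed for illustration.

```python
import re
from html.parser import HTMLParser

URL_TEXT = re.compile(r"https?://[\w.-]+\S*")
CHROME_CSS = ("position:fixed", "position:absolute", "box-shadow", "border-radius", "cursor:move")
VOID_TAGS = {"input", "img", "br", "meta", "link", "hr"}

class BitbInspector(HTMLParser):
    """Track open elements so each text node knows its styled ancestors and whether it sits in a real <a>."""
    def __init__(self):
        super().__init__()
        self.stack = []                # (tag, normalised inline style) for open elements
        self.static_urls = []          # URL text rendered outside any <a>, with the chrome cues around it
        self.credential_sink = False   # iframe / form / password field present on the page

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("iframe", "form") or (tag == "input" and a.get("type") == "password"):
            self.credential_sink = True
        if tag not in VOID_TAGS:
            self.stack.append((tag, (a.get("style") or "").replace(" ", "").lower()))

    def handle_endtag(self, tag):
        while self.stack and self.stack.pop()[0] != tag:
            pass                       # unwind to the matching open tag

    def handle_data(self, data):
        m = URL_TEXT.search(data)
        if not m or any(t == "a" for t, _ in self.stack):
            return                     # a URL inside a real link is normal page content
        cues = sorted({c for _, s in self.stack for c in CHROME_CSS if c in s})
        if cues:
            self.static_urls.append((m.group(0), cues))

def score_bitb(html: str) -> dict:
    """Static URL text inside window-styled containers, weighted up when credentials can be entered."""
    p = BitbInspector()
    p.feed(html)
    score = 2 * len(p.static_urls) + (3 if p.static_urls and p.credential_sink else 0)
    return {"score": score, "suspicious": score >= 5, "static_urls": p.static_urls}

# Constructed minimal samples (not from any real kit): a page that draws a 'popup' as a
# positioned div holding a URL string as plain text, and a benign page linking the same URL.
SUSPECT_HTML = """<div style="position:fixed; border-radius:8px; box-shadow:0 0 12px #000">
<div class="titlebar">Sign in - Google Accounts</div>
<div class="urlbar"><span>https://accounts.google.com/signin</span></div>
<iframe src="/form"></iframe></div>"""
BENIGN_HTML = '<p>Help: <a href="https://accounts.google.com/">https://accounts.google.com/</a></p>'
```

A real gateway would combine this with domain reputation and rendered-page analysis; the heuristic alone is a triage signal, not a verdict.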

Phishing-Resistant MFA as the Ultimate Defense

The most complete defense against BitB credential theft is phishing-resistant authentication. FIDO2/WebAuthn (passkeys, hardware security keys) binds authentication to the specific origin of the page requesting credentials. When a user attempts to authenticate with a FIDO2 credential on a BitB phishing page, the authentication fails because the page's actual origin (phishing.example.com) does not match the origin the credential was registered for (accounts.google.com). The user never sees an error; the authentication simply does not complete. BitB cannot steal a FIDO2-protected account's credentials: by protocol design there is no reusable secret to capture.
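To make the origin binding concrete, an added example (not from the original guide or from any relying party's implementation) shows the relying-party checks on a WebAuthn assertion: the browser, not the page, writes the caller's real origin into clientDataJSON, and the authenticator hashes the RP ID into authenticatorData, so an assertion produced on phishing.example.com fails the origin check. The challenge bytes and the helper names are constructed; signature verification, which makes these fields tamper-evident, is omitted.

```python
import base64
import hashlib
import json

RP_ID = "accounts.google.com"                    # relying party the credential was registered for
EXPECTED_ORIGIN = "https://accounts.google.com"  # the only origin this RP accepts assertions from

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_client_data(origin: str, challenge: bytes) -> str:
    """What the browser writes into clientDataJSON for a get() ceremony; 'origin' is the caller's real origin."""
    return b64url(json.dumps({"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}).encode())

def make_authenticator_data(rp_id: str, counter: int = 1) -> bytes:
    """rpIdHash (32 bytes) || flags (1 byte, UP|UV) || signCount (4 bytes, big-endian)."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x05" + counter.to_bytes(4, "big")

def check_binding(client_data_b64: str, auth_data: bytes, expected_challenge: bytes) -> tuple[bool, str]:
    """Relying-party checks that tie an assertion to the registered origin and RP ID.
    A full verifier runs these before checking the signature over auth_data || sha256(clientDataJSON)."""
    cd = json.loads(b64url_decode(client_data_b64))
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin {cd.get('origin')!r} != {EXPECTED_ORIGIN!r}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match registered RP ID"
    return True, "assertion bound to the relying party"

CHALLENGE = b"constructed-32-byte-challenge!!!"  # constructed; a real RP sends fresh random bytes

def demo() -> dict:
    """Same authenticator data, two browser-recorded origins: the real site and a BitB page."""
    auth = make_authenticator_data(RP_ID)
    return {
        "legit": check_binding(make_client_data("https://accounts.google.com", CHALLENGE), auth, CHALLENGE),
        "bitb": check_binding(make_client_data("https://phishing.example.com", CHALLENGE), auth, CHALLENGE),
    }
```

In practice the BitB page never gets this far: the browser refuses a get() call whose rpId is not a registrable suffix of the calling page's own origin, so no assertion for accounts.google.com is ever produced on phishing.example.com.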

Security Awareness Training for BitB

Standard phishing awareness training that focuses on URL inspection is insufficient for BitB. Effective BitB-specific training covers: the drag test (drag any SSO popup to the screen edge; if it cannot exit the browser, it is fake), the password manager indicator (if your password manager does not offer to autofill on an SSO popup, verify the popup's origin), and the keyboard shortcut test (in a real browser window, keyboard shortcuts work differently than in a page element). Include BitB simulations in your phishing simulation program: if your simulation tool does not support BitB templates, consider tooling that does. Measuring click and credential submission rates for BitB simulations separately from standard phishing simulations reveals whether your training is closing this specific gap.

Deployment in Attacker Toolkits

BitB is now a standard module in multiple phishing frameworks. Evilginx (AiTM framework) added BitB support. Modlishka and several commercial phishing platforms have incorporated BitB templates. The primary targets are Microsoft 365, Google Workspace, and Steam SSO flows, because these are the most commonly used SSO providers with recognizable popup UI. Attackers typically deploy BitB in combination with domain spoofing (registering domains similar to the target organization) and send phishing links via email, SMS, or messaging platforms to direct victims to the landing page.

The bottom line

BitB defeats the URL-checking advice that years of security awareness training have ingrained in users. The drag test is the most actionable user-facing detection. Phishing-resistant MFA (FIDO2/passkeys) defeats the attack at the protocol layer regardless of whether users detect the fake window. Both defenses should be deployed together.

Frequently asked questions

Can antivirus or endpoint security detect BitB phishing pages?

Most antivirus and EDR products do not detect BitB pages because the page itself contains no malicious code: it is HTML, CSS, and JavaScript that renders a convincing UI. Detection depends on threat intelligence: if the phishing domain is known-malicious and in blocklists, browsers and endpoint security tools may block the page. Novel BitB pages using fresh domains evade blocklist-based detection until the domain is reported and blocklisted. Browser-level phishing detection (Google Safe Browsing, Microsoft SmartScreen) may detect known BitB infrastructure but not zero-day campaigns.

Is BitB the same as an iframe phishing attack?

BitB and iframe phishing are related but distinct. Classic iframe phishing embeds a legitimate page inside a phishing page using an iframe to make the page look legitimate (most modern sites block iframe embedding via X-Frame-Options or CSP). BitB does not require iframe embedding of the legitimate site: it renders a fake browser window using only HTML/CSS/JavaScript to visually impersonate the popup UI. BitB is more effective than iframe phishing because it does not depend on the target site allowing iframe embedding.

How do I include BitB in my phishing simulation program?

Several phishing simulation platforms have added BitB templates: check your platform's template library for 'browser-in-the-browser' or 'SSO popup' templates. GoPhish (open-source) can be combined with mr.d0x's public BitB templates for custom simulations. When running BitB simulations, measure both click rate and credential submission rate separately, and compare against your standard phishing simulation baseline. High credential submission rates in BitB simulations indicate your training is not covering this technique and that FIDO2 deployment should be prioritized.

Does BitB work on mobile devices?

BitB is less effective on mobile browsers because mobile browsers handle OAuth popup flows differently: many use in-app browsers or system browsers that display the URL separately from the app, making the fake window easier to identify. However, mobile-optimized BitB implementations exist and can be convincing in specific contexts. On mobile, the primary defense remains phishing-resistant authentication: FIDO2/WebAuthn on mobile (using biometrics as the authenticator) is supported on all major mobile platforms.

What is the relationship between BitB and AiTM phishing?

BitB and AiTM (adversary-in-the-middle) are two different phishing techniques that both target SSO credentials. BitB renders a fake popup to steal credentials directly from the victim. AiTM uses a real reverse proxy that relays the actual authentication flow in real time, capturing both credentials and the resulting session cookie. AiTM is more complex to set up but bypasses MFA methods that BitB cannot bypass (because AiTM relays the actual MFA challenge). Both are defeated by phishing-resistant FIDO2 authentication. Attackers choose between them based on their target's MFA method and the effort required.

Are enterprise applications that use SSO more or less vulnerable to BitB?

Enterprise SSO applications are common BitB targets specifically because they are high-value: compromising an employee's SSO account gives the attacker access to all applications the employee can access via that SSO. However, enterprise environments have compensating controls that consumer contexts lack: Conditional Access policies that evaluate device compliance (a BitB-compromised credential used from an attacker's device may be blocked), UEBA that detects impossible travel or new device anomalies, and the ability to enforce phishing-resistant MFA centrally for all users.

Sources & references

  1. mrd0x Browser-in-the-Browser Technique Research
  2. Microsoft Digital Defense Report 2025
  3. Google Project Zero Browser Security Research
  4. CISA Phishing Guidance for Organizations 2025
  5. Mandiant Phishing Technique Analysis 2025


Author: Eric Bang, Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.
