We train employees to check the URL bar before entering their credentials. We tell them to look for the padlock icon, verify the domain name, and be suspicious of unfamiliar websites. For years, this advice has been a cornerstone of phishing awareness training. But what if the URL bar itself is fake? What if the entire login window — padlock, domain name, and all — is nothing more than an image drawn by the attacker's web page?
TL;DR — Key Takeaways
- ✓Understand how Browser-in-the-Browser (BitB) attacks create fake login popups that mimic OAuth and SSO windows
- ✓See how a BitB popup is built from HTML, CSS, JavaScript and an iframe, and why that construction fools exactly the users who have been trained to check the URL bar
- ✓Learn the checks that expose one (drag, resize, taskbar and address-bar tests, password-manager behaviour) and the controls that defeat it (phishing-resistant MFA, password managers, updated training)
Visual Overview
```mermaid
flowchart LR
A["Victim Visits Site"] --> B["Fake Login Window"]
B --> C["Looks Like Real Browser"]
C --> D["User Enters Credentials"]
D --> E["Attacker Captures Data"]
E --> F["Account Compromise"]
```
This is the reality of Browser-in-the-Browser (BitB) attacks, a phishing technique that creates fake popup windows indistinguishable from genuine browser authentication dialogs. First widely documented by security researcher mr.d0x in 2022, BitB attacks have since been adopted by sophisticated threat actors and continue to evolve in ways that make them increasingly difficult to detect.
How Browser-in-the-Browser Attacks Work
To understand BitB attacks, you first need to understand how legitimate single sign-on (SSO) and OAuth authentication work. When you click "Sign in with Google" or "Log in with Microsoft" on a website, a popup window appears from the identity provider (Google, Microsoft, Apple, etc.). This popup has its own URL bar showing the legitimate domain — accounts.google.com, for instance — and you enter your credentials in that window.
Users have been trained to trust this flow. The popup window has a legitimate URL. The padlock is present. The domain is correct. It must be safe.
The Illusion
A BitB attack exploits this trust by creating a fake popup window that exists entirely within the attacker's web page. It is not a real browser window at all — it is an HTML and CSS element designed to look exactly like one. The "URL bar" showing accounts.google.com is just an image or a styled text element. The "padlock icon" is a static graphic. The "window" itself is a div element positioned on the page.
The attacker's web page renders this fake window using standard web technologies:
- HTML/CSS creates the window frame — the title bar, window controls (minimise, maximise, close buttons), and the URL bar. These elements are crafted to match the exact appearance of the target operating system's browser windows.
- JavaScript provides interactivity — the fake window can be "dragged" around the screen, "closed" by clicking the X button, and can display loading animations that mimic real browser behaviour.
- An iframe within the fake window loads the phishing page — the actual credential harvesting form. This form is hosted on the attacker's server but appears to be inside a legitimate browser popup.
The result is a visual experience that is virtually identical to a genuine OAuth login flow. The victim sees a familiar popup, reads a familiar URL, and enters their credentials — which are sent directly to the attacker.
The brilliance — and the danger — of Browser-in-the-Browser attacks is that they exploit the very security indicator users have been taught to rely on: the URL bar. When the URL bar itself is fake, the foundational advice of "check the URL before you log in" becomes worthless.
Why BitB Attacks Are So Effective
They Exploit Trained Behaviour
Users who have undergone security awareness training may actually be more susceptible to BitB attacks in some respects, because they have been taught to trust the URL bar as the definitive indicator of a site's legitimacy. When they see "accounts.google.com" in what appears to be a browser address bar, their training tells them the site is genuine.
They Bypass Traditional Phishing Indicators
Traditional phishing pages display the attacker's domain in the real URL bar, which is a giveaway to anyone who checks. A BitB page still does: the browser's real address bar, at the top of the actual window, shows the attacker's domain the whole time. The technique works because the fake popup draws the eye downward to a second, painted address bar showing the expected identity-provider domain, and the user checks that one instead of the real one.
They Are Technically Simple to Execute
Despite their sophisticated appearance, BitB attacks require only basic web development skills. Open-source BitB templates are readily available, providing pre-built window frames for different browsers and operating systems. An attacker needs only to pair one of these templates with a credential harvesting form to have a functional BitB phishing page. This low barrier to entry means the technique is accessible to a wide range of threat actors — not just sophisticated groups.
They Target High-Value Credentials
Because BitB attacks specifically mimic SSO and OAuth login flows, they target the credentials that provide the broadest access. A stolen Google Workspace or Microsoft 365 credential typically grants access to email, cloud storage, collaboration tools, and any other service the user accesses via SSO. This makes BitB attacks particularly relevant to credential theft and subsequent account takeover campaigns.
Real-World BitB Attack Campaigns
BitB attacks have been observed in the wild in several notable campaigns.
Gaming Platform Credential Theft
One of the earliest widespread uses of BitB techniques targeted gamers on platforms such as Steam. Attackers created fake gaming tournament websites and community pages that prompted visitors to "Sign in with Steam." The BitB popup displayed a perfect replica of Steam's login page, complete with the correct URL. Thousands of gaming accounts were compromised and their inventories — sometimes worth thousands of pounds — were stolen.
Corporate SSO Targeting
More concerning for businesses, security researchers have documented BitB attacks targeting corporate SSO portals. These campaigns send spear phishing emails directing employees to fake internal portals that trigger BitB popups mimicking the organisation's identity provider. Because many organisations use third-party identity providers like Okta, Microsoft Entra ID (formerly Azure AD), or Google Workspace, the fake popup can display a genuinely familiar login page.
Advanced Persistent Threat Usage
Nation-state threat groups have incorporated BitB techniques into their operations. Researchers have attributed BitB phishing campaigns targeting government officials, journalists, and human rights organisations to groups with links to state intelligence services. The technique's ability to evade even security-conscious users makes it a valuable tool for these sophisticated adversaries.
How to Detect a BitB Attack
Whilst BitB attacks are visually convincing, they have inherent technical limitations that reveal their nature if you know what to look for.
The Drag Test
The most reliable manual test is to try dragging the popup window outside the bounds of the browser window. A genuine browser popup is an independent window that can be moved anywhere on screen, including completely outside the parent browser window. A BitB fake popup is an element of the attacker's page and cannot be drawn beyond that page's viewport. If the "popup" stops at the edge of the browser's content area, or cannot be dragged over the real tab strip and address bar (useful when the browser is maximised and there is no space outside it), it is fake. Some kits let the fake window be dragged around inside the page, so the test is whether it can cross the viewport boundary, not whether it moves at all.
The Resize Test
Genuine browser popups can be resized by dragging their edges. BitB fake popups typically cannot be resized, or their resize behaviour is inconsistent with a real browser window.
The Taskbar Test
A genuine popup window is a window the operating system knows about. On Windows it appears as a separate thumbnail under the browser's taskbar button and as its own entry in Alt+Tab; on macOS it appears in the browser's Window menu and in Mission Control (the Dock shows applications rather than individual windows, so do not expect a new Dock icon). A BitB fake popup appears in none of these places, because it is not a real window, just a visual element within the existing page. If a login popup produces no new window entry anywhere, be suspicious.
The Address Bar Interaction Test
Try clicking on the URL in the popup's address bar and typing. In a genuine browser window, you can interact with the address bar — select the text, type a new URL, or navigate to a different page. In a BitB fake, the address bar is either non-interactive or behaves in an unnatural way.
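The manual tests above can be complemented with a structural check from the DevTools console of the suspect page. The following is an added example written for this article, not code from any BitB kit or from the original text: it looks for the signature the article describes (a positioned element stacked over the page that paints an address-bar-like string and embeds an iframe, or a password field, whose real origin is not the host it paints). `auditPage` is pure and works on a plain description of the page, so it runs in Node; `snapshotDom` builds that description from a live document. The page origin, overlay text and frame paths in `SAMPLE_BITB_PAGE` are constructed for the example.

```javascript
// Added example, not from the original article: a structural audit for the
// Browser-in-the-Browser signature. A real IdP popup is a separate top-level
// window; a BitB "popup" is an element of the page, stacked over the content,
// that paints something resembling an address bar and usually embeds an iframe
// whose real origin is not the host it pretends to be.

// First host-like token in a run of text, e.g. "accounts.google.com" out of
// "https://accounts.google.com/o/oauth2/auth".
const URL_LIKE = /(?:https?:\/\/)?\b([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})\b/i;

// Is `hostname` the painted host or one of its subdomains?
function hostUnder(hostname, paintedHost) {
  return hostname === paintedHost || hostname.endsWith('.' + paintedHost);
}

// page = { origin, isTop, overlays: [{ text, frames: [{ src }], passwordFields }] }
function auditPage(page) {
  const findings = [];
  if (!page.isTop) {
    findings.push('document is itself inside a frame; a genuine IdP popup is always top-level');
  }
  const pageHost = new URL(page.origin).hostname;
  for (const overlay of page.overlays) {
    const m = URL_LIKE.exec(overlay.text || '');
    const paintedHost = m ? m[1].toLowerCase() : null;
    for (const frame of overlay.frames) {
      let frameUrl;
      try { frameUrl = new URL(frame.src, page.origin); } catch { continue; }
      if (paintedHost && !hostUnder(frameUrl.hostname, paintedHost)) {
        findings.push(`overlay paints "${paintedHost}" as its address bar but its iframe really loads ${frameUrl.origin}`);
      } else if (!paintedHost && frameUrl.origin !== page.origin) {
        findings.push(`overlay embeds a cross-origin frame from ${frameUrl.origin} (page origin ${page.origin})`);
      }
    }
    // Variant with no iframe: the credential form lives directly in the page.
    if (paintedHost && overlay.frames.length === 0 && overlay.passwordFields > 0 && !hostUnder(pageHost, paintedHost)) {
      findings.push(`overlay paints "${paintedHost}" but its password field belongs to the page's own origin ${page.origin}`);
    }
  }
  return findings;
}

// Build the page description from a live DOM (paste into DevTools, then run
// auditPage(snapshotDom())). Heuristic: any fixed/absolute element with a
// positive z-index counts as an overlay; nested overlays are reported twice.
function snapshotDom(doc = document, win = window) {
  const overlays = [];
  for (const el of doc.querySelectorAll('body *')) {
    const cs = win.getComputedStyle(el);
    const stacked = (cs.position === 'fixed' || cs.position === 'absolute') && parseInt(cs.zIndex, 10) > 0;
    if (!stacked) continue;
    overlays.push({
      text: el.innerText || '',
      frames: Array.from(el.querySelectorAll('iframe')).map((f) => ({ src: f.getAttribute('src') || '' })),
      passwordFields: el.querySelectorAll('input[type="password"]').length,
    });
  }
  return { origin: win.location.origin, isTop: win.top === win, overlays };
}

// Constructed model of a BitB page (origin, text and paths are made up): the
// overlay paints accounts.google.com, the iframe is served by the attacker.
const SAMPLE_BITB_PAGE = {
  origin: 'https://tournament-signup.example',
  isTop: true,
  overlays: [{
    text: 'Sign in - Google Accounts\nhttps://accounts.google.com/o/oauth2/auth?client_id=demo',
    frames: [{ src: '/frames/google-login.html' }],
    passwordFields: 0,
  }],
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(auditPage(SAMPLE_BITB_PAGE));
}
```

The audit is a heuristic, not a verdict: cookie banners and modal dialogs are also stacked overlays, and a kit can avoid the iframe entirely. What it cannot avoid is that every element it draws belongs to a document whose origin is the attacker's, which is exactly what `auditPage` compares against.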
Password Manager Behaviour
Password managers are an underappreciated defence against BitB attacks. A password manager matches stored credentials against the real origin of the document its form lives in, not against anything painted on screen. Because the BitB popup's content is served from the attacker's domain, not the legitimate identity provider's, the manager will not offer to auto-fill. If your password manager refuses to fill a login page it has filled before, stop and investigate. The absence of autofill is not proof on its own (a new device or a renamed account can cause it too), but on a page you use regularly it is a strong warning signal, because the manager verifies the actual domain, not the displayed URL.
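The origin check a password manager makes, as an added example written for this article rather than code from any real password manager: the only input is the page's real origin (`window.location.origin`), so the URL painted inside a BitB popup never enters the decision. The vault entries, origins and hostnames are constructed; the `naiveHostMatches` function is included only to show the substring-matching bug that lookalike domains exploit.

```javascript
// Added example, not from the original article: the origin check a password
// manager makes before offering credentials. Vault and origins are constructed.

const VAULT = [
  { domain: 'google.com', username: 'alice@example.com', password: 'correct horse battery staple' },
  { domain: 'microsoftonline.com', username: 'alice@contoso.example', password: 'hunter2' },
];

// Label-boundary match: the host must be the stored domain or a subdomain of
// it. 'accounts.google.com' matches 'google.com'; 'notgoogle.com' and
// 'google.com.attacker.example' do not. A production manager derives the
// stored domain from the Public Suffix List so that e.g. 'co.uk' is never
// treated as a boundary; this example stores the registrable domain directly.
function hostMatches(hostname, domain) {
  return hostname === domain || hostname.endsWith('.' + domain);
}

// The bug this guards against: substring matching, which lookalikes defeat.
function naiveHostMatches(hostname, domain) {
  return hostname.includes(domain);
}

// Returns the credentials a manager would offer on a page with this origin.
// A BitB page on https://tournament-signup.example gets nothing, whatever its
// fake address bar says, because that string is not an input here.
function credentialsFor(pageOrigin, vault = VAULT) {
  let url;
  try { url = new URL(pageOrigin); } catch { return []; }
  if (url.protocol !== 'https:') return [];            // never fill a password over plaintext HTTP
  const host = url.hostname.toLowerCase();
  return vault
    .filter((entry) => hostMatches(host, entry.domain))
    .map(({ username, password }) => ({ username, password }));
}
```

Note the three rejections a practitioner cares about: the attacker's own origin (the BitB case), a lookalike that embeds the real domain as a prefix, and a plaintext-HTTP page that would leak the fill on the wire.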
Defending Your Organisation
Technical Defences
- Deploy phishing-resistant MFA: FIDO2 security keys and passkeys are the strongest defence against BitB attacks. The credential is bound to the identity provider's origin. The browser will only exercise a passkey for a relying-party ID that matches the origin of the page making the request, and the signed assertion carries that origin, which the identity provider checks before accepting it. A BitB page on the attacker's domain can therefore collect a typed password, but it cannot obtain a valid passkey assertion for the real identity provider.
- Mandate password managers: Require the use of password managers across your organisation. As described above, password managers provide an additional verification layer by refusing to auto-fill on domains that do not match their stored records.
- Apply Content Security Policy to your own applications, with realistic expectations: CSP does not stop a BitB page on a domain the attacker controls, because the attacker sets that page's headers. What it does is limit the damage if one of your own sites is compromised and a BitB kit is injected into it (frame-src and script-src restrict which origins the injected frame and script can load from), and frame-ancestors on your real login page stops that page being framed elsewhere. Treat it as hardening, not as a BitB control.
- Deploy phishing link analysis: Use security tools that follow links in email and messages to their final destination and inspect the rendered page, flagging recently registered or lookalike domains and pages that embed a cross-origin iframe or a login form inside an element styled as a browser window.
- Enable browser-based protections: Modern browsers include protections against some forms of UI spoofing. Ensure that your organisation's browsers are kept up to date and that security features are not disabled by custom configurations.
Employee Training
Update your security awareness training programme to specifically address BitB attacks. Key training points include:
- Teach the drag test: Train employees to drag a login popup outside the browser window, or over the browser's own tab strip and address bar, before entering credentials. Page content can never leave the browser's viewport, so this exposes a BitB popup even when the kit lets it move around inside the page.
- Reinforce password manager reliance: Teach employees to pay attention when their password manager does not auto-fill a familiar login page. This is a signal that something may be wrong.
- Update the "check the URL" advice: Employees need to understand that a URL displayed in a popup window is not trustworthy in the same way as the main browser address bar. The advice should evolve from "check the URL" to "verify the window is real, then check the URL."
- Use realistic simulations: Incorporate BitB-style scenarios into your phishing simulation programme so employees experience this technique in a safe environment before encountering it in the wild.
- Encourage direct navigation: Train employees that when they need to log into a service, they should navigate directly to the service's website by typing the URL or using a bookmark — rather than clicking through from another site or email.
Organisational Policies
- Establish a policy that employees should never enter corporate credentials into popup windows triggered by external websites or links in emails.
- Implement safe browsing policies that encourage direct navigation to authentication portals.
- Ensure your organisation's incident response plan covers credential compromise scenarios and includes procedures for rapid password resets and session invalidation.
The Evolving Threat
BitB attacks continue to evolve. Newer variants address some of the detection methods described above — for example, some implementations now allow limited dragging of the fake window, and others use more sophisticated JavaScript to better simulate real window behaviour. AI-generated content is also being used to create more convincing landing pages that lead to BitB popups.
This ongoing evolution underscores why a defence strategy cannot rely on any single detection method. The combination of phishing-resistant MFA, password managers, employee training, and advanced endpoint security creates a multi-layered defence that remains effective even as the specific attack techniques change.
Browser-in-the-Browser attacks are a reminder that in cybersecurity, trust must be earned and continuously verified — even for the indicators we have long taken for granted. The URL bar was once the gold standard for verifying a website's identity. BitB attacks have shown that anything displayed on screen can be faked. Your defence strategy must account for this reality.