Browser-in-the-Browser → credential theft on a trusted page

§ Context

Assumed environment: target uses SSO that opens a popup window. Phishing landing page hosted on attacker domain (often a typosquat or compromised legitimate site).

§ Steps

1. 01
   Victim enters creds in fake popupInitial Access

   T1078— Valid Accounts
2. 02
   Lure victim to attacker pageInitial Access

   T1566— Phishing
3. 03
   Victim clicks SSO buttonExecution

   T1204— User Execution
4. 04
   Hijack post-MFA session if applicableCredential Access

   T1539— Steal Web Session Cookie
5. 05
   Use creds against the real IdPInitial Access

   PH-AITM-EVILGINX— AITM Phishing — Evilginx / Modlishka
6. 06
   Build BitB popup overlayInitial Access

   PH-BITB— Browser-in-the-Browser (BitB)

§ References

• T1078Valid Accounts
• T1566Phishing
• T1204User Execution
• T1539Steal Web Session Cookie

§ Frequently asked

What is the "Browser-in-the-Browser → credential theft on a trusted page" attack path?

Render a fake SSO popup inside the attacker page that looks like a real OS browser window. Victim types their credentials into the attacker's DOM. It chains 6 steps drawn from real-world offensive-security techniques.

What starting position does this attack require?

The first step is Victim enters creds in fake popup (T1078) — a initial access primitive. Assumed environment: target uses SSO that opens a popup window.

What is the final impact of this kill-chain?

The final step lands on Build BitB popup overlay (PH-BITB), which falls under Initial Access. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

§ Related dossiers

• Shared techniques4

  FIDO2 caBLE hybrid → phone authenticator hijack

  Attacker phishing site shows the legitimate FIDO2 QR. Victim scans with their phone authenticator. The link completes the WebAuthn ceremony in the attacker's browser — they're now signed in as the victim.

• Shared techniques4

  AITM phishing (Evilginx) → M365 session theft → mailbox exfil

  Reverse-proxy phishing kit intercepts the entire login flow including MFA. Stolen session cookie → access M365 mailbox / SharePoint without retriggering auth.

• Shared techniques3

  Compromised vendor mailbox → reply-chain phishing → client compromise

  Take over a vendor / partner mailbox via AITM phishing. Reply to an existing thread with a malicious link — trust transferred from the genuine prior conversation defeats most user training.

• Shared techniques3

  Header smuggling → gateway sees vendor, mailbox sees attacker

  Crafted RFC-edge headers cause SPF/DMARC to validate against one From while Outlook renders the other — slips past Microsoft Defender / Proofpoint and lands as a 'verified' message.

• Shared techniques3

  Malicious browser extension → cookie harvest → ATO

  Publish a useful-looking extension (ad-blocker / PDF reader). It quietly reads cookies + localStorage from sensitive sites and ships them to the attacker.

• Shared techniques3

  Compromised CFO mailbox → invoice fraud → wire fraud

  AITM phishing nets the CFO's M365 session. Attacker sets a mail rule to hide replies, edits a pending invoice's wire details, sends the modified PDF to AP from the legit mailbox.