Executive Summary
In early June 2024, cybersecurity researchers reported that the Sneaky2FA phishing-as-a-service (PhaaS) kit has adopted the Browser-in-the-Browser (BitB) attack tactic, previously used by red teamers, to improve the effectiveness of credential phishing campaigns. This new feature enables threat actors using the Sneaky2FA service to launch highly convincing fake login pop-ups, closely mimicking legitimate authentication flows, including prompts for multifactor authentication (MFA). The update broadens the risks for both organizations and individuals, as traditional indicators of phishing are increasingly hard to spot. The deployment of BitB tactics by a turnkey phishing kit marks a concerning development in the automation and commercial accessibility of advanced cybercrime techniques.
This incident underscores the escalating sophistication of phishing attacks driven by the commoditization of offensive security techniques. Organizations face renewed urgency to revisit their authentication controls, user awareness training, and phishing-resistant MFA, as adversary innovation quickly outpaces conventional defense measures.
Why This Matters Now
Phishing kits implementing Browser-in-the-Browser techniques greatly increase the likelihood of users falling victim to credential theft, particularly bypassing MFA protections. As these advanced methods spread through Phishing-as-a-Service platforms, organizations of all sizes are at heightened risk, making immediate improvements in anti-phishing education and technical defenses critical.
Attack Path Analysis
The attack begins when users are lured to a fraudulent Browser-in-the-Browser (BitB) phishing page operated through the Sneaky2FA PhaaS kit, which captures their credentials and 2FA tokens. Adversaries use the stolen credentials to gain unauthorized access and attempt privilege escalation, potentially targeting sensitive cloud assets. With escalated access, attackers may traverse internal cloud environments in search of additional resources or data. Malicious traffic then establishes outbound connections to command-and-control infrastructure for persistence and coordination. Exfiltration follows, with data or credentials sent out through covert or otherwise authorized channels. The ultimate impact may include unauthorized data access, account takeover, or further attacks enabled by the compromised foothold.
Kill Chain Progression
Initial Compromise
Description
Users are deceived into entering credentials and 2FA tokens into a BitB phishing page, resulting in account credential compromise.
Related CVEs
CVE-2021-21176
CVSS 6.5
An inappropriate implementation in full screen mode in Google Chrome prior to version 89.0.4389.72 allows a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.
Affected Products:
Google Chrome – < 89.0.4389.72
Exploit Status:
proof of concept
CVE-2021-37994
CVSS 6.5
An issue in Google Chrome prior to version 95.0.4638.54 allows a remote attacker to bypass navigation restrictions through a crafted HTML page.
Affected Products:
Google Chrome – < 95.0.4638.54
Exploit Status:
proof of concept
Both entries concern URL-bar and navigation spoofing in older Chrome builds. The BitB technique itself draws a fake browser window with ordinary HTML and CSS inside the phishing page, so it does not depend on either vulnerability and fully patched browsers remain exposed to the deception.
MITRE ATT&CK® Techniques
Phishing: Spearphishing via Link
Browser Extensions
Email Collection
Browser Session Hijacking
Steal Web Session Cookie
Modify Authentication Process: Multi-Factor Authentication Interception
User Execution: Malicious Link
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Multi-factor Authentication Implementation
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Multi-Factor Authentication
Control ID: 500.12
DORA – ICT Risk Management
Control ID: Art. 9
CISA ZTMM 2.0 – Identity and Access Management – Authentication Protection
Control ID: ID.AM-1
NIS2 Directive – Security in Network and Information Systems
Control ID: Article 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Banking/Mortgage
Browser-in-the-Browser phishing attacks targeting financial credentials threaten zero trust segmentation and encrypted traffic compliance, enabling account takeovers and fraud.
Financial Services
Sneaky2FA PhaaS kit poses severe credential theft risks requiring enhanced egress security, threat detection capabilities, and multi-factor authentication bypass protection.
Information Technology/IT
IT infrastructure faces lateral movement risks from sophisticated phishing attacks, demanding robust east-west traffic security and multicloud visibility controls.
Health Care / Life Sciences
Deceptive phishing threatens patient data through compromised credentials, violating HIPAA compliance and requiring enhanced anomaly detection and secure hybrid connectivity.
Sources
- Sneaky2FA PhaaS kit now uses redteamers' Browser-in-the-Browser attack (BleepingComputer): https://www.bleepingcomputer.com/news/security/sneaky2fa-phaas-kit-now-uses-redteamers-browser-in-the-browser-attack/ (Verified)
- CVE-2021-21176: Google Chrome vulnerability analysis and mitigation (Wiz): https://www.wiz.io/vulnerability-database/cve/cve-2021-21176 (Verified)
- CVE-2021-37994: vulnerability analysis and mitigation (Wiz): https://www.wiz.io/vulnerability-database/cve/cve-2021-37994 (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Enforcing zero trust segmentation, egress policy enforcement, real-time threat detection, and centralized visibility would have limited unauthorized access, contained attacker movement, and blocked exfiltration attempts, thus disrupting the kill chain at several points.
Control: Multicloud Visibility & Control
Mitigation: Faster detection of anomalous user authentication patterns.
Control: Zero Trust Segmentation
Mitigation: Limits access to only permitted resources even when credentials are compromised.
Control: East-West Traffic Security
Mitigation: Blocks lateral traversal between workloads, reducing attack surface.
Control: Egress Security & Policy Enforcement
Mitigation: Denies unauthorized outbound connections and detects C2 traffic.
Control: Encrypted Traffic (HPE)
Mitigation: Detects and blocks unencrypted or suspicious exfiltration attempts.
Rapidly detects and enables mitigation of malicious activity before larger impact occurs.
Impact at a Glance
Affected Business Functions
- User Authentication
- Access Control
Estimated downtime: 3 days
Estimated loss: $500,000
Potential exposure of user credentials and session tokens, leading to unauthorized access to sensitive information.
Recommended Actions
Key Takeaways & Next Steps
- Deploy zero trust segmentation to restrict account movement and enforce least-privilege access.
- Enable centralized visibility and anomaly detection to flag suspicious logins or lateral actions in real time.
- Enforce stringent egress filtering to limit unauthorized outbound connections and block data exfiltration channels.
- Utilize inline threat detection and real-time policy enforcement to quickly identify and respond to evolving attacker behaviors.
- Regularly review and test identity/access controls and multi-factor authentication workflows against phishing and token replay attacks.
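The anomaly-detection and token-replay points above can be made concrete with a small detection rule. In the attack path described on this page, the phishing page relays the victim's password and MFA code, so the resulting session is fully valid; what stands out in logs is the same session being used from two unrelated client fingerprints within minutes. The example below is added here and is not code from the Sneaky2FA reporting or from any vendor product: the log format, field names, the 30-minute window and the sample events are all constructed for illustration.

```python
"""Flag session-token replay in constructed sign-in/activity logs.

Constructed example (not from any real tenant or product). Each line is
'<ISO timestamp> key=value key=value ...'. A session whose (ip, user-agent)
fingerprint changes shortly after a previous use is reported as a possible
replay of a stolen session cookie.
"""
from datetime import datetime, timedelta

# Constructed sample events: alice's session s1 is first used from her own
# network, then minutes later from an unrelated IP and browser; bob's s2 is
# normal. Event names are illustrative only.
SAMPLE_LOG = """\
2024-06-03T09:01:12Z user=alice@example.com session=s1 ip=203.0.113.10 ua=Firefox/126 event=mfa_success
2024-06-03T09:01:40Z user=alice@example.com session=s1 ip=203.0.113.10 ua=Firefox/126 event=mailbox_read
2024-06-03T09:04:05Z user=alice@example.com session=s1 ip=198.51.100.77 ua=Chrome/125 event=mailbox_read
2024-06-03T09:04:09Z user=alice@example.com session=s1 ip=198.51.100.77 ua=Chrome/125 event=inbox_rule_created
2024-06-03T10:15:00Z user=bob@example.com session=s2 ip=192.0.2.50 ua=Edge/125 event=mfa_success
2024-06-03T10:16:30Z user=bob@example.com session=s2 ip=192.0.2.50 ua=Edge/125 event=mailbox_read
"""

# Assumed tuning value: fingerprint changes farther apart than this are not
# flagged (a user may legitimately move networks over a longer period).
REPLAY_WINDOW = timedelta(minutes=30)


def parse_line(line):
    """Parse one log line into a dict; the leading timestamp becomes 'ts'."""
    ts_text, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return event


def parse_log(text):
    """Parse all non-empty lines of a log text."""
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_session_replays(events, window=REPLAY_WINDOW):
    """Return one alert per session whose (ip, ua) fingerprint changes within
    `window` of the session's previous use. Events are processed in time order
    so a fingerprint change is always compared against the most recent use."""
    alerts = []
    last_seen = {}  # session id -> (timestamp, (ip, ua))
    for ev in sorted(events, key=lambda e: e["ts"]):
        sid = ev["session"]
        fp = (ev["ip"], ev["ua"])
        if sid in last_seen:
            prev_ts, prev_fp = last_seen[sid]
            gap = ev["ts"] - prev_ts
            if fp != prev_fp and gap <= window:
                alerts.append({
                    "user": ev["user"],
                    "session": sid,
                    "previous_ip": prev_fp[0],
                    "previous_ua": prev_fp[1],
                    "new_ip": fp[0],
                    "new_ua": fp[1],
                    "seconds_since_previous_use": int(gap.total_seconds()),
                    "first_event_after_change": ev["event"],
                })
        last_seen[sid] = (ev["ts"], fp)
    return alerts


if __name__ == "__main__":
    for alert in find_session_replays(parse_log(SAMPLE_LOG)):
        print(
            f"possible session replay: user={alert['user']} session={alert['session']} "
            f"{alert['previous_ip']}/{alert['previous_ua']} -> "
            f"{alert['new_ip']}/{alert['new_ua']} after "
            f"{alert['seconds_since_previous_use']}s (event={alert['first_event_after_change']})"
        )
```

Only the first fingerprint change is reported because `last_seen` is updated on every event; follow-on activity from the new fingerprint is then treated as the session's current state, which keeps a single replay from generating one alert per request. In a real deployment the fingerprint would typically include ASN or geolocation rather than raw IP, and the alert would be enriched with the events that followed the change (here, the constructed inbox-rule creation) to prioritise triage.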