Sneaky 2FA poses a real-world risk to users and organisations worldwide (Photo: Pexels)

A phishing threat dubbed 'Sneaky 2FA' steals login credentials and bypasses two-factor authentication (2FA) using fake browser pop-ups. Security researchers documented the technique in late 2025, highlighting how phishing attacks are growing more sophisticated and increasingly rely on mimicking legitimate interfaces to fool would-be victims.

According to Malwarebytes, Sneaky 2FA is a phishing kit that uses a 'Browser-in-the-Browser' (BitB) attack: the phishing page draws a fake pop-up login window inside the web page itself. These windows look exactly like the real sign-in dialogues, down to a padlock and an address bar showing a legitimate-looking URL, and easily fool users.

When the fake pop-up appears, the user expects to be asked for their login credentials, including a 2FA code, which typically expires within seconds of being generated. Sneaky 2FA captures the username, password and code as they are entered and passes them to the real service within that short window, so the attacker ends up with a working, already-verified session rather than a stale code.

Sneaky 2FA Attack

A Cyber Press analysis shows that once the victim has completed the fake login, attackers use the session tokens stolen alongside the login details to resume the authenticated session later, bypassing 2FA altogether because the service already treats that session as verified.

Push Security reported detecting a Sneaky 2FA server and explained how the phishing attack steals account credentials from unsuspecting victims: once the authentication process completes, the victim's login details are immediately in the hands of the criminal.

In practice, cybercriminals use Sneaky 2FA to deceive users while avoiding detection. The kit creates a fake browser window with HTML and CSS, so the page appears completely normal, from the imitation address bar to the pop-up login form, and the victim remains oblivious to the deliberate intent to steal usernames, passwords and even 2FA tokens. The criminals have also made Sneaky 2FA harder to analyse by restricting security tools' access to the phishing pages.

In an Instagram post, hacker-turned-cybersecurity-expert @trumancyber described fake Google login windows that look authentic and are designed to capture passwords and two-factor authentication codes, detailing the BitB technique that hackers use.

Browser-in-the-Browser Phishing

The BitB technique was first described in 2022. It disguises a phishing URL by drawing a realistic-looking browser pop-up window, including an address bar that shows a trusted domain, inside the attacker's own web page; the browser's real address bar still shows the phishing site, but the victim's attention is on the fake one.

Sneaky 2FA evades suspicion by giving the would-be victim the illusion of a secure authentication page, complete with two-factor authentication, while their credentials are handed straight to the attackers. This evolution in the tools cybercriminals deploy highlights the growing risk from phishing attacks that exploit user trust rather than software vulnerabilities.
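The security-relevant property of BitB, as described above, is that the fake window is ordinary page content: the 'address bar' the victim sees is drawn with HTML and CSS, while the browser's real address bar still shows the phishing host. The following Python script is an added example, not code from the article or from any vendor it cites; it turns that property into a check. Given the URL the browser actually loaded and the page's HTML, it flags URL text inside the page that names a login provider the page is not served from, next to a password field. The provider list, the sample page and the hostnames are constructed for the example.

```python
"""Heuristic check for a Browser-in-the-Browser (BitB) login pop-up.

Added example, not code from the article or any vendor it cites. The tell
for BitB is a fake address bar, drawn as page text, that names a login
domain different from the origin the browser really navigated to.
The sample HTML and host names below are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Identity providers commonly imitated in BitB pop-ups (assumed list).
LOGIN_HOSTS = {"accounts.google.com", "login.microsoftonline.com", "login.live.com"}

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


class _TextCollector(HTMLParser):
    """Collect visible text plus hints that a window frame is being drawn."""

    def __init__(self):
        super().__init__()
        self.texts = []
        self.lock_icons = 0
        self.password_fields = 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_fields += 1
        # Padlock images placed beside a fake URL bar.
        if tag == "img" and "lock" in ((a.get("src") or "") + (a.get("alt") or "")).lower():
            self.lock_icons += 1

    def handle_data(self, data):
        text = data.strip()
        if text:
            self.texts.append(text)
            if "\U0001F512" in text:  # padlock glyph drawn as text
                self.lock_icons += 1


def find_bitb_indicators(page_url: str, html: str) -> dict:
    """Return BitB indicators for `html` that the browser loaded from `page_url`.

    `page_url` is the origin the real address bar shows. Any URL text inside
    the page that names a login host other than that origin is a spoofed
    address bar; with a password field present, treat the page as suspicious.
    """
    real_host = (urlparse(page_url).hostname or "").lower()
    parser = _TextCollector()
    parser.feed(html)
    spoofed = []
    for text in parser.texts:
        for m in URL_RE.finditer(text):
            shown = m.group(1).lower()
            if shown in LOGIN_HOSTS and shown != real_host:
                spoofed.append(shown)
    return {
        "real_host": real_host,
        "spoofed_address_bars": sorted(set(spoofed)),
        "password_fields": parser.password_fields,
        "lock_icons": parser.lock_icons,
        "suspicious": bool(spoofed) and parser.password_fields > 0,
    }


# Constructed sample: a fake 'Sign in with Google' window drawn inside a page
# served from an attacker-controlled host.
SAMPLE_URL = "https://docs-share-review.example/open"
SAMPLE_HTML = """
<div class="fake-window" style="position:fixed;top:80px;left:200px;width:480px">
  <div class="titlebar">Sign in - Google Accounts</div>
  <div class="urlbar">&#128274; https://accounts.google.com/signin/v2/identifier</div>
  <form method="post" action="/collect">
    <input name="email" placeholder="Email">
    <input name="password" type="password" placeholder="Password">
    <input name="otp" placeholder="6-digit code">
  </form>
</div>
"""

if __name__ == "__main__":
    print(find_bitb_indicators(SAMPLE_URL, SAMPLE_HTML))
```

A manual check follows from the same property: a genuine pop-up window can be dragged outside the browser's own window, while a BitB window cannot leave the page that draws it.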

In December 2025, The Hacker News reported that highly sophisticated phishing kits now use artificial intelligence and MFA-subverting techniques to steal sensitive information. Similar patterns have been observed in Adversary-in-the-Middle (AiTM) phishing, where the attacker's server relays the login to the real service in real time and captures credentials, MFA tokens and the resulting session cookies.


What Can We Do?

According to Malwarebytes, the best defence against these phishing schemes is to use multi-factor authentication (MFA) together with a trusted password manager. A password manager helps because it only offers credentials on the domain they were saved for: the real page behind a BitB window is the phishing site, so the manager will offer nothing, which is itself a warning sign. It also helps to avoid clicking unsolicited links in suspicious messages unless the link's origin is confirmed, and to stay alert, remembering that in cyberattacks things are not always what they seem.

COE Security also recommends 'phishing-resistant authentication' such as FIDO2 hardware security keys or passkeys rather than SMS or app-based 2FA codes; these bind the credential to the genuine site's origin, so a lookalike window served from another domain cannot obtain a usable response. It recommends watching for unusual sign-in patterns and other signs that a session may not be legitimate, and applying conditional access policies, real-time pattern detection and device trust checks to add layered defences against phishing.
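The session-token replay described earlier (the attacker reusing a session minted after the victim completed MFA) is what the pattern detection and device trust checks recommended here are meant to catch. The following Python script is an added example, not code from the article or from any vendor it cites. It walks a small, constructed set of sign-in and activity events and raises an alert when a session that satisfied MFA is later used from a different IP address or browser; the event schema and the sample events are assumptions for the example and would need mapping onto a real identity provider's logs.

```python
"""Detect a session token being replayed after an MFA-completed sign-in.

Added example, not code from the article or any vendor it cites. A kit such
as Sneaky 2FA relays the victim's password and one-time code to the real
service and keeps the session cookie that comes back; the attacker then
presents that cookie from their own machine, and because the service already
regards the session as verified, no second MFA prompt is raised. The
detectable signal is the session being used from a client context (IP
address, user agent) other than the one that completed MFA. The log schema
and events below are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str            # "login" (session minted) or "activity" (session used)
    user: str
    session_id: str
    ip: str
    user_agent: str
    mfa_completed: bool = False


def detect_session_replay(events, max_gap=timedelta(hours=24)):
    """Return one alert per activity event whose client context differs from
    the MFA-completed login that minted the same session.

    A user-agent change on a live session is a strong signal (a browser does
    not change mid-session); an IP-only change is weaker because mobile users
    roam, so it is reported at lower severity for correlation with other data.
    """
    minted = {}          # session_id -> login Event that satisfied MFA
    alerts = []
    for e in sorted(events, key=lambda x: x.ts):
        if e.kind == "login" and e.mfa_completed:
            minted[e.session_id] = e
            continue
        if e.kind != "activity":
            continue
        origin = minted.get(e.session_id)
        if origin is None or e.ts - origin.ts > max_gap:
            continue
        mismatches = []
        if e.ip != origin.ip:
            mismatches.append("ip")
        if e.user_agent != origin.user_agent:
            mismatches.append("user_agent")
        if not mismatches:
            continue
        alerts.append({
            "user": e.user,
            "session_id": e.session_id,
            "minted_from": (origin.ip, origin.user_agent),
            "used_from": (e.ip, e.user_agent),
            "minutes_after_login": int((e.ts - origin.ts).total_seconds() // 60),
            "mismatches": mismatches,
            "severity": "high" if "user_agent" in mismatches else "medium",
        })
    return alerts


# Constructed sample. Alice completes MFA at 09:00; four minutes later her
# session cookie is presented from a different address with a different
# browser. Bob's session stays on one device and raises nothing.
T0 = datetime(2025, 12, 1, 9, 0, 0)
WIN_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/131.0"
LINUX_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"
SAMPLE_EVENTS = [
    Event(T0, "login", "alice@example.com", "sess-7f3a", "198.51.100.7", WIN_UA, True),
    Event(T0 + timedelta(minutes=1), "activity", "alice@example.com", "sess-7f3a", "198.51.100.7", WIN_UA),
    Event(T0 + timedelta(minutes=4), "activity", "alice@example.com", "sess-7f3a", "203.0.113.44", LINUX_UA),
    Event(T0 + timedelta(minutes=10), "login", "bob@example.com", "sess-a912", "192.0.2.15", WIN_UA, True),
    Event(T0 + timedelta(minutes=30), "activity", "bob@example.com", "sess-a912", "192.0.2.15", WIN_UA),
]

if __name__ == "__main__":
    for alert in detect_session_replay(SAMPLE_EVENTS):
        print(alert)
```

One caveat when applying this to AiTM kits: the sign-in itself reaches the identity provider from the attacker's relay, not from the victim's machine, so the login context recorded here may already be the attacker's infrastructure. Checking the login IP against known hosting and VPN ranges, and requiring a trusted, enrolled device for the sign-in, complements the replay check rather than replacing it.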