Particle.news

Sneaky 2FA Phishing Kit Adds BitB Pop-Ups to Steal Microsoft Credentials

The kit is sold to low-skill operators, lowering the barrier for convincing credential theft.

Overview

  • Push Security and others report active campaigns where Sneaky 2FA renders a fake Microsoft sign-in window that shows a legitimate-looking URL and adjusts to the victim’s OS and browser.
  • Observed attack chains route targets through a Cloudflare Turnstile check on an attacker domain such as previewdoc[.]us before presenting a “Sign in with Microsoft” prompt.
  • The BitB pop-up fronts a reverse-proxy phishing page, enabling theft of both credentials and active session tokens even when 2FA is enabled.
  • Operators use conditional loading, heavy obfuscation, disabled developer tools, and rapid domain rotation to evade detection and frustrate analysis.
  • Defenders are advised to use password managers that refuse to autofill on HTML fakes (they match the stored credential against the page’s real origin, not the URL text painted inside the pop-up), to apply layered MFA and conditional access, and to note research showing that passkeys can be undermined by malicious browser extensions or by AitM flows that downgrade authentication to a weaker method.