Browser-in-the-Browser (BitB) Phishing: Why Users Still Fall for It

Manish Garg · Associate of (ISC)² · RingSafe
Apr 25, 2026

Browser-in-the-Browser (BitB) is a phishing technique disclosed in early 2022: the attacker renders a fake browser popup window inside the actual browser tab. The fake popup imitates a legitimate OAuth/SSO sign-in window (Google, Microsoft, Apple), complete with a URL bar showing the identity provider's address. Victims check that URL bar and trust it; the only real address bar, the tab's own, shows the attacker's domain. This article covers how BitB works, why it remains effective after four years of awareness, and what defenders should look for.

The technique

OAuth / SSO flows typically open a popup window for authentication. Attackers build a phishing page that uses HTML/CSS to draw a fake popup inside the same tab: window chrome, a URL bar showing the identity provider's address, a padlock icon. The "popup" is a styled div in the attacker's page, and its URL bar is plain text or an image; the browser has rendered none of it as chrome.

The user interacts with what they think is a Google / Microsoft sign-in popup. Their password and any OTP go into the attacker's HTML form. Kits commonly pair BitB with an adversary-in-the-middle (AiTM) reverse proxy, so the body of the fake window is an iframe of the proxied real login page and the attacker also captures the session cookie issued after MFA.

Why it works

  • Users trained to "check the URL" check the URL bar of the fake window, which reads accounts.google.com
  • The real address bar (which shows the attacker's domain) sits outside the area the user is focused on, and on mobile it collapses out of view as the page scrolls
  • Modern phishing kits reproduce the OAuth popup's look pixel for pixel, with a template per OS / browser combination chosen from the victim's user-agent so the fake chrome matches the real one
  • Users have been trained to expect OAuth popups; the muscle-memory response is to enter credentials

Detection — what works

  • URL inspection: the tab's own address bar tells the truth, but users miss it. Awareness training helps but is fragile.
  • Drag the popup outside the browser window: a real OAuth popup is a separate OS-level window (opened with window.open), can be dragged clear of the parent and resized, and gets its own taskbar entry. A BitB fake popup is an HTML element and cannot leave the tab's viewport. Clicking into the URL bar is a second check: a real one is editable, a painted one is not. Neither test is available on mobile, where popups open as tabs.
  • Browser security extensions and endpoint protection: uBlock Origin with phishing blocklists, Microsoft Defender SmartScreen / Defender for Endpoint web protection and similar tools block known BitB pages by domain. They do not recognise the technique itself, so a fresh kit domain gets through until it is listed.
  • Email security: link detonation in a sandbox that renders the destination can catch the BitB page before the user opens it, provided the kit does not fingerprint and evade the sandbox.
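The following is an added example, not code from the article: a heuristic that a link-detonation sandbox could run over the HTML it fetched from a mailed link. A BitB page shows an identity provider's hostname as plain text (the painted URL bar) while being hosted somewhere else and asking for a password; a real IdP page is hosted on that hostname, and a blog that merely mentions it has no password field. The IdP host list, page URLs and HTML snippets are constructed for the demo.

```javascript
// Added example (not the article's code): static BitB indicators for a
// detonation sandbox. Hostnames, URLs and HTML below are constructed samples.
const KNOWN_IDP_HOSTS = ['accounts.google.com', 'login.microsoftonline.com', 'appleid.apple.com'];

// Text the user would actually see: drop scripts, styles and all tags/attributes.
function visibleText(html) {
  return html
    .replace(/<script[\s\S]*?<\/script>/gi, ' ')
    .replace(/<style[\s\S]*?<\/style>/gi, ' ')
    .replace(/<[^>]+>/g, ' ');
}

// Hosts that <form> elements submit to (a form with no action posts to the page host).
function formTargetHosts(html, pageUrl) {
  const hosts = new Set();
  for (const m of html.matchAll(/<form\b([^>]*)>/gi)) {
    const action = /\baction\s*=\s*["']([^"']*)["']/i.exec(m[1]);
    hosts.add(new URL(action ? action[1] : '', pageUrl).hostname);
  }
  return hosts;
}

// Returns a list of findings; empty means no BitB indicator.
function bitbIndicators(html, pageUrl) {
  const pageHost = new URL(pageUrl).hostname;
  const hasPasswordField = /<input\b[^>]*\btype\s*=\s*["']password["']/i.test(html);
  const text = visibleText(html);
  const findings = [];
  for (const idp of KNOWN_IDP_HOSTS) {
    const hostedOnIdp = pageHost === idp || pageHost.endsWith('.' + idp);
    if (hostedOnIdp || !text.includes(idp)) continue;
    // Not the IdP, yet the IdP's hostname is visible as text and a password is requested:
    // the hallmark of a URL bar that was painted rather than rendered by the browser.
    if (hasPasswordField) {
      const targets = [...formTargetHosts(html, pageUrl)].join(', ') || 'none';
      findings.push(`shows "${idp}" as text and asks for a password, but is hosted on ${pageHost} (forms post to: ${targets})`);
    }
  }
  return findings;
}

// Constructed sample 1: a BitB page on an attacker-controlled host.
const BITB_HTML = `
<div class="fake-window" style="position:fixed;top:80px;left:200px;width:480px">
  <div class="titlebar">Sign in - Google Accounts</div>
  <div class="urlbar">&#128274; https://accounts.google.com/o/oauth2/v2/auth?client_id=demo</div>
  <form method="post" action="/collect">
    <input type="email" name="user"><input type="password" name="pass"><button>Next</button>
  </form>
</div>`;
const BITB_URL = 'https://docs-share.example-attacker.test/view';

// Constructed sample 2: the genuine IdP page, hosted on the IdP's own domain.
const REAL_IDP_HTML = `<form action="/v3/signin/challenge"><input type="password" name="pass"></form>`;
const REAL_IDP_URL = 'https://accounts.google.com/v3/signin/identifier';

// Constructed sample 3: a blog post that merely mentions the IdP hostname.
const BLOG_HTML = `<p>OAuth popups come from accounts.google.com, not from the app you are using.</p>`;
const BLOG_URL = 'https://blog.example.net/post';

for (const [html, url] of [[BITB_HTML, BITB_URL], [REAL_IDP_HTML, REAL_IDP_URL], [BLOG_HTML, BLOG_URL]]) {
  console.log(url, '->', bitbIndicators(html, url));
}
```

This is a text-level heuristic and nothing more: a kit that draws the URL bar as an image, or loads the form in an iframe from a second domain, needs a rendered-DOM check (screenshot OCR, or walking the frame tree in the sandbox browser) rather than a regex over the HTML.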

The structural fix — passkeys

Passkeys (FIDO2 credentials used over WebAuthn) defeat BitB the same way they defeat AiTM phishing: the credential is bound to the legitimate origin. The origin is supplied by the browser, not by the page, so it is the tab's real origin (the attacker's domain), never the address painted inside the fake popup. Two things then fail for the attacker. The browser refuses to use the relying party's RP ID from an origin that does not match it, so the authenticator is never asked to sign. And even if an assertion were obtained and relayed, the browser writes the real origin into the signed clientDataJSON, and the relying party rejects any origin it does not own.

If users sign in with a passkey, BitB has nothing to capture. The caveat is the fallback: a kit that cannot obtain a passkey assertion simply renders the password-and-OTP form instead, so phishing of typed credentials and MFA prompts only becomes obsolete once those phishable factors are retired or gated, not merely supplemented.

The 2026 reality

  • BitB phishing is widely used in commodity phishing kits
  • Awareness training reduces but does not eliminate clicks
  • Passkey adoption is growing but slow
  • Indian banking apps and fintech increasingly require passkey for high-value transactions

Defender priorities

  1. Roll out passkeys for administrators and high-value accounts, and retire or gate the password / OTP fallback for them
  2. Email security with link detonation that renders the destination page, since BitB is invisible in the link itself
  3. Awareness training including BitB demos (show users the fake-popup trick and the drag test; they remember what they have seen)
  4. Browser policies (Edge / Chrome enterprise) that enforce SmartScreen / Safe Browsing and block known phishing domains
  5. SIEM rules for sign-ins that fit the phishing pattern: impossible travel, new device plus new IP, sessions from hosting-provider ranges (where AiTM proxies live), and a successful MFA from an unusual user-agent

The takeaway

BitB phishing is a 2022 disclosure that remains effective in 2026 because user training does not scale and the fake popup is convincing. The structural fix is passkeys / FIDO2: origin-bound authentication that a look-alike window cannot trick, because the browser, not the page, decides which origin the credential is used for. Every phishing-defence conversation in 2026 should end with "and we're rolling out passkeys" because nothing else durably solves the bug class.

Need a real pentest?

Get a VAPT scoping call

Senior practitioner-led VAPT, not a checklist run by juniors. CVSS-scored findings, free retest, attestation letter. For India's SMBs and SaaS teams.
