Browser-in-the-Browser (BitB) Phishing Campaign
24 June 2026
By Rikesh Vekaria
- Credential harvesting technique using Browser-in-the-Browser (BitB) visual spoofing
- Multi-stage attack flow with filtering and fake loading screens
- CSS and JavaScript techniques to simulate legitimate browser windows
- Campaign Objective: Credential harvesting predominantly targeting UK businesses within the Finance Industry
Campaign Overview
The Mimecast Threat Research team has identified a phishing technique that leverages Browser-in-the-Browser (BitB) attacks to harvest credentials. Unlike traditional phishing pages, this method simulates an authentic browser popup window within the victim's actual browser, creating an additional layer of visual legitimacy that makes detection significantly more challenging for end users. The attack works by drawing a fake desktop window complete with title bar, window controls, padlock icon and address bar while loading the actual phishing content inside an iframe element. This creates the illusion that users are interacting with a legitimate authentication popup from a trusted service, when in reality they're viewing attacker-controlled content.
Campaign Flow
Stage 1: Bot Filtering
The attack begins with an initial verification page designed to filter out automated security scanners and bot traffic. This preliminary checkpoint prevents security tools from reaching the credential harvesting page, similar to techniques observed in recent CAPTCHA-based phishing campaigns.
Stage 2: Loading Screen
Once the initial verification is passed, victims are presented with a loading screen that appears to initialize a document or service. This creates a sense of legitimacy and provides the infrastructure time to prepare the BitB window.
Stage 3: BitB Window Display
The final stage presents the fake browser window. Instead of sending victims directly to a login form, the page renders a simulated desktop window with all the visual cues of a legitimate browser popup. The fake address bar displays a convincing URL format such as mail.customerdomain.com/login, while the actual page URL and iframe source both point to attacker infrastructure.
Technical Analysis
Obfuscated Configuration
The attack employs base64 encoding to hide sensitive strings from static security scanners. Configuration values are stored as encoded constants rather than plain text, preventing immediate detection of phishing URLs or impersonated domains.
The nested document parameter decodes to a pre-seeded victim mailbox (e.g. user@customer domain), passed to the phishing router to personalize the login page.
A Unicode-safe decoder handles non-ASCII characters after base64 decoding.
display_mode is set to 'iframe', selecting the popup-window layout over a full-page iframe alternative.
Visual Deception Through CSS
The attack uses CSS styling to replicate authentic browser chrome. Key design elements include:
- Fixed positioning with high z-index (99999) to float above all page content
- 31-pixel gray title bar with flex layout matching Windows-style window controls
- Padlock SVG in the fake address bar to simulate a secure connection
- Color-coded URL rendering (black domain, gray path) mirroring how real browsers display URLs
- Drop shadow effects to add depth and realism to the fake window
The iframe content is scaled to 90% with compensating width and height adjustments, ensuring the login form displays cleanly without revealing scrollbars or layout issues.
Interactive Window Controls
To enhance believability, the fake window includes functional controls:
- Draggable title bar allowing users to reposition the window
- Close button that temporarily hides the window but reopens after 1.5 seconds
- Maximize toggle that resizes the window between 40% and 70% width
- Hover states on window controls, with the close button turning red to match Windows conventions
These interactive elements create a convincing user experience that mimics legitimate browser behavior.
Cross-Frame Communication
After credential submission, the phishing backend can instruct the parent page to navigate away using the postMessage API.
The iframe sends a redirect command to the parent window, which then navigates to a specified URL, typically a legitimate site, to avoid suspicion.
Notably, the message listener does not validate the origin of incoming messages.
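The three kit traits described above (base64-encoded configuration constants, a fixed high-z-index window whose fake address bar disagrees with the iframe source, and a message listener that never consults event.origin) can be checked for mechanically when triaging a saved landing page. The following Node.js script is an added example written for this article; it is not Mimecast's detection logic and not code from the kit. The SAMPLE_HTML it analyses is constructed, with placeholder hosts (attacker.example, customer.example) standing in for real infrastructure, and the function names are assumptions of the example.

```javascript
// Added example (not Mimecast's tooling and not code from the phishing kit):
// static triage of a saved landing page for Browser-in-the-Browser traits.
// Runs under Node.js. SAMPLE_HTML is constructed for illustration and uses
// placeholder hosts (attacker.example, customer.example).

const SAMPLE_HTML = `
<script>
  // constructed: base64 of "mail.customer.example" and "user@customer.example"
  const a = "bWFpbC5jdXN0b21lci5leGFtcGxl";
  const b = "dXNlckBjdXN0b21lci5leGFtcGxl";
  const display_mode = "iframe";
  window.addEventListener("message", function (e) {
    if (e.data && e.data.redirect) location.href = e.data.redirect;
  });
</script>
<div id="win" style="position:fixed;top:10%;left:30%;z-index:99999;box-shadow:0 4px 20px rgba(0,0,0,.4)">
  <div style="height:31px;background:#e0e0e0;display:flex"></div>
  <div><svg></svg><span>mail.customer.example</span><span>/login</span></div>
  <iframe src="https://login.attacker.example/auth?d=dXNlckBjdXN0b21lci5leGFtcGxl"></iframe>
</div>`;

// Decode the way the kit does: base64 -> bytes -> UTF-8, so non-ASCII
// characters in the payload survive.
function decodeB64Utf8(s) {
  return Buffer.from(s, "base64").toString("utf8");
}

// Quoted constants made only of base64 alphabet characters, 16+ chars long.
const B64_LITERAL = /["']([A-Za-z0-9+/]{16,}={0,2})["']/g;
// A decoded value that reads as a mailbox, hostname or URL.
const MAIL_OR_HOST = /^(?:[\w.+-]+@[\w-]+(?:\.[\w-]+)+|(?:https?:\/\/)?[\w-]+(?:\.[\w-]+)+(?:\/\S*)?)$/;

function findEncodedIndicators(html) {
  const hits = [];
  for (const m of html.matchAll(B64_LITERAL)) {
    const decoded = decodeB64Utf8(m[1]);
    // keep decodes with no control characters that look like an address or host
    if (!/[\x00-\x1f\x7f]/.test(decoded) && MAIL_OR_HOST.test(decoded)) {
      hits.push({ encoded: m[1], decoded });
    }
  }
  return hits;
}

// The fake window: a fixed-position container with a very high z-index
// around an iframe. Compare hostnames shown in visible text (the fake
// address bar) with the host the iframe really loads.
function findFakeWindow(html) {
  let zIndex = null;
  for (const m of html.matchAll(/style=["']([^"']*)["']/gi)) {
    const z = /z-index\s*:\s*(\d+)/i.exec(m[1]);
    if (/position\s*:\s*fixed/i.test(m[1]) && z && Number(z[1]) >= 1000) zIndex = Number(z[1]);
  }
  const iframe = /<iframe\b[^>]*\bsrc=["']([^"']+)["']/i.exec(html);
  if (zIndex === null || !iframe) return null;
  const realHost = new URL(iframe[1]).hostname;
  const text = html.replace(/<script[\s\S]*?<\/script>/gi, " ").replace(/<[^>]+>/g, " ");
  const shownHosts = [...new Set((text.match(/\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b/gi) || []).map(h => h.toLowerCase()))];
  return { zIndex, realHost, shownHosts, spoofed: shownHosts.some(h => h !== realHost) };
}

// Message listeners and whether their body ever reads event.origin.
// Regex-based, so it handles simple handler bodies only.
const MESSAGE_LISTENER =
  /addEventListener\(\s*["']message["']\s*,\s*(?:function\s*\([^)]*\)|\([^)]*\)\s*=>|\w+\s*=>)\s*\{([\s\S]*?)\}\s*\)/g;

function findMessageListeners(html) {
  return [...html.matchAll(MESSAGE_LISTENER)].map(m => ({
    checksOrigin: /\.origin\b/.test(m[1]),
    body: m[1].trim(),
  }));
}

// Combine the three checks; two or more independent traits give a BitB verdict.
function triagePage(html) {
  const encoded = findEncodedIndicators(html);
  const win = findFakeWindow(html);
  const listeners = findMessageListeners(html);
  const reasons = [];
  if (encoded.length) reasons.push("base64 constants decode to: " + encoded.map(h => h.decoded).join(", "));
  if (win && win.spoofed) reasons.push(`fixed window (z-index ${win.zIndex}) shows ${win.shownHosts.join(", ")} but loads ${win.realHost}`);
  if (listeners.some(l => !l.checksOrigin)) reasons.push("message listener never checks event.origin");
  return { bitb: reasons.length >= 2, reasons, encoded, win, listeners };
}

console.log(JSON.stringify(triagePage(SAMPLE_HTML), null, 2));
```

The heuristics are regular-expression based and meant as an analyst's first pass over a saved page, not a replacement for rendering it in a sandbox. The origin check is worth keeping in any page review: a message handler that acts on data from any window is the same weakness whether it sits in a phishing kit or in a legitimate application.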
End-to-End Sequence
Mimecast Protection
We have identified several attributes in BitB campaigns that have been added to our detection capabilities. We continue to monitor for changes in techniques used by threat actors employing visual spoofing methods.
Targets:
Campaign targeting information is currently under investigation. Based on initial findings, UK businesses within the Finance industry appear to be the most heavily targeted.
Indicators of Compromise (IOCs)
Malicious Domains
- london.mailedattachment[.]com
- Secure.hekjone[.]com/fileshareable
IP Addresses
- 185.208.156.251 (credential collection endpoint)
Recommendations
User Awareness Training
- Educate employees on the specific characteristics of this campaign
- Train staff to verify the actual browser address bar rather than any address bar displayed within page content
- Educate users that legitimate SSO popups cannot be moved around inside a browser tab, nor do they carry their own window controls there
- Conduct phishing simulations that include BitB scenarios to test user recognition
Proactive Threat Hunting
- Search email receipt logs for the IOCs listed above
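As an added example of that hunting step (not Mimecast's tooling), the following Node.js script refangs the IOCs listed in this report and matches them against log lines. SAMPLE_LOG is constructed for illustration and its example hosts are placeholders; only the IOC values are taken from the report, and the function names are assumptions of the example.

```javascript
// Added example (not Mimecast's tooling): hunt for the defanged IOCs from this
// report across email receipt / proxy log lines. Runs under Node.js.
// SAMPLE_LOG is constructed for illustration; only IOCS comes from the report.

const IOCS = [
  "london.mailedattachment[.]com",
  "Secure.hekjone[.]com/fileshareable",
  "185.208.156.251",
];

const SAMPLE_LOG = [
  "2026-06-20T09:14:02Z msgid=a1 from=invoice@partner.example to=ap@fin.example url=https://london.mailedattachment.com/doc/open?id=77 action=delivered",
  "2026-06-20T09:15:41Z msgid=a2 from=news@vendor.example to=ceo@fin.example url=https://secure.hekjone.com/fileshareable/view action=delivered",
  "2026-06-20T09:16:10Z msgid=a3 from=hr@fin.example to=all@fin.example url=https://intranet.fin.example/policy action=delivered",
  "2026-06-20T09:17:55Z msgid=a4 from=docs@share.example to=ops@fin.example url=http://185.208.156.251/auth/post action=delivered",
  "2026-06-20T09:19:03Z msgid=a5 from=it@vendor.example to=cfo@fin.example url=https://secure.hekjone.com/login action=delivered",
];

// Undo the usual defanging: "[.]" -> "." and a leading "hxxp" -> "http".
function refang(ioc) {
  return ioc.replace(/\[\.\]/g, ".").replace(/^hxxp/i, "http");
}

// Split an IOC into an IP, or a lowercased host with an optional path prefix.
function parseIoc(ioc) {
  const clean = refang(ioc).replace(/^https?:\/\//i, "");
  if (/^\d{1,3}(?:\.\d{1,3}){3}$/.test(clean)) return { kind: "ip", host: clean, path: null };
  const slash = clean.indexOf("/");
  return {
    kind: "host",
    host: (slash < 0 ? clean : clean.slice(0, slash)).toLowerCase(),
    path: slash < 0 ? null : clean.slice(slash).toLowerCase(),
  };
}

// Any URL-like or dotted-host token in a log line, with its path if present.
const URL_TOKEN = /(?:https?:\/\/)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(\/[^\s"'<>]*)?/gi;

// One hit per (line, IOC). A host IOC that carries a path is a "full" match
// only when the observed path starts with it; otherwise "host-only", which is
// still worth reviewing because the same host may serve other kit paths.
function hunt(lines, iocs) {
  const parsed = iocs.map(parseIoc);
  const hits = [];
  lines.forEach((line, idx) => {
    for (const m of line.matchAll(URL_TOKEN)) {
      const host = m[1].toLowerCase();
      const path = (m[2] || "").toLowerCase();
      for (const ioc of parsed) {
        if (host !== ioc.host) continue;
        const full = !ioc.path || path.startsWith(ioc.path);
        hits.push({ line: idx + 1, ioc: ioc.host + (ioc.path || ""), observed: m[0], matched: full ? "full" : "host-only" });
      }
    }
  });
  return hits;
}

for (const h of hunt(SAMPLE_LOG, IOCS)) {
  console.log(`line ${h.line}: ${h.matched} match on ${h.ioc} (${h.observed})`);
}
```

Host comparison is case-insensitive because the report lists one domain with a capitalised label; paths are lowercased too, which is deliberately loose for hunting and should be tightened if it produces noise.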
Conclusion
Browser-in-the-Browser attacks represent a significant evolution in phishing sophistication, leveraging visual deception to bypass user awareness and exploit trust in familiar UI patterns. The technique's effectiveness stems from its ability to simulate legitimate authentication flows with remarkable accuracy, making it challenging for users to distinguish real from fake. As BitB techniques continue to evolve and spread across threat actor ecosystems, security teams should remain vigilant for new variations and infrastructure patterns associated with these campaigns.