What Is a Browser in the Browser Attack (BitB)?
Written by: Lizzie Danielson
Published: 7/9/2026
FAQs
It's a fake pop-up login window built with code to look exactly like a real browser sign-in prompt, designed to steal your username and password.
Regular phishing usually sends you to a fake website with a suspicious URL. BitB keeps you on the original page and fakes the pop-up window instead, so the address bar you'd normally check never actually changes.
It can capture whatever you type into the fake window, including one-time codes from weaker MFA methods. Phishing-resistant MFA, like a hardware security key or passkey, is much harder for a BitB attack to defeat.
Try to drag the window outside the browser's edges. A real pop-up window will move freely; a fake BitB window is trapped inside the page and won't cross the border.
Anyone who regularly signs in Google, Microsoft, Apple, or Facebook is a target, but businesses that rely heavily on SSO for employee logins face higher stakes, since one stolen credential can open the door to several connected systems.