What Is a Browser in the Browser Attack (BitB)?

Written by: Lizzie Danielson

Published: 7/9/2026

woman at laptop

A browser in the browser attack (BitB) is a phishing technique that fakes an entire browser pop-up window, address bar and all, inside a webpage you're already viewing. It tricks you into typing your username and password into what looks like a legitimate sign-in prompt, when you're really handing your credentials straight to a threat actor.

Many users double check the address bar before typing in a password. It's good advice, and it's stopped a lot of phishing attempts over the years. A BitB attack gets around that habit entirely by faking the address bar itself, right down to the padlock icon that would normally indicate HTTPS encryption.

Key Takeaways

  • In a BitB attack, a threat actor uses HTML, CSS, and JavaScript to build a fake login pop-up that copies a real single sign-on (SSO) window, like the ones you see for "Sign in with Google" or "Log in with Microsoft."
  • BitB attacks target the trust people place in SSO logins, so anyone who regularly signs into Google, Microsoft, Apple, or Facebook is a potential target.
  • You can catch a BitB pop-up by trying to drag it outside the browser window. A real pop-up moves freely. A fake one gets stuck at the edge.

How a browser in the browser attack works

A BitB attack starts the same way a lot of phishing does: with bait. A threat actor sets up a fake or cloned website, maybe advertising a job opening, a shopping deal, or a document you need to review. From there, the attack usually plays out in a few steps:

  1. You land on the attacker's page. The link might arrive through a phishing email, a malicious ad, or a post on social media.
  2. You see a familiar sign-in option. The page offers a "Sign in with Google," "Continue with Microsoft," or similar SSO button, just like thousands of legitimate sites do every day.
  3. A pop-up window opens. It looks exactly like the real thing: a window frame, a title bar, and a URL that reads something like accounts.google.com, complete with the padlock icon.
  4. You type in your credentials. Since everything on the screen looks normal, you sign in like you always would.
  5. Your credentials go to the attacker. The window was never a separate browser process. It's an image and an iframe built with code, and the "form" sends your username and password directly to the threat actor's server.

The technique gets its name from a security researcher who goes by mr.d0x, who published the concept in March 2022 and showed how modern web code can replicate a browser window closely enough to fool the eye. Within weeks, researchers found the same method already in use against gamers, and it's shown up in credential theft campaigns targeting businesses and government agencies ever since.

Why BitB attacks are so hard to spot

Most phishing training tells people to check the URL before they log in. That advice works great against a typical fake website, where the address bar shows a suspicious domain. BitB flips that logic. The real browser window and its real address bar never change, because you never actually left the original page. The "second browser" is just a very convincing picture.

BitB is especially dangerous for growing businesses that lean on SSOn to keep logins simple. The more familiar and trusted an SSO pop-up feels, the less people question it, and threat actors are counting on that muscle memory.

Real-world examples

BitB isn't just a theory. In 2020, well before the attack had a name, Zscaler documented threat actors using the technique to steal Steam credentials through fake Counter-Strike: Global Offensive skin trading sites. After mr.d0x published open-source templates in 2022, security teams began spotting BitB used more broadly, including phishing kits that impersonated Microsoft and Google sign-in pages and campaigns aimed at government ministry websites. The pattern is consistent: Attackers build a convincing pop-up, then let the promise of a login or reward do the rest of the legwork.

How to protect your business from BitB attacks

You can't fix this with URL-checking habits alone, so layer in a few extra defenses:

  • Use a password manager. These tools autofill credentials based on the real, underlying domain, not what a fake window displays. If your password manager doesn't offer to autofill on a certain webpage, that's a red flag.
  • Try dragging the pop-up. A genuine browser window can move freely across your screen and even off the edge of your monitor. A fake BitB window will get stuck inside the parent page.
  • Turn on multi-factor authentication (MFA) and choose phishing-resistant options where you can. Phishing-resistant MFA, such as FIDO2 or passkeys, this protects accounts even when a password gets phished.
  • Train your team to slow down on SSO prompts. A pop-up that appears instantly, looks slightly off, or asks for credentials on a page you didn't expect is worth a second look before typing anything in.
  • Keep browsers and endpoint protection current. Updated browsers and managed detection tools such as Huntress Managed Endpoint Detection and Response are more likely to flag the scripts and iframes that BitB pages depend on.

Conclusion

A BitB attack fakes the one thing most of us are taught to trust: the browser window itself. By building a realistic pop-up with a spoofed address bar, threat actors turn a familiar SSO habit into a credential-stealing trap. You won't catch every BitB attempt just by eyeballing a URL, so pair user awareness with phishing-resistant MFA, password managers, and layered endpoint protection to keep one fake pop-up from turning into a full account takeover.

Technology alone won't stop a well-built fake login window. Your team needs to know what a BitB attempt looks like and what to do the moment something feels off. Huntress Managed Security Awareness Training gives your employees threat-intel-driven phishing simulations, Phishing Defense Coaching, and behavior-based assignments so they get real-world practice spotting tricks like BitB before they hand over credentials.

And the Huntress phishing protection stack—including Managed SAT, Managed EDR, Managed ITDR, and Managed SIEM—helps you prevent, detect, and shut down phishing-driven attacks before one stolen login turns into a full account takeover.

FAQs

It's a fake pop-up login window built with code to look exactly like a real browser sign-in prompt, designed to steal your username and password.

Regular phishing usually sends you to a fake website with a suspicious URL. BitB keeps you on the original page and fakes the pop-up window instead, so the address bar you'd normally check never actually changes.

It can capture whatever you type into the fake window, including one-time codes from weaker MFA methods. Phishing-resistant MFA, like a hardware security key or passkey, is much harder for a BitB attack to defeat.

Try to drag the window outside the browser's edges. A real pop-up window will move freely; a fake BitB window is trapped inside the page and won't cross the border.

Anyone who regularly signs in Google, Microsoft, Apple, or Facebook is a target, but businesses that rely heavily on SSO for employee logins face higher stakes, since one stolen credential can open the door to several connected systems.

Protect What Matters

Secure endpoints, email, and employees with the power of our 24/7 SOC. Try Huntress for free and deploy in minutes to start fighting threats.
Try Huntress for Free