New Browser-in-the-Browser Phishing Attack to Steal Microsoft 365 Logins - Cyber Security News

A sophisticated Browser-in-the-Browser phishing campaign uses fake, draggable popups to steal Microsoft 365 login credentials and OAuth consent grants. Attackers evade detection by mimicking legitimate browser behavior, making it critical for users to employ phishing-resistant authentication like FIDO2 keys and monitor for unauthorized session access.