Palo Alto Networks Unit 42 has reported a Browser-in-the-Browser (BitB) phishing campaign that targets Microsoft 365 users with fake login popups built to look like real browser authentication windows. The "popup" is not a separate browser window at all: it is HTML and CSS drawn inside the phishing page, complete with a fake title bar and address bar. The lure is simple and familiar: click a Microsoft sign-in button, and a standard-looking prompt appears showing a spoofed Microsoft OAuth URL above a login form designed to capture credentials.
The timing matters because Microsoft 365 users remain a steady target, and this campaign is not relying on a crude copy of a login page. The popup can be dragged around the screen, includes back, refresh, minimize and close buttons, and changes its appearance to match Windows, macOS or Linux, as well as Chrome, Firefox, Edge or Safari. That tailoring helps the fake window blend into the system the victim is actually using, which is exactly why these pages can work even when people think they are watching closely. The quickest manual check follows from how the trick works: because the window is part of the page, it cannot be dragged beyond the edge of the browser viewport, and the browser's own address bar still shows the phishing site's domain rather than the Microsoft URL painted inside the fake window.
Unit 42 said the spoofed URL in the fake address bar is carefully constructed to look like a real OAuth flow. That matters because OAuth-based sign-ins are common enough that many users do not pause when they see a familiar-looking authorization screen. In this campaign, the login experience is wrapped in a sandboxed iframe, while the visible text is split across multiple elements so that a scanner matching keywords against the raw markup never sees the phrases a human reads. The result is a page that looks ordinary to a person and less obvious to basic automated filters.
The most revealing detail is that the page does not behave the same way for everyone who opens it. It identifies the visitor's operating system and browser, then serves the version of the fake window that matches. At the same time, it redirects suspected bots and automated scanners to a legitimate Microsoft Office help page instead of exposing the phishing content, so a crawler that fetches the URL with a default client sees nothing malicious. That kind of split behavior is a warning sign in itself: the page is trying to be both convincing to a human and invisible to a machine.
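The two evasion tricks described above (split visible text and an address bar that is only page content) can both be checked with a small amount of JavaScript. The block below is an added illustration written for this article; it is not Unit 42's code and not the campaign's kit. The sample markup, the `SAMPLE_BITB_HTML` name and the `attacker.example` host are constructed for the example, and the tag stripper is a deliberately simple stand-in for a real DOM.

```javascript
// Added illustration (not Unit 42's code, not the campaign's kit): how splitting
// visible strings across elements defeats a raw-markup keyword filter, and how a
// detector that reassembles rendered text and looks for URL-shaped text can still
// flag an address bar that is really just HTML. Runs under Node.js, no dependencies.

// Constructed sample of a fake "window": a fake address bar and a login prompt,
// both assembled from fragments. Markup and hostnames are made up for this example.
const SAMPLE_BITB_HTML = `
<div class="win">
  <div class="bar"><span>https://</span><span>login.micro</span><span>softonline.com</span><span>/common/oauth2/v2.0/authorize</span></div>
  <div class="body">
    <span>Si</span><span>gn&nbsp;in</span> <span>to your </span><span>Micro</span><span>soft</span><span> account</span>
    <input type="password" name="passwd">
  </div>
</div>`;

// A naive filter that looks for a phrase in the raw HTML. This is what the
// split-text trick is built to evade.
function naiveKeywordHit(html, keyword) {
  return html.toLowerCase().includes(keyword.toLowerCase());
}

// Approximate what the user actually sees: drop script/style, strip tags,
// decode the entities that matter here, remove zero-width and soft-hyphen
// characters that kits sometimes sprinkle into words, and collapse whitespace.
function visibleText(html) {
  return html
    .replace(/<script[\s\S]*?<\/script>/gi, "")
    .replace(/<style[\s\S]*?<\/style>/gi, "")
    .replace(/<[^>]+>/g, "")
    .replace(/&nbsp;/gi, " ")
    .replace(/&amp;/gi, "&")
    .replace(/[\u200B-\u200D\uFEFF\u00AD]/g, "")
    .replace(/\s+/g, " ")
    .trim();
}

// The same keyword check, run over reassembled text instead of raw markup.
function normalizedKeywordHit(html, keyword) {
  return visibleText(html).toLowerCase().includes(keyword.toLowerCase());
}

// A real address bar is browser chrome and never appears in page text. URL-shaped
// text whose host differs from the document's real origin is the Browser-in-the-
// Browser tell: the "address bar" is a styled element inside the page.
const URL_IN_TEXT = /https?:\/\/[a-z0-9.-]+(?:\/[^\s"'<>]*)?/gi;

function findAddressBarSpoofs(html, realOrigin) {
  const realHost = new URL(realOrigin).hostname;
  const spoofs = [];
  for (const match of visibleText(html).matchAll(URL_IN_TEXT)) {
    const shownHost = new URL(match[0]).hostname;
    if (shownHost !== realHost) {
      spoofs.push({ shown: match[0], shownHost, realHost });
    }
  }
  return spoofs;
}

// Stand-alone demonstration when run directly with `node`.
if (typeof require !== "undefined" && require.main === module) {
  console.log("raw markup contains 'sign in':", naiveKeywordHit(SAMPLE_BITB_HTML, "sign in"));
  console.log("rendered text contains 'sign in':", normalizedKeywordHit(SAMPLE_BITB_HTML, "sign in"));
  console.log(findAddressBarSpoofs(SAMPLE_BITB_HTML, "https://attacker.example/"));
}
```

Two practical notes. First, inside a real browser or a headless one, replace the tag stripper with `document.body.innerText`, which already yields the text as rendered, and compare the hosts found there against `location.hostname`. Second, because this campaign serves a harmless Microsoft help page to anything it classifies as a bot, a scanner that fetches the URL with a library default User-Agent will see nothing to inspect; the fetch has to present a realistic browser User-Agent (or use a real browser) before any of the checks above have anything to run on.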
That is why the campaign sits in the same threat lane as earlier warnings about Kali365, a phishing-as-a-service platform the FBI said last month could steal Microsoft 365 access tokens and bypass MFA through device code phishing, where the victim is talked into entering an attacker-initiated code on a genuine Microsoft page. Different technique, same target, and the common thread is access to Microsoft 365 accounts through a sign-in flow that looks normal until it is too late. Unit 42 has published a list of domains tied to the campaign, but the key question for users is less about the names than the pattern: any login window that suddenly appears inside the browser, matches the device, and nudges you toward a Microsoft sign-in should be treated with caution. For defenders, the structural answer to a credential-capture page like this is origin-bound, phishing-resistant MFA (FIDO2 security keys or passkeys), which cannot be replayed from a form on a domain Microsoft does not own.