{
	"id": "19a8b2b4-fe0c-4e8a-8a11-d9b8c349b2b8",
	"created_at": "2026-04-18T02:22:26.267797Z",
	"updated_at": "2026-04-18T02:22:37.359887Z",
	"deleted_at": null,
	"sha1_hash": "6e72bcb7aaa5adcdeb713c85f60a5a7470cfba5e",
	"title": "Security Research | mr.d0x",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 156407,
	"plain_text": "Security Research | mr.d0x\r\nArchived: 2026-04-18 02:08:29 UTC\r\nThis article explores a phishing technique that simulates a browser window within the browser to spoof a legitimate domain.\r\nIntroduction\r\nFor security professionals, the URL is usually the most trusted aspect of a domain. Yes, there are attacks like IDN homograph and DNS hijacking that may degrade the reliability of URLs, but not to an extent that makes URLs unreliable.\r\nAll of this eventually led me to think: is it possible to make the “Check the URL” advice less reliable? After a week of brainstorming I decided that the answer is yes.\r\nPop-Up Login Windows\r\nQuite often when we authenticate to a website via Google, Microsoft, Apple, etc., we’re shown a pop-up window that asks us to authenticate. The image below shows the window that appears when someone attempts to log in to Canva using their Google account.\r\nhttps://mrd0x.com/browser-in-the-browser-phishing-attack/\r\nPage 1 of 5\r\nReplicating The Window\r\nFortunately for us, replicating the entire window design using basic HTML/CSS is quite simple. Combine the window design with an iframe pointing to the malicious server hosting the phishing page, and it’s basically indistinguishable. The image below shows the fake window compared with the real window. Very few people would notice the slight differences between the two.\r\nJavaScript can easily be used to make the window appear on a link or button click, on page load, etc. And of course you can make the window appear in a visually appealing manner through animations available in libraries such as jQuery.\r\nDemo\r\nCustom URL on-hover\r\nHovering over a URL to determine if it’s legitimate is not very effective when JavaScript is permitted. HTML for a link generally looks like this:\r\n<a href=\"https://gmail.com\">Google</a>\r\nIf an onclick handler that returns false is added, hovering over the link will still show the website in the href attribute, but when the link is clicked the href attribute is ignored. We can use this knowledge to make the pop-up window appear more realistic.\r\n<a href=\"https://gmail.com\" onclick=\"return launchWindow();\">Google</a>\r\nfunction launchWindow(){\r\n  // Launch the fake authentication window\r\n  return false; // Returning false makes the browser ignore the href attribute\r\n}\r\nAvailable Templates\r\nI’ve created templates for the following OS and browser combinations:\r\nWindows - Chrome (Light \u0026 Dark Mode)\r\nMac OSX - Chrome (Light \u0026 Dark Mode)\r\nThe templates are available on my GitHub here.\r\nConclusion\r\nWith this technique we are now able to up our phishing game. The target user would still need to land on your website for the pop-up window to be displayed. But once they have landed on the attacker-owned website, the user will be at ease as they type their credentials away on what appears to be the legitimate website (because the trustworthy URL says so).\r\nSource: https://mrd0x.com/browser-in-the-browser-phishing-attack/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://mrd0x.com/browser-in-the-browser-phishing-attack/"
	],
	"report_names": [
		"browser-in-the-browser-phishing-attack"
	],
	"threat_actors": [],
	"ts_created_at": 1776478946,
	"ts_updated_at": 1776478957,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6e72bcb7aaa5adcdeb713c85f60a5a7470cfba5e.pdf",
		"text": "https://archive.orkl.eu/6e72bcb7aaa5adcdeb713c85f60a5a7470cfba5e.txt",
		"img": "https://archive.orkl.eu/6e72bcb7aaa5adcdeb713c85f60a5a7470cfba5e.jpg"
	}
}