FBI Microsoft 365 Phishing Alert Warns of Fake Login Popups

Palo Alto Networks Unit 42 says a Browser-in-the-Browser phishing campaign is targeting Microsoft 365 users with fake login popups that imitate browser authentication windows. The phishing page builds a convincing Microsoft sign-in prompt inside the browser itself. The result is a credential trap that can look normal at a glance.

Unit 42 fake Microsoft sign-in

Victims who click a Microsoft sign-in button are shown a standard-looking authentication prompt with a spoofed Microsoft OAuth URL and a login form. Unit 42 said, "The spoofed URL in the address bar is carefully constructed to look like a real OAuth flow," which means the fake page is trying to mimic the part users are most likely to trust before entering a password.

The popup can be dragged around the screen. It also includes back, refresh, minimize, and close buttons. That makes it behave more like a browser window than a static fake page, which can lower the chance that a rushed user notices the trick before typing credentials.

Windows macOS Linux browsers

The phishing page identifies the operating system and browser in use. It then adjusts the popup to match Windows, macOS, or Linux. It also matches Chrome, Firefox, Edge, or Safari, so the same scam can fit the look of the device in front of the victim.

The campaign also overrides browser console functions. It breaks visible text strings into pieces to get past simple keyword-based checks. It routes suspected bots and automated scanners to a legitimate Microsoft Office help page instead of the phishing content, which adds another layer of concealment.
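The traits described above (a Microsoft login URL drawn as page content, text split into pieces, reassigned console functions) can be checked in saved page HTML. The following triage sketch is an added example, not Unit 42's tooling or code from the campaign. It assumes the text is fragmented with inline tags, comments or zero-width characters, which the report does not specify, and its function names, finding labels and sample pages are constructed for illustration.

```javascript
// Added example (defensive triage): flag Browser-in-the-Browser traits in saved page HTML.
// Assumption: text is fragmented with inline tags, comments or zero-width characters.
const MS_LOGIN_HOSTS = ["login.microsoftonline.com", "login.live.com"];

// Rejoin text that was split across elements so keyword checks see whole words.
function visibleText(html) {
  return html
    .replace(/<(script|style)\b[\s\S]*?<\/\1\s*>/gi, " ")       // drop code and CSS
    .replace(/<!--[\s\S]*?-->/g, "")                             // comments used as splitters
    .replace(/<\/?(span|b|i|em|strong|font|wbr)\b[^>]*>/gi, "") // inline tags join text
    .replace(/<[^>]+>/g, " ")                                    // other tags separate text
    .replace(/&shy;|&#173;|&#8203;|[\u00ad\u200b-\u200d\u2060\ufeff]/gi, "")
    .replace(/\s+/g, " ")
    .toLowerCase();
}

function assessPage(pageUrl, html) {
  const host = new URL(pageUrl).hostname.toLowerCase();
  const onMicrosoft = MS_LOGIN_HOSTS.includes(host);
  const text = visibleText(html);
  const findings = [];
  // A real address bar is browser chrome, never page content. A login host printed
  // as body text on a page served from elsewhere indicates a drawn address bar.
  const shownHost = MS_LOGIN_HOSTS.find((h) => text.includes(h));
  if (shownHost && !onMicrosoft) findings.push("drawn-address-bar");
  const hasPassword = /<input\b[^>]*type\s*=\s*["']?password/i.test(html);
  if (hasPassword && !onMicrosoft && /sign in|microsoft/.test(text)) findings.push("offsite-ms-login-form");
  // A keyword visible only after rejoining means the raw source was hiding it.
  if (text.includes("sign in") && !/sign in/i.test(html)) findings.push("fragmented-text");
  if (/console\s*\.\s*(log|warn|error|debug|info)\s*=(?!=)/.test(html)) findings.push("console-override");
  return findings;
}

// Constructed samples, not taken from the campaign.
const SAMPLE_PHISH = `<html><body><script>console.log = function(){};</script>
<div class="win"><div class="bar">https://login.micro<span></span>softonline.com/common/oauth2/authorize</div>
<h1>Si<span>gn</span>&#8203; <!-- x -->i<b>n</b></h1>
<input type="email"><input type="password"></div></body></html>`;
const SAMPLE_BENIGN = `<html><body><a href="https://login.microsoftonline.com/">Sign in with Microsoft</a></body></html>`;

console.log(assessPage("https://portal.example.test/doc", SAMPLE_PHISH));
console.log(assessPage("https://intranet.example.test/", SAMPLE_BENIGN));
```

An ordinary link to the Microsoft login host produces no finding because the host appears only in an attribute, not as visible text. These are triage heuristics for analyst review, not a verdict.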

Microsoft 365 token theft context

Last month, the FBI warned about Kali365, a phishing-as-a-service platform that enables attackers to steal Microsoft 365 access tokens and bypass MFA through device code phishing. That earlier warning shows Microsoft 365 users remain a repeated target, and it gives this new campaign a familiar target set rather than an isolated one-off page.

Unit 42 also published a list of domains associated with the campaign. For anyone handling Microsoft 365 logins, the practical response is to treat popups that appear inside a webpage as suspect, especially when the address bar, login form, and window controls all look polished enough to pass on first glance.
