Attacks based on social engineering are, today, the ones that cause the most headaches for companies and users. Human behavior in unfamiliar situations is unpredictable, and curiosity combined with haste opens the door to tactics that, without touching your network or your computer, end up stealing sessions and sensitive data. Within this catalog, the so-called Browser-in-the-Middle (BitM) attacks stand out for their operational simplicity and effectiveness. They mimic legitimate interfaces and take control of what you do from the browser itself, capturing credentials, access tokens and even authentication codes with cloned pages that look real down to the last pixel.
What is a Browser-in-the-Middle (BitM) attack?
A Browser-in-the-Middle attack lets an attacker control a user's session in real time through the website the user is interacting with. There is no need to compromise the device or the local network: the attacker interposes a transparent web environment, typically a remote browser, between the victim and the legitimate service.
This intermediary is a cloned page, as convincing as the original, that relays the user's interactions. As soon as you enter your username and password or approve an MFA prompt, the attacker can capture cookies, JWTs, OAuth tokens and other session authentication artifacts.
Key differences with MitM, MITB and BitB
Classic MitM operates at the network level: it intercepts packets between client and server using techniques such as ARP spoofing or rogue certificates. BitM, by contrast, works at the browser layer, through fake interfaces that deceive the eye and capture the session without the attacker having to sit on the victim's network path.
MITB, Man-in-the-Browser, is another well-known variant in which a Trojan embeds itself in the victim's browser and manipulates transactions. In MITB the attacker compromises the browser with malware and uses a C2 channel to activate target-specific injection templates, for example for online banking; BitM needs no malware on the victim and relies instead on a transparent remote browser.
BitB, Browser-in-the-Browser, is a visual phishing technique. It simulates a login popup inside the page itself, typically imitating sign-in with Google, Facebook or similar providers, without ever navigating to a legitimate authentication domain.
Differential features of the BitM

- No malware on the endpoint: control is exercised from the attacker's remote browser, not from software installed on the victim's computer.
- Visual and functional interception: the attacker sees and manipulates what the user does in real time.
- Session and token capture: cookies, JWTs and OAuth tokens are accessible to the attacker.
- MFA evasion: once the user has authenticated, the attacker reuses the active session rather than defeating the second factor.
- High fidelity: the cloned pages are almost indistinguishable from the originals.
How a BitM is executed
The starting point is usually a malicious link sent by email, SMS or social media. A click leads to a cloned page that acts as a visual proxy between the user and the real service, usually hosted in a container controlled by the attacker.
Campaigns have been observed that place links in videos on social platforms to redirect viewers to fake banking or webmail portals. Credentials and second-factor codes entered there are captured instantly and reused to hijack the session.
Typical phases of the attack
- Phishing: the victim reaches the attacker's server via a seemingly legitimate hyperlink and authenticates to a web application under the attacker's control.
- Transparent browser: through JavaScript and proxying, the victim is actually operating a remote browser that records keystrokes and the whole session flow.
- Application abuse: once inside, the attacker reuses the session for unauthorized actions such as password changes or transfers.
Session tokens, cookies, and the reality of MFA
Once you pass MFA, sites issue session tokens that let you continue without re-verifying your identity. If that token is stolen, the session is stolen with it, so MFA no longer protects that particular session.
In BitM architectures, tokens and cookies are captured in real time and sent to the attacker's servers. This removes operational friction for the adversary, who gains quick, low-preparation access to internal accounts and dashboards.
Some OAuth flows are targeted preferentially, since a single token can grant cross-access to multiple services. The Secure and HttpOnly cookie flags stop page scripts from reading a cookie, but they are irrelevant when the attacker is the browser in the middle: the cookie is read from the HTTP response on the attacker's side, before any script policy applies, and session reuse remains viable.
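To make the three phases above and the cookie-flag point concrete, here is an added, in-process simulation (not code from the article or from any real BitM kit): a toy service that requires a password and a one-time code and issues a Secure/HttpOnly session cookie, a transparent proxy that relays the victim's login unchanged while logging the credentials and the raw Set-Cookie header, and the attacker replaying the captured cookie against the real service. The service, the user record and the one-time code are constructed for the example; nothing goes over the network.

```python
"""Constructed simulation of a Browser-in-the-Middle session theft.

Three parties: a legitimate service, the attacker's transparent proxy that the
victim unknowingly talks to, and the attacker replaying what the proxy saw.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    body: str
    headers: dict = field(default_factory=dict)


def parse_cookie(header):
    """Minimal Cookie/Set-Cookie parser: 'a=1; b=2; HttpOnly' -> {'a': '1', 'b': '2'}."""
    out = {}
    for part in header.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            out[key] = value
    return out


class LegitimateService:
    """Toy service: password + one-time code, then a flagged session cookie."""

    def __init__(self):
        self.users = {"alice": ("correct horse", "482913")}  # constructed credentials
        self.sessions = {}  # session id -> user

    def login(self, user, password, otp):
        expected_pw, expected_otp = self.users.get(user, (None, None))
        if password != expected_pw or otp != expected_otp:
            return Response(401, "bad credentials")
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        # Secure/HttpOnly only constrain the *browser* that receives this header.
        return Response(302, "redirect /dashboard",
                        {"Set-Cookie": f"session={sid}; Secure; HttpOnly; SameSite=Lax"})

    def dashboard(self, cookie_header):
        user = self.sessions.get(parse_cookie(cookie_header).get("session"))
        if user is None:
            return Response(401, "login required")
        return Response(200, f"welcome {user}")


class TransparentProxy:
    """The attacker's intermediary: relays traffic unchanged and logs it."""

    def __init__(self, upstream):
        self.upstream = upstream
        self.captured = []  # (kind, *data) tuples

    def relay_login(self, user, password, otp):
        self.captured.append(("credentials", user, password, otp))
        resp = self.upstream.login(user, password, otp)  # forwarded as-is
        set_cookie = resp.headers.get("Set-Cookie")
        if set_cookie:
            # Read straight from the response header; HttpOnly never comes into play.
            self.captured.append(("cookie", set_cookie))
        return resp  # the victim sees the genuine redirect and a working session


def replay_captured_session(proxy, service):
    """Attacker presents the stolen cookie directly to the real service."""
    for kind, *data in proxy.captured:
        if kind == "cookie":
            sid = parse_cookie(data[0])["session"]
            return service.dashboard(f"session={sid}")
    return None  # nothing captured (e.g. the login failed)


def run_scenario():
    """Returns (victim status, attacker status, attacker body) for the happy path."""
    service = LegitimateService()
    proxy = TransparentProxy(service)
    victim_view = proxy.relay_login("alice", "correct horse", "482913")
    attacker_view = replay_captured_session(proxy, service)
    return victim_view.status, attacker_view.status, attacker_view.body


if __name__ == "__main__":
    print(run_scenario())  # (302, 200, 'welcome alice')
```

The victim receives the real redirect and a working session, so nothing looks wrong. The Secure and HttpOnly attributes are honoured by the browser that receives the cookie; here that browser belongs to the attacker, who reads the header before it is ever stored, which is why session reuse succeeds regardless of the flags.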
Risk scenarios and attack surfaces
Public or poorly configured Wi-Fi hotspots are a magnet for these campaigns. Open networks facilitate SSID spoofing and automatic connection to remembered network names, which lead to fake captive portals and attacker-controlled flows.
In corporate LANs the danger exists if an attacker manages to get a foothold on the network. From there they can orchestrate redirects and manipulate DNS resolution to steer users to mirror pages without raising suspicion.
Outdated software is also a vector. Browsers and extensions with known flaws allow script injection, silent redirects or privilege escalation within the browser context.
BitB or Browser-in-the-Browser: embedded window phishing
With BitB, the attacker recreates a login pop-up window inside the page itself. The goal is to make it look like the usual third-party sign-in window, but it is a rendering embedded in the page, and the browser never leaves the malicious domain.
- Warning signs: no new window appears in the taskbar, the box cannot be resized, and the address bar cannot be edited.
- Strange persistence: if you minimize the main window and the pop-up disappears with it, it is not a real window.
- Drag behavior: when you try to drag the popup past the browser's edge, it stays clipped inside the main browser window.
In these scenarios, entering a username and password is equivalent to handing them to the attacker's server. The subsequent redirect to the official page does not undo the damage, because the credentials have already been exfiltrated.
MITB or Man-in-the-Browser: Trojans that hijack your browser
MITB is an evolution of the classic MitM applied specifically to the user's browser. It starts with a Trojan infection; the malware talks to a command-and-control server to download target configurations, often for banking portals.
Once active, the Trojan monitors the user's traffic and, on detecting a targeted site, injects fake screens or modifies transactions. Because the user is on the real site and already logged in, even one-time passwords may not stop the manipulation.
Incidents in online banking involving this approach have been documented for years and gained public notoriety in the past decade. MITB tools have since spread to other sectors and are relatively accessible on underground forums.
Good practices for users
Before entering credentials or banking details, look closely at the URL. Avoid shortened links and links from sources you do not trust, and type the domain by hand when in doubt.
Always turn on two-step verification where available. Although BitM can reuse sessions, the extra friction complicates the attacker's job if the token is not captured in time; where offered, prefer phishing-resistant factors such as FIDO2 security keys, which are bound to the legitimate origin and cannot be completed through a cloned domain.
Be wary of public Wi-Fi for sensitive operations. If you have no alternative, use a trusted VPN, avoid critical services, and never use free VPNs from dubious sources.
Keep your operating system and browser up to date and keep extensions to a minimum. Install security software and keep its signatures current to reduce exposure to malware and adware.
A password manager helps you avoid fake sites: if the extension does not offer to autofill on a suspicious form, that is a clue you are not on the legitimate domain.
Technical controls for organizations
Strengthen sessions with short-lived access tokens and rotation. Fast expiry shrinks the window of abuse if a token is stolen, and rotating refresh tokens on every use makes a captured copy detectable the moment it is replayed.
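As an added example (not the article's code), the pattern above implemented in Python: HMAC-signed access tokens that expire after a few minutes, refresh tokens that rotate on every use, reuse detection that revokes the whole token family when an already-rotated refresh token is presented again, and a forced-revocation helper for the incident response discussed later in the page. The signing key, the injectable clock and the user names are constructed for the demonstration.

```python
"""Short-lived access tokens with rotating refresh tokens and reuse detection.

Constructed example: in-memory storage, HMAC-SHA256 signed access tokens,
and an injectable clock so expiry can be exercised deterministically.
"""
import hashlib
import hmac
import secrets
import time


class TokenService:
    """Every login starts a refresh-token 'family'. Each rotation marks the old
    refresh token as used and issues a new one in the same family. If a used
    token is presented again, two parties hold copies (the legitimate client
    and whoever captured it), so the whole family is revoked."""

    def __init__(self, key, access_ttl=300, refresh_ttl=86400, now=time.time):
        self.key = key
        self.access_ttl = access_ttl
        self.refresh_ttl = refresh_ttl
        self.now = now                      # injectable clock
        self.refresh = {}                   # refresh token -> record
        self.revoked_families = set()

    def _sign(self, payload):
        mac = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        return payload + "." + mac

    def _issue_pair(self, user, family):
        exp = int(self.now()) + self.access_ttl
        rt = secrets.token_urlsafe(32)
        self.refresh[rt] = {"family": family, "user": user,
                            "exp": self.now() + self.refresh_ttl, "used": False}
        return {"access": self._sign(f"{user}:{exp}"), "refresh": rt}

    def login(self, user):
        return self._issue_pair(user, family=secrets.token_hex(8))

    def verify_access(self, token):
        """Returns the user if the signature is valid and the token is unexpired."""
        payload, _, _ = token.rpartition(".")
        if not payload or not hmac.compare_digest(self._sign(payload), token):
            return None
        user, exp = payload.rsplit(":", 1)
        return user if self.now() < int(exp) else None

    def rotate(self, rt):
        """Exchange a refresh token for a new access/refresh pair, or None."""
        rec = self.refresh.get(rt)
        if rec is None or rec["family"] in self.revoked_families:
            return None
        if rec["used"]:
            self.revoked_families.add(rec["family"])   # replay => assume theft
            return None
        if self.now() > rec["exp"]:
            return None
        rec["used"] = True
        return self._issue_pair(rec["user"], rec["family"])

    def revoke_user(self, user):
        """Forced revocation: kill every refresh family belonging to a user."""
        families = {r["family"] for r in self.refresh.values() if r["user"] == user}
        self.revoked_families |= families
        return len(families)


def demo_stolen_refresh_token():
    """A copy of both tokens leaks at login; the attacker tries to use them later."""
    clock = [1_700_000_000.0]
    svc = TokenService(b"constructed-demo-key", access_ttl=300, now=lambda: clock[0])
    victim = svc.login("alice")
    stolen = dict(victim)                    # captured through the proxy
    clock[0] += 301                          # access token has expired
    expired = svc.verify_access(stolen["access"]) is None
    fresh = svc.rotate(victim["refresh"])    # legitimate client refreshes first
    replay = svc.rotate(stolen["refresh"])   # attacker replays the old refresh token
    after = svc.rotate(fresh["refresh"])     # family revoked: even the new token is dead
    return {"expired": expired, "fresh_ok": fresh is not None,
            "replay_blocked": replay is None, "family_revoked": after is None}


if __name__ == "__main__":
    print(demo_stolen_refresh_token())
```

Access tokens are stateless, so a stolen one stays valid until it expires; that is exactly what the short TTL bounds. The refresh token is where rotation pays off: whichever party rotates second (the attacker in the demo, or the legitimate client if the attacker refreshes first) presents a token that was already used, and the service revokes the family instead of silently serving both.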
Consider browser isolation for risky sites, whether with local containers or remote services. This layer limits the impact of malicious pages and keeps potentially dangerous content away from the work environment.
Deploy UEBA to detect behavioral anomalies and a SIEM to correlate events. Alerts for logins from atypical locations or from a changed device help cut off intrusions while they are still in progress.
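An added example of the correlation logic behind such an alert, written here for illustration rather than taken from any SIEM or UEBA product: it walks a constructed JSON-lines authentication log, flags logins whose country or device the user has never used before, and flags requests on a session that arrive from a different client than the one that created it. Field names, IP addresses, device identifiers and the per-user baseline are all assumptions.

```python
"""Login-anomaly and session-reuse detection over a constructed auth log."""
import json

# Constructed sample log (JSON lines); the schema is an assumption for this example.
SAMPLE_LOG = """\
{"ts": 100, "event": "login",   "user": "alice", "sid": "s1", "ip": "203.0.113.10", "country": "ES", "device": "d-a1"}
{"ts": 110, "event": "request", "user": "alice", "sid": "s1", "ip": "203.0.113.10", "country": "ES", "device": "d-a1"}
{"ts": 120, "event": "request", "user": "alice", "sid": "s1", "ip": "198.51.100.7", "country": "NL", "device": "d-x9"}
{"ts": 130, "event": "login",   "user": "bob",   "sid": "s2", "ip": "203.0.113.22", "country": "ES", "device": "d-b1"}
{"ts": 140, "event": "login",   "user": "bob",   "sid": "s3", "ip": "192.0.2.55",   "country": "BR", "device": "d-b1"}
"""

# Constructed per-user baseline of (country, device) pairs seen on past confirmed logins.
BASELINE = {"alice": {("ES", "d-a1")}, "bob": {("ES", "d-b1")}}


def analyze(log_text, baseline):
    """Return alerts for (a) logins from a country or device the user has never
    used and (b) requests on a session that no longer match the client that
    created it. Baselines are only updated from logins that raised no alert."""
    known = {user: set(pairs) for user, pairs in baseline.items()}
    sessions = {}   # sid -> (ip, device) recorded at login
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        user, sid = e["user"], e["sid"]
        client = (e["ip"], e["device"])
        if e["event"] == "login":
            seen = known.setdefault(user, set())
            novel = []
            if e["country"] not in {c for c, _ in seen}:
                novel.append("new country")
            if e["device"] not in {d for _, d in seen}:
                novel.append("new device")
            if novel:
                alerts.append({"ts": e["ts"], "user": user, "sid": sid,
                               "reason": "atypical login: " + ", ".join(novel)})
            else:
                seen.add((e["country"], e["device"]))   # learn only unalerted logins
            sessions[sid] = client
        elif e["event"] == "request":
            origin = sessions.get(sid)
            if origin is None:
                alerts.append({"ts": e["ts"], "user": user, "sid": sid,
                               "reason": "request on unknown session"})
            elif origin != client:
                alerts.append({"ts": e["ts"], "user": user, "sid": sid,
                               "reason": "session reused from a different client"})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG, BASELINE):
        print(alert)
```

In a BitM campaign the login itself originates from the attacker's remote browser, so the first rule fires on the login event (hosting-provider geography, unknown device) rather than later; the second rule catches the replay case in which a captured cookie is used from yet another machine. Because baselines are updated only from logins that raised no alert, an attacker cannot teach the detector that the new location is normal.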
Adopt Zero Trust principles: access based on context rather than implicit trust. Continuous verification, segmentation and least privilege make life difficult for an attacker who has stolen a session.
Encrypt communications with HTTPS on all services and enforce HSTS. On endpoints, prioritize hardening, patching and antivirus, and protect the LAN with firewalls and IDS/IPS on UTM gateways.
Monitor active sessions and allow forced revocation when something looks suspicious. Logging and auditing changes to credentials, MFA methods and registered devices lets you respond quickly to session hijacking.
Password Policies and MFA
Passwords remain a vital element of MFA despite the new tactics. Robust policies in corporate directories, with checks against lists of leaked passwords, raise the bar.
There are commercial solutions that combine Active Directory password management with high-assurance MFA. Such tools reinforce both the login and the post-login phase, reducing the risk of weak or compromised credentials being used.
Extensions, privacy, and visual detection
Reputation-based extensions that block dangerous domains add a useful layer in the browser. Tighten privacy settings to minimize the data exposed by default and disable unnecessary permissions on extensions.
For the specific case of BitB, remember the manual tests: try resizing the popup, drag it past the edge of the browser, and check whether it persists when you minimize the main window.
Infrastructure, encryption and networks
End-to-end encryption is the foundation against BitM, though not a panacea. It protects mail, DNS, messaging and access points, making the initial hop to a fake page harder to orchestrate.
On corporate networks, separate guests from the internal network and apply strong authentication on Wi-Fi. WPA2 or higher with strong passphrases, segmentation and access control lists reduce the attack surface.
Testing and response
Run quarterly Red Team exercises that include browser hijacking scenarios. These tests uncover gaps in processes and controls that do not show up in paper audits.
Define procedures for session revocation, credential reset and user notification. The sooner a stolen token is invalidated, the smaller the scope of the incident.
Frameworks and vulnerabilities
Catalogs such as CAPEC-701 document the Browser-in-the-Middle pattern. Staying current on browser and extension vulnerabilities is also essential to close the door on injections and redirections.
Recent flaws that allow script execution or bypass of origin validation have been cited in the technical literature; references such as CVE-2025-29966 and CVE-2025-29967 have been mentioned in analyses of vectors that facilitate compromise of the browser context.
Support and training services
Awareness is a pillar that should not be neglected. Phishing simulation programs and hands-on training reduce the click-through rate on malicious links and improve early detection.
For users in Spain, the Cybersecurity Helpline 017 offers free and confidential guidance. Asking when in doubt can prevent worse outcomes once suspicious behavior is noticed in the browser.
Cases and observed trends
Campaigns have been seen spreading BitM kits through popular social media, with embedded links pointing to fake websites. Their success rests on interface fidelity and the sense of urgency they create in the victim.
Threat-intelligence teams have documented session hijacking at scale, with a particular focus on cloud application tokens. When the legitimate service is rendered through an attacker-controlled browser, it is hard for the victim to tell the copy from the original.
References and recommended readings
- Ja1ir4m, Browser in the middle attack BitM: The perfect storm for browser hijacking. Medium. URL: medium.com
- The Hacker News, Hackers Use TikTok Videos to Distribute Browser-in-the-Middle Attack Toolkit. URL: thehackernews.com
- The Hacker News, How Browser-in-the-Middle Attacks Steal Sessions. URL: thehackernews.com
- The Hacker News, Here's How Hackers Could Hijack your HTTPS Cookies. URL: thehackernews.com
- Google Cloud Threat Intelligence, Session Stealing: Browser-in-the-Middle. URL: cloud.google.com
- CYPTD, Beware of the Browser-in-the-Middle Attack. URL: cyptd.com
- MITRE, CAPEC-701: Browser-in-the-Middle Attack. URL: capec.mitre.org
- Boffo and Arfaoui, Browser-in-the-Middle BitM Attack. URL: researchgate.net
The picture drawn by BitM, MITB and BitB is clear: attackers increasingly operate on the browser and perception front, where the line between real and fake blurs. With prudent habits, well-tuned technical controls and ongoing training, it is entirely feasible to greatly reduce the likelihood of falling into these traps and to limit the damage if it happens.
