This project demonstrates how the BitB (Browser-in-the-Browser) phishing technique works in combination with Evilginx2, for the purpose of research, simulation, and training on phishing detection.
All data entered by the user is collected locally on a Node.js backend server for analysis and demonstration purposes.
Upon visiting the page, the user is presented with two login options:
- Sign in with Microsoft
- Sign in with Gmail
When the user clicks one of these buttons, a fake browser window is displayed inside an iframe. Its address bar shows a legitimate domain name (e.g. https://login.microsoftonline.com or https://accounts.google.com), but that address bar is part of the template rather than the real browser's, and the content is actually rendered from a custom HTML template under our control.
In this simulation, we continue by selecting Sign in with Microsoft.
The fake browser window prompts the user to interact with a cloned Microsoft login page.
When the user clicks "Yes", the iframe closes and the entered credentials are sent to the backend, where they are stored in a .txt file on the attacker's local machine.
This BitB phishing simulation can be extended with Evilginx2 to:
- Perform real-time MITM attacks using predefined phishlets
- Capture session cookies (JWT, bearer tokens, etc.)
- Evade 2FA and gain persistent session access
Evilginx2 acts as a reverse proxy to handle real authentication endpoints, while the BitB frontend handles the visual deception and interaction layer.
This project is intended only for educational, awareness, and authorized testing purposes. Unauthorized use of this tool against third parties without explicit permission is strictly prohibited and may violate local or international laws.