Archwood IT · Security Awareness

This login window isn't a window.
It's a drawing.

Browser-in-the-Browser phishing paints a fake Microsoft sign-in inside the web page. It looks flawless. But there's one thing it can never do — and once you've seen it, you'll catch it every time.

Step 1 — You've been sent a document. Click Sign in with Microsoft below.

The demo's fake sharing page reads:

    docs-share-portal.com/view/Q3_Supplier_Pricing
    PDF · A document was shared with you
    Q3_Supplier_Pricing.pdf · 1.2 MB
    This file is protected. Sign in with your Microsoft account to view it.

A real window wouldn't stop here

The window edge: It can't leave the page. A real login window can move anywhere on your screen — even to a second monitor.
The address bar: It's a picture. You can't click into it or edit it. A genuine browser bar belongs to the browser, not the page.
The buttons: Close, minimise, maximise — none of them do anything. They're painted on.

The giveaway

A real window is free. A fake one is trapped.

When Microsoft genuinely asks you to sign in, it opens as its own window — part of your computer, not part of the page. You can drag it off the website, shrink it, or push it onto another screen. The fake in the demo above is just shapes drawn on the page, so it's stuck inside the page forever. That single difference is the tell that never lies.

The fake — drawn in the page

Browser-in-the-Browser

  • Can't be dragged outside the web page
  • The address bar is an image you can't edit
  • Close / minimise buttons do nothing
  • Appears straight after clicking an email link
  • Vanishes if you scroll or resize the page

The real thing — your computer's window

A genuine sign-in

  • Opens as a separate window you can move anywhere
  • Has a real address bar you can click and read
  • Buttons actually close and resize it
  • You started it yourself by going to the app
  • Often it's your phone's Authenticator, not the browser at all

Three things to check

If a login appears, slow down and look.

01 · Did you start it?

If a Microsoft login popped up because you clicked a link in an email, be suspicious. Reach Microsoft 365 yourself through the app or by typing the address.

02 · Can you move it off the page?

Try dragging the window away from the website. A real one comes free. A fake one bumps against the edge of the page and stops.

03 · Is the address bar real?

Click into the address bar and read the full web address. If you can't click it, or it won't let you edit it, it isn't a browser bar — it's part of the trap.

Why it matters

This is how attackers get past your login code.

The moment you type your password and approve your code in a fake window like this, an attacker captures both — in real time — and walks straight into your account, even though you did everything "right" with multi-factor authentication. That's why spotting the fake window matters more than trusting the code.

If you think you've entered details into something suspicious: don't panic, and don't keep it to yourself. Contact IT straight away — the sooner we know, the faster we can lock the account down. You will never be in trouble for reporting it.

What to do

Three habits that keep you safe.

Go there yourself

Never sign in from a link in an unexpected email. Open Microsoft 365 from the app or type the address into your browser.

Deny surprise prompts

If your phone asks you to approve a sign-in you didn't start, deny it — that's an attacker, not you.

Report it

Not sure about an email or a login page? Send it to the helpdesk before acting. We'd far rather check ten safe ones than miss the real thing.