Phishing Method Using the Microsoft WebView2 software, a security researcher has devised a new phishing tactic. This new approach can bypass MFA and steal login cookies, posing significant threats to the organization and individual users.

Phishing Method was discovered by security researchers, mechanism using Microsoft Edge’s WebView2 program to steal users’ authentication cookies, allowing an attacker to access stolen accounts without using multi-factor authentication (MFA).

Stolen user credentials have proliferated online due to database breaches, malware-based credential leaks, and phishing attempts. Both enterprise and individual users are using multi-factor authentication (MFA) to add a layer of protection to the login process. With the introduction of this approach, attackers may now target one-time MFA codes and security numbers.

Mr.D0x, an ethical hacker, is responsible for disclosing this vulnerability in Microsoft WebView. Earlier this year, he invented the Browser-in-the-Browser (BitB) attack technique. (source: https://mrd0x.com/attacking-with-webview2-applications/)

How does a Phishing Method using Microsoft WebView2 bypass get around MFA?

According to Mr. D0x’s proof of concept, “WebView2-Cookie-Stealer” injects malicious JavaScript code into the URLs loaded in the app using Microsoft WebView 2. Mr. D0x demonstrated this by inserting a JavaScript keylogger into the original Microsoft login form. This login form is shown using Microsoft WebView2.

The webpage will appear normal for users. However, a malicious JavaScript code is running in the background, capturing everything the user enters/types into those fields. The data is then sent to the designated web server.

Microsoft WebView2 allows attackers to embed a web browser into native apps that use Microsoft Edge. Using the full capabilities of HTML, JavaScript and CSS (which uses Chromium as the browser’s rendering engine). This method allows programs to load any webpage within a native app, making it appear as if it was launched in Microsoft Edge.

The way WebView2 combines JavaScript code allows attackers to collect login cookies, including authentication codes provided by the application’s remote server when the user logs in.

According to the researcher, “WebView2 also has cookie extraction capabilities. After a user authenticates onto a genuine website, an attacker can extract cookies. This approach eliminates the need to launch Evilginx2 or Modlishka but requires the user to run and authenticate the program.”

This cookie stealing approach can also import and extract cookies using the EditThisCookie Chrome plugin. The attack can also export the website’s successfully authorized cookies using the built-in WebView2 interface “ICoreWebView2CookieManager”. The most severe and disturbing part of this approach is that it can completely bypass multi-factor authentication (MFA) and hijack one-time passwords and security keys by compromising cookies after the user logs in.

“Other security measures must be taken to protect accounts and defend organizations against attacks,” said Erich Kron, a security awareness advocate at KnowBe4 Inc. He went on to say that this could lead to a victim engaging in risky behaviour and that it just takes one software (downloaded from the internet) to launch the attack.


To avoid such risks, organizations should discontinue using Microsoft Edge and apps that use Microsoft WebView2. In addition, because one-time passcodes and security keys are no longer appropriate for MFA and enhanced security, users should employ biometric authentication as 2FA.

Finally, organizations should use current authentication procedures such as risk-based authentication (RBA) or adaptive authentication approaches to prevent unauthorized access to the system.

Last thoughts about this Phishing Method

Phishing attacks and variations are becoming more common. Microsoft’s WebView is vulnerable to phishing, allowing attackers to bypass MFA by using malicious JavaScript code to act as a keylogger and cookie stealer. Security experts have warned that MFA is no longer a foolproof way to protect against phishing attempts.

Enterprises should discontinue utilizing apps that use Microsoft WebView2 as a preventative step and instead use biometric authentication techniques as an extra security layer. In addition, businesses should consider using current authentication mechanisms, such as risk-based or adaptive authentication, to strengthen their security posture.


Rhyno delivers a range of activities that combine to fully protect your infrastructure and data from cybercriminals, anywhere and everywhere, 24/7/365.


About Rhyno Cybersecurity Services

Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.

Our products and services are robust, innovative, and cost-effective. Underpinned by our 24x7x365 Security Operations Centre (SOC), our experts ensure you have access to cybersecurity expertise when you need it the most.

This website uses cookies to improve your online experience. By continuing, we will assume that you are agreeing to our use of cookies. For more information, visit our Cookie Policy.

Privacy Preference Center