Desktop-in-the-Browser (DitB) or VPN-in-the-Browser (VitB)?
You have probably heard of the Browser-in-the-Browser (BitB) attack: a phishing page draws a fake pop-up browser window in plain HTML and CSS, complete with a spoofed address bar showing a Microsoft or Google login URL, so the victim sees a legitimate-looking domain while typing credentials into the attacker's page. It is a popular initial-access technique in red team phishing campaigns.
What if we took it further? Instead of spoofing only websites, what if we made users believe they were using real desktop applications: everyday tools such as Slack, Zoom and Microsoft Teams, password managers such as 1Password, or even VPN clients such as FortiClient?
New Target : Desktop Applications
These days, users are getting smarter. They check URLs, watch for suspicious redirects, and notice whether a site shows a valid lock icon.
But desktop apps? That is a whole different story.
Most people won't second-guess what looks like their trusted app, especially if it opens full screen, shows the right logo and behaves just like the real one. And here is the kicker: many desktop apps rely on a username and password alone, and not all of them enforce Multi-Factor Authentication (MFA).
Now imagine this: a fake desktop app rendered inside the browser, same design, same layout, same loading spinner, but everything you type goes straight to the attacker. Technically it is nothing more than a web page that switches to fullscreen mode and draws a window-shaped overlay; there is no real process behind it.
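The same tells that make the illusion work are what a defender can look for. As an added example that is not part of the original post, the following Node.js script audits a structured description of a page's credential forms (the kind of data a browser extension's content script would extract from the DOM) for the signs of a DitB/VitB overlay: credentials posted to a different origin than the page, vendor branding that does not match the page's domain, a fixed overlay sized to the whole viewport, and use of the Fullscreen API. The brand-to-domain table, the sample pages and the finding codes are all constructed for this example.

```javascript
// Added example: heuristic audit of credential forms for Desktop-in-the-Browser
// (DitB / VitB) overlays. Not code from the original post. It works on a plain
// object description of the page (what a content script would pull from the DOM),
// so it runs offline under Node.js.

// Assumption: brand -> legitimate login domain table, constructed for the example.
// A real deployment would maintain this as a reviewed allow-list.
const BRAND_DOMAINS = {
  "1password": ["1password.com"],
  forticlient: ["fortinet.com"],
  globalprotect: ["paloaltonetworks.com"],
  slack: ["slack.com"],
  zoom: ["zoom.us"],
  teams: ["microsoft.com", "microsoftonline.com"],
};

function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch { return null; }
}

// Same host or a subdomain of it. Deliberately simple; production code would
// compare registrable domains (eTLD+1) using the public suffix list.
function sameSite(host, base) {
  return host === base || host.endsWith("." + base);
}

function brandsIn(text) {
  const flat = text.toLowerCase().replace(/\s+/g, "");
  return Object.keys(BRAND_DOMAINS).filter((b) => flat.includes(b));
}

// Returns the findings for one form; an empty list means nothing suspicious.
function auditCredentialForm(pageUrl, form) {
  const findings = [];
  if (!form.hasPasswordField) return findings; // only credential forms matter here
  const pageHost = hostOf(pageUrl);
  if (!pageHost) return [{ code: "BAD_PAGE_URL", detail: pageUrl }];

  // 1. Where do the typed credentials actually go? A DitB page submits them
  //    to the attacker's collector, not to the origin the user is on.
  const target = form.action ? new URL(form.action, pageUrl).href : pageUrl;
  const sinkHost = hostOf(target);
  if (!sinkHost || !sameSite(sinkHost, pageHost)) {
    findings.push({ code: "CROSS_ORIGIN_SINK", detail: `credentials submitted to ${sinkHost}` });
  }

  // 2. Does the visible branding match the origin? A "FortiClient" window served
  //    from an unrelated domain is the core of the illusion.
  for (const brand of brandsIn(form.titleText || "")) {
    if (!BRAND_DOMAINS[brand].some((d) => sameSite(pageHost, d))) {
      findings.push({ code: "BRAND_ORIGIN_MISMATCH", detail: `${brand} branding on ${pageHost}` });
    }
  }

  // 3. Is the form dressed up as a desktop window? A position:fixed element sized
  //    to the viewport plus the Fullscreen API hides the browser chrome.
  const o = form.overlay, v = form.viewport;
  if (o && v && o.position === "fixed" && o.width >= v.width && o.height >= v.height) {
    findings.push({ code: "FULL_VIEWPORT_OVERLAY", detail: "fixed overlay covers the whole viewport" });
  }
  if (form.fullscreenRequested) {
    findings.push({ code: "FULLSCREEN_REQUESTED", detail: "page entered fullscreen before showing the form" });
  }
  return findings;
}

// Constructed samples: a spoofed VPN client overlay and a genuine vendor sign-in.
const SAMPLES = [
  { name: "spoofed FortiClient window", pageUrl: "https://vpn-portal-login.example/forti",
    form: { titleText: "FortiClient VPN", hasPasswordField: true,
            action: "https://collector.example/drop",
            overlay: { position: "fixed", width: 1440, height: 900 },
            viewport: { width: 1440, height: 900 }, fullscreenRequested: true } },
  { name: "real 1Password sign-in", pageUrl: "https://my.1password.com/signin",
    form: { titleText: "1Password", hasPasswordField: true, action: "/signin",
            overlay: { position: "static", width: 480, height: 320 },
            viewport: { width: 1440, height: 900 }, fullscreenRequested: false } },
];

// Audit every sample and return { name: [finding codes] } for inspection.
function auditSamples(samples = SAMPLES) {
  const report = {};
  for (const s of samples) {
    report[s.name] = auditCredentialForm(s.pageUrl, s.form).map((f) => f.code);
  }
  return report;
}

console.log(JSON.stringify(auditSamples(), null, 2));
```

In a real content script the `overlay` and `viewport` values would come from `getComputedStyle`, `getBoundingClientRect` and `window.innerWidth`/`innerHeight`, and `fullscreenRequested` from watching `document.fullscreenElement`; the scoring above is a heuristic and a single finding is a prompt to look closer, not proof of phishing.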
Social Engineering: Give me your password!
Red teamers love this kind of trick. And real attackers? Even more. Social engineering works because it targets people, and people are usually the weakest link in security.
If someone thinks they are opening the real 1Password app or logging into FortiClient VPN, they are likely to enter their credentials without a second thought.
Here is what that might look like:
Desktop in the Browser (DitB)
- 1Password application: desktop illusion
VPN in the Browser (VitB)
- GlobalProtect VPN: spoofed window
- FortiClient VPN: looks legit
These are just a few examples of what is possible with the Desktop-in-the-Browser (DitB) or VPN-in-the-Browser (VitB) technique, and like any good hacker trick, your imagination is the only limit.
Disclaimer: This article is for educational purposes only. It is meant to raise awareness and help organizations simulate phishing as part of security training, not to encourage malicious behavior.
Now we know... then what?
I hope this helps more people stay alert, open their eyes and recognize strange or suspicious behavior when using desktop apps.
- DitB or VitB is an evolution of phishing: not just spoofed websites, but spoofed desktop apps rendered inside a browser.
- Users are becoming smarter with browser security, but often trust desktop interfaces blindly.
- Many desktop apps still lack proper MFA enforcement, making them easier targets.
- Always double-check where you enter your username and password, especially when something feels slightly off. A spoofed "app" is still a web page: it cannot be dragged outside the browser window, and pressing Esc leaves fullscreen mode and reveals the browser chrome around it.
Stay curious. Stay safe. Stay one step ahead.
Oussama Rahali
Let’s connect 👋