This was an address bar spoofing technique that worked by intercepting the page’s own unload event, stopping the navigation, and immediately reloading with modified content. The result was a page whose URL in the address bar showed one origin while the visible content had been replaced with attacker-controlled HTML.

window.onunload = function() {
    document.execCommand("Stop");
    location.reload();
};
// Then replace page content
document.body.innerHTML = "<h1>You are on bank.com. Please log in.</h1>";

The browser’s URL bar continued to show the original URL after the stop-and-reload cycle, while the page content was fully attacker-controlled. This is the kind of issue that phishing campaigns could exploit to make a spoofed login page appear to be on a trusted domain.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.