New Bluekit Phishing-as-a-Service Bypasses MFA to Steal Microsoft Login Credentials
By Guru Baran
June 26, 2026
A sophisticated Phishing-as-a-Service (PhaaS) platform called Bluekit has been confirmed operational at scale, with cybersecurity firm Netcraft detecting approximately 70 live hostnames in a single week.
First documented by Varonis Threat Labs as an emerging tool still in development, Bluekit has since matured into a fully operational threat capable of bypassing multi-factor authentication (MFA) and harvesting Microsoft login credentials in real time.
Unlike conventional adversary-in-the-middle (AitM) tools such as Evilginx, which intercept web traffic passing between the victim and the legitimate site, Bluekit employs a Browser-in-the-Middle (BitM) technique.
The platform loads the legitimate Microsoft login page inside an attacker-controlled browser and streams what the victim sees directly to their screen using rrweb, an open-source JavaScript library originally designed for session replay and product analytics.
The result is technically significant: victims are not interacting with a cloned or proxied version of a login page. They are interacting with the actual login page, rendered in the attacker’s browser.
When they complete authentication, they have logged into the attacker's active session, not their own. This architecture also neutralizes Device Bound Session Credentials (DBSC), which offer some resistance to traditional AitM attacks: DBSC binds a session to a key held by the browser that created it, and here that browser is the attacker's.
Bluekit Attack Architecture
Bluekit operates in two distinct phases before credentials are ever captured.
Phase 1 — Victim Qualification: Before showing any phishing content, Bluekit subjects every visitor to layered anti-analysis checks, including randomized CSS filter manipulation to defeat pixel-hash screenshot detection, a custom CAPTCHA that impersonates brands like Cloudflare, obfuscated JavaScript bundles exceeding 1MB that are periodically rotated, browser fingerprinting (RAM, CPU count, screen resolution, headless browser indicators), and WebRTC-based IP mismatch detection to identify security analysts and automated scanners.
Phase 2 — BitM Delivery: Visitors who pass qualification checks are served a live DOM stream from the attacker’s browser over a WebSocket connection, rendering a pixel-perfect, fully interactive Microsoft login page. The victim’s keystrokes and mouse movements are relayed back to the attacker’s browser, which executes them against the real Microsoft site, completing authentication on the attacker’s machine.
Bluekit’s administration panel provides operators with a live view of victim sessions, powered by the same rrweb infrastructure used for delivery, Netcraft told Cybersecurity News.
Threat actor demonstrations shared on Telegram show real-time visibility into victim login flows as they occur, including post-authentication activity.
A key structural advantage over tools like Evilginx is session consistency. In reverse-proxy AitM attacks, the stolen session cookie is later imported into a different browser environment, creating a fingerprint mismatch that detection systems can flag. With Bluekit, the session is created and used in the same browser throughout, so that detection signal never appears.
Traditional MFA, including SMS codes, authenticator apps, and push approvals, provides no protection against Bluekit's architecture. Since the victim completes the entire login flow, including MFA verification, inside the attacker's browser, the attacker inherits a fully authenticated session from the start. Phishing-resistant MFA (FIDO2/WebAuthn security keys and passkeys) is the exception: the authentication ceremony would have to run in the attacker's browser, which has no access to the victim's authenticator, and the victim's own browser sits on the wrong origin for the relying party check.
Security teams should monitor for the following signals in web environments:
WebSocket connections transmitting encrypted or binary data on login pages (rrweb DOM stream)
Proxy API endpoints handling asset fetching instead of direct requests to the legitimate site
rrweb library presence outside known analytics contexts
Custom CAPTCHAs not served by Google or Cloudflare with randomized HTML structures
JavaScript bundles exceeding 1MB with obfuscation and periodic rotation
WebRTC IP mismatch detection behavior on landing pages
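The signals above can be turned into a first-pass triage check. The following is an added example, not Bluekit's code and not Netcraft's tooling: a heuristic scorer that applies the listed signals to an observation of a login page as a crawler or inspecting proxy might record it. The observation shape, the vendor host lists, the thresholds and the two sample pages are assumptions constructed for illustration.

```javascript
// Added example (not Bluekit's code and not Netcraft's tooling): a heuristic scorer
// that applies the signals listed above to an observation of a login page as a
// crawler or inspecting proxy might record it. The observation shape, the host
// lists and the thresholds are assumptions chosen for illustration.

const MB = 1024 * 1024;

// Assumption: hosts where a session-replay library is expected (your analytics vendors).
const KNOWN_REPLAY_HOSTS = new Set(['replay.analytics-vendor.example']);
// Hosts that would be contacted if a Cloudflare or Google challenge were genuine.
const CAPTCHA_VENDOR_HOSTS = new Set([
  'challenges.cloudflare.com', 'www.google.com', 'www.gstatic.com', 'www.recaptcha.net',
]);

function hostOf(url) {
  try { return new URL(url).hostname; } catch { return ''; }
}

// Cheap obfuscation heuristic: the share of identifiers shaped like _0x1a2b3c,
// which common JavaScript obfuscators emit for renamed symbols.
function obfuscationRatio(src) {
  const idents = src.match(/\b[A-Za-z_$][\w$]*\b/g) || [];
  if (idents.length === 0) return 0;
  const hexish = idents.filter((id) => /^_0x[0-9a-f]{4,}$/i.test(id)).length;
  return hexish / idents.length;
}

function scoreLoginPage(obs) {
  const findings = [];
  const pageHost = hostOf(obs.url);

  // Signal 1: a WebSocket on a login page carrying binary or bulky traffic (an rrweb DOM stream).
  for (const ws of obs.websockets) {
    if (ws.binaryFrames > 0 || ws.bytesReceived > 64 * 1024) findings.push(`websocket-stream:${ws.url}`);
  }

  // Signal 2: Microsoft assets fetched through the page's own proxy API rather than directly.
  for (const req of obs.requests) {
    let u;
    try { u = new URL(req.url); } catch { continue; }
    const target = u.searchParams.get('url') || u.searchParams.get('src') || '';
    if (u.hostname === pageHost && /\/api\/(proxy|asset|fetch)/i.test(u.pathname) && /microsoft|live\.com|msauth/i.test(target)) {
      findings.push(`proxied-asset:${target}`);
    }
  }

  for (const s of obs.scripts) {
    // Signal 3: rrweb present and not served from a known analytics context.
    if ((/rrweb/i.test(s.url) || /rrweb/i.test(s.body)) && !KNOWN_REPLAY_HOSTS.has(hostOf(s.url))) {
      findings.push(`rrweb:${s.url}`);
    }
    // Signal 5: a bundle over 1MB (size from the response) whose sampled body looks obfuscated.
    if (s.size > MB && obfuscationRatio(s.body) > 0.3) findings.push(`large-obfuscated-bundle:${s.url}`);
    // Signal 6: WebRTC probing against a STUN server on a landing page.
    if (/RTCPeerConnection/.test(s.body) && /stun:/.test(s.body)) findings.push(`webrtc-probe:${s.url}`);
  }

  // Signal 4: CAPTCHA branding on the page, but no request ever reached the vendor's hosts.
  const claimsVendorCaptcha = /cloudflare|recaptcha/i.test(obs.html);
  const vendorContacted = obs.requests.some((r) => CAPTCHA_VENDOR_HOSTS.has(hostOf(r.url)));
  if (claimsVendorCaptcha && !vendorContacted) findings.push('custom-captcha-impersonation');

  return { score: findings.length, findings };
}

// Constructed observation of a suspicious page (hosts, paths and bodies are made up).
const suspiciousPage = {
  url: 'https://login-secure.example/common/oauth2/authorize',
  html: '<div class="cf-challenge">Verify you are human - Cloudflare</div>',
  scripts: [{
    url: 'https://login-secure.example/static/bundle.7f3a.js',
    size: 1.4 * MB,
    body: 'var _0x4f2a=["rrweb","RTCPeerConnection"],_0x9e1d=_0x4f2a;' +
      'function _0x1b3c(_0x2d4e,_0x5a6b){return _0x9e1d[_0x2d4e-_0x5a6b]}' +
      'new RTCPeerConnection({iceServers:[{urls:"stun:stun.example:3478"}]})',
  }],
  websockets: [{ url: 'wss://login-secure.example/ws/session', binaryFrames: 120, bytesReceived: 900000 }],
  requests: [{ url: 'https://login-secure.example/api/proxy?url=https://login.microsoftonline.com/static/logo.svg' }],
};

// Constructed observation of a benign page: replay library from a known vendor, real challenge host.
const benignPage = {
  url: 'https://login.microsoftonline.com/common/oauth2/authorize',
  html: '<div>Sign in</div><div class="cf-turnstile">Cloudflare</div>',
  scripts: [{ url: 'https://replay.analytics-vendor.example/rrweb.min.js', size: 0.2 * MB, body: 'rrweb.record({emit(){}})' }],
  websockets: [],
  requests: [{ url: 'https://challenges.cloudflare.com/turnstile/v0/api.js' }],
};

console.log(scoreLoginPage(suspiciousPage));
console.log(scoreLoginPage(benignPage));
```

Each finding is an independent weak signal; the score is only a ranking aid for what to look at first, and the rrweb host allow-list is the piece that needs tuning to an organization's own analytics stack before the check is useful.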
Security analysts running automated phishing kit evaluations should also ensure their browser environments route both TCP and UDP through proxies (or disable WebRTC outright) to avoid inadvertent IP exposure: STUN queries travel over UDP, so a proxy that carries only TCP leaves the real egress address visible in the WebRTC server-reflexive candidate.
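The WebRTC mismatch check from Phase 1 and the analyst self-check above are the same comparison from two sides. As an added example (not Bluekit's code), the block below parses ICE candidate lines, collects the server-reflexive addresses a STUN server reported, and compares them with the IP that fetched the page. In a browser the candidate strings arrive as event.candidate.candidate from an RTCPeerConnection's onicecandidate handler after createOffer() and setLocalDescription() with a STUN server configured; the candidate lines and addresses here are constructed.

```javascript
// Added example (not Bluekit's code): the mechanics of a WebRTC IP-mismatch check.
// The candidate lines, the proxy egress address and the "leaked" address are constructed.

// candidate-attribute grammar (RFC 8839):
// candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type>
//   [raddr <addr> rport <port>] ...
function parseIceCandidate(line) {
  const m = line.match(/^(?:a=)?candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)(?: raddr (\S+) rport (\d+))?/);
  if (!m) return null;
  return { transport: m[3].toLowerCase(), address: m[5], port: Number(m[6]), type: m[7], raddr: m[8] || null };
}

// Literal IPv4/IPv6 addresses reveal something; the mDNS names (xxxx.local) that
// current browsers substitute for host candidates do not.
function isIpLiteral(addr) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(addr) || (addr.includes(':') && /^[0-9a-f:.]+$/i.test(addr));
}

// Returns the reflexive IPs exposed through ICE and whether any differs from the
// address the HTTP request arrived from (the observer's view of the client).
// A phishing kit runs this against the visitor; an analyst runs it against the
// proxy egress address to confirm nothing leaks.
function webrtcIpMismatch(observedClientIp, candidateLines) {
  const reflexiveIps = new Set();
  const hostIps = new Set();
  for (const line of candidateLines) {
    const c = parseIceCandidate(line);
    if (!c || !isIpLiteral(c.address)) continue;
    if (c.type === 'srflx' || c.type === 'prflx') reflexiveIps.add(c.address);
    else if (c.type === 'host') hostIps.add(c.address);
  }
  const mismatch = [...reflexiveIps].some((ip) => ip !== observedClientIp);
  return { mismatch, reflexiveIps: [...reflexiveIps], hostIps: [...hostIps] };
}

// Constructed: an analyst browser behind a TCP-only proxy whose egress is 198.51.100.7.
// STUN is UDP, so the binding request left through the real interface and the STUN
// server reported 203.0.113.45 as the source address.
const leakyCandidates = [
  'candidate:1 1 udp 2122260223 9d4c7e2a-3b1f-4c8e-a1d2-5e6f7a8b9c0d.local 54321 typ host generation 0',
  'candidate:2 1 udp 1686052607 203.0.113.45 54321 typ srflx raddr 0.0.0.0 rport 0 generation 0',
];

// Constructed: UDP routed through the same proxy, so the reflexive address equals the egress IP.
const cleanCandidates = [
  'candidate:1 1 udp 2122260223 9d4c7e2a-3b1f-4c8e-a1d2-5e6f7a8b9c0d.local 54321 typ host generation 0',
  'candidate:2 1 udp 1686052607 198.51.100.7 40000 typ srflx raddr 0.0.0.0 rport 0 generation 0',
];

console.log(webrtcIpMismatch('198.51.100.7', leakyCandidates));
console.log(webrtcIpMismatch('198.51.100.7', cleanCandidates));
```

With WebRTC disabled, or UDP blocked at the proxy, no srflx candidate is produced at all and the function reports no mismatch; that is the posture an analysis environment should be verified against before it is pointed at a kit that performs this check.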
Bluekit’s weaponization of rrweb, a legitimate, widely-used open-source project, follows an established threat actor pattern of abusing trusted developer infrastructure to gain legitimacy and bypass reputation-based controls.
The presence of rrweb alone is not an indicator of compromise; context and surrounding signals are required for accurate detection. Organizations relying solely on MFA as a credential-theft countermeasure should treat Bluekit as evidence that session-level protections and behavioral detection are now essential components of a complete phishing defense strategy.
Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments.