VYPR research · Published Jun 25, 2026 · 1 source

Bluekit Phishing Kit Adds Browser-in-the-Middle Capabilities to Bypass MFA

The Bluekit phishing-as-a-service platform has evolved with nearly 70 new hostnames and now uses browser-in-the-middle techniques to intercept login credentials and session tokens in real time.

The Bluekit phishing-as-a-service (PhaaS) platform has undergone a significant evolution, with security researchers identifying nearly 70 new hostnames associated with the operation over the past week. More critically, Bluekit has adopted browser-in-the-middle (BitM) capabilities, enabling attackers to intercept login credentials and session tokens in real time, effectively bypassing multi-factor authentication (MFA) protections.

Browser-in-the-middle attacks represent an advanced evolution of adversary-in-the-middle (AiTM) techniques. Instead of simply relaying authentication traffic, BitM proxies the victim's entire browser session through attacker-controlled infrastructure. This allows the attacker to capture not only credentials and MFA codes but also session cookies and tokens, granting persistent access to the victim's accounts even after the initial login session expires.

Bluekit is sold on underground forums as a PhaaS platform, targeting financial institutions and software-as-a-service (SaaS) platforms. The addition of BitM capabilities makes it particularly dangerous for organizations relying solely on MFA as a security control. The platform's operators have been actively marketing the new feature, emphasizing its ability to defeat even hardware-based MFA tokens.

The rapid expansion of Bluekit's infrastructure, with nearly 70 new hostnames in a single week, suggests a growing customer base and increased operational sophistication. Security researchers have observed the platform being used in campaigns against major banks, cryptocurrency exchanges, and enterprise SaaS providers. The attackers use lookalike domains and convincing login pages to trick victims into entering their credentials.

Defenders are advised to implement phishing-resistant MFA methods, such as FIDO2/WebAuthn, which are not susceptible to BitM attacks because the credential is bound to the legitimate site's origin rather than to a code the victim can be tricked into entering. Additionally, organizations should deploy advanced email filtering, conduct regular phishing simulations, and monitor for anomalous login patterns that may indicate session hijacking. The Bluekit evolution underscores the arms race between cybercriminals and security professionals, with PhaaS platforms continuously innovating to bypass the latest defenses.
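To show why the FIDO2/WebAuthn recommendation holds against a proxied login page, the following added example (not code from the original report or from any vendor) implements the relying-party checks that bind an assertion to the real site: the `origin` in clientDataJSON, the server-issued challenge, and the RP ID hash in authenticatorData. The RP ID `login.example.com`, the lookalike origin and the helper functions that simulate the browser's output are constructed for illustration; signature verification over the assertion is a separate step and is omitted here.

```python
import base64
import hashlib
import json

# Constructed relying party: the real login site. A page served from a
# lookalike host cannot make the browser report this origin, and the browser
# refuses a WebAuthn request whose RP ID does not match the page's domain.
RP_ID = "login.example.com"
ALLOWED_ORIGINS = {"https://login.example.com"}


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def check_assertion(client_data_b64: str, auth_data: bytes,
                    expected_challenge: bytes) -> tuple[bool, str]:
    """Return (ok, reason) for the origin/challenge/RP-ID binding checks."""
    try:
        cd = json.loads(b64url_decode(client_data_b64))
    except (ValueError, UnicodeDecodeError):
        return False, "clientDataJSON not parseable"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("origin") not in ALLOWED_ORIGINS:  # defeats lookalike/proxy pages
        return False, f"origin {cd.get('origin')!r} not allowed"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replay or cross-session use)"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:  # UP flag: user presence was verified
        return False, "user presence flag not set"
    return True, "assertion bound to the legitimate origin and RP ID"


def make_client_data(origin: str, challenge: bytes) -> str:
    """Simulates the browser: origin is the page's own origin, not chosen by
    page JavaScript (constructed helper for the example)."""
    return b64url_encode(json.dumps({"type": "webauthn.get",
        "challenge": b64url_encode(challenge), "origin": origin}).encode())


def make_auth_data(rp_id: str, flags: int = 0x05) -> bytes:
    """Simulates authenticatorData: rpIdHash | flags | 4-byte counter."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + b"\x00\x00\x00\x01"
```

A session relayed through an attacker-controlled host yields an assertion whose origin is the lookalike domain, so the relying party rejects it before any signature is even examined.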

Synthesized by Vypr AI