Bluekit PhaaS Bypasses MFA to Steal Microsoft Credentials

A sophisticated Phishing-as-a-Service (PhaaS) platform named Bluekit has emerged as a significant threat, with cybersecurity firm Netcraft identifying approximately 70 active hostnames associated with it in a single week. Initially documented by Varonis Threat Labs during its development phase, Bluekit has now evolved into a fully operational tool capable of bypassing multi-factor authentication (MFA) and harvesting Microsoft login credentials in real time.

Unlike traditional adversary-in-the-middle (AitM) tools such as Evilginx, which intercept web traffic between the victim and legitimate sites, Bluekit employs a Browser-in-the-Middle (BitM) technique. This method involves loading the genuine Microsoft login page within an attacker-controlled browser and streaming the content directly to the victim’s screen using rrweb, an open-source JavaScript library designed for session replay and product analytics. Consequently, victims interact with the actual login page rendered in the attacker’s browser, leading to authentication within the attacker’s active session rather than their own. This approach effectively neutralizes Device Bound Session Credentials (DBSC), a protection that offers some resistance to traditional AitM attacks.

Bluekit Attack Architecture

Bluekit operates through two distinct phases before capturing credentials:

Phase 1 — Victim Qualification: Before presenting any phishing content, Bluekit subjects each visitor to multiple anti-analysis checks, including:

  • Randomized CSS filter manipulation to defeat pixel-hash screenshot detection.
  • A custom CAPTCHA impersonating brands like Cloudflare.
  • Obfuscated JavaScript bundles exceeding 1MB, rotated periodically.
  • Browser fingerprinting (assessing RAM, CPU count, screen resolution, headless browser indicators).
  • WebRTC-based IP mismatch detection to identify security analysts and automated scanners.

Phase 2 — BitM Delivery: Visitors who pass the qualification checks are served a live Document Object Model (DOM) stream from the attacker’s browser over a WebSocket connection, rendering a pixel-perfect, fully interactive Microsoft login page. The victim’s keystrokes and mouse movements are relayed back to the attacker’s browser, executing them against the real Microsoft site and completing authentication on the attacker’s machine.

Bluekit’s administration panel offers operators a live view of victim sessions, powered by the same rrweb infrastructure used for delivery. Demonstrations shared on Telegram reveal real-time visibility into victim login flows as they occur, including post-authentication activity.

A notable structural advantage over tools like Evilginx is session consistency. In reverse-proxy AitM attacks, the stolen session is later imported into a different browser environment, creating a fingerprint mismatch that detection systems can flag. With Bluekit, the session is created and used within the same browser throughout, eliminating that detection signal entirely.
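One signal that survives the architecture described above is that the victim's own device never contacts the Microsoft login endpoint: it only holds a WebSocket to the phishing host while the real authentication completes in the attacker's browser. The correlation below is an added example, not code from the original report or from any vendor; the log format, user names, hosts and IP addresses are constructed for the demonstration.

```python
from datetime import datetime, timedelta

# Endpoint a user's own browser contacts during a normal Microsoft sign-in.
LOGIN_HOSTS = {"login.microsoftonline.com"}
# Hosts the organisation considers familiar; anything else is unfamiliar (constructed list).
KNOWN_HOSTS = LOGIN_HOSTS | {"outlook.office.com", "teams.microsoft.com"}

# Constructed sample: one proxy log line per connection from the user's device,
# one sign-in line per identity-provider event. Format: "TIMESTAMP kind k=v k=v ...".
SAMPLE_LOGS = [
    # alice: normal sign-in, her own device talked to the login endpoint first
    "2024-05-01T09:00:10 proxy user=alice host=login.microsoftonline.com ws=0",
    "2024-05-01T09:00:25 signin user=alice src_ip=198.51.100.4 result=success",
    # bob: device only opened a WebSocket to an unfamiliar host, yet a sign-in succeeded
    "2024-05-01T09:11:50 proxy user=bob host=signin-verify.example.test ws=1",
    "2024-05-01T09:12:30 signin user=bob src_ip=203.0.113.7 result=success",
    # carol: unfamiliar WebSocket but the sign-in failed, so nothing to report
    "2024-05-01T09:20:00 proxy user=carol host=cdn.example.test ws=1",
    "2024-05-01T09:20:40 signin user=carol src_ip=203.0.113.9 result=failure",
]

def parse(line):
    """Parse one constructed log line into a dict with a datetime 'ts' and a 'kind'."""
    ts, kind, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "kind": kind}
    rec.update(f.split("=", 1) for f in fields)
    return rec

def find_bitm_candidates(lines, window=timedelta(minutes=5)):
    """Return (user, sign-in time, unfamiliar WebSocket host) for every successful
    sign-in where, inside the look-back window, the user's device showed no traffic
    to the login endpoint but did hold a WebSocket to an unfamiliar host."""
    recs = [parse(l) for l in lines]
    proxy = [r for r in recs if r["kind"] == "proxy"]
    hits = []
    for s in (r for r in recs if r["kind"] == "signin" and r["result"] == "success"):
        recent = [p for p in proxy
                  if p["user"] == s["user"] and s["ts"] - window <= p["ts"] <= s["ts"]]
        saw_login = any(p["host"] in LOGIN_HOSTS for p in recent)
        ws_hosts = [p["host"] for p in recent
                    if p["ws"] == "1" and p["host"] not in KNOWN_HOSTS]
        if not saw_login and ws_hosts:
            hits.append((s["user"], s["ts"].isoformat(), ws_hosts[0]))
    return hits

if __name__ == "__main__":
    for user, when, host in find_bitm_candidates(SAMPLE_LOGS):
        print(f"investigate {user}: sign-in at {when} with only a WebSocket to {host}")
```

Absence of login-endpoint traffic alone is not proof (cached tokens and native clients also skip the browser flow), so treat a hit as a triage lead to be checked against the sign-in's source IP and device, not as a verdict.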

Traditional MFA methods, including SMS codes, authenticator apps, and push approvals, offer no protection against Bluekit’s architecture. Since the victim completes the authentication process within the attacker’s session, all credentials and tokens are compromised.

As Bluekit exemplifies, attackers are continually developing more sophisticated methods to bypass MFA protections. Organizations must adopt a multi-layered security approach, incorporating advanced threat detection systems, continuous monitoring, and user education to mitigate the risks posed by such advanced phishing platforms.