Microsoft: New Bluekit Phishing-as-a-Service Bypasses MFA to Steal Microsoft Login Credentials

Bluekit Phishing-as-a-Service Platform Bypasses MFA with Browser-in-the-Middle Technique

Cybersecurity firm Netcraft has identified a fully operational Phishing-as-a-Service (PhaaS) platform called Bluekit, which has rapidly scaled its operations, with approximately 70 live hostnames detected in a single week. Originally documented by Varonis Threat Labs as an emerging tool, Bluekit has evolved into a sophisticated threat capable of bypassing multi-factor authentication (MFA) and harvesting Microsoft login credentials in real time.

Unlike traditional adversary-in-the-middle (AitM) tools like Evilginx, which intercept traffic between victims and legitimate sites, Bluekit employs a Browser-in-the-Middle (BitM) technique. The platform loads the real Microsoft login page inside an attacker-controlled browser and streams it to victims using rrweb, an open-source JavaScript library for session replay. Victims interact with the authentic login page, but their actions execute in the attacker’s browser, granting threat actors a fully authenticated session.

Attack Architecture & Evasion Tactics

Bluekit operates in two phases before capturing credentials:

  1. Victim Qualification – Before displaying phishing content, the platform conducts layered anti-analysis checks, including:

    • Randomized CSS filters to defeat pixel-hash detection.
    • Custom CAPTCHAs impersonating brands like Cloudflare.
    • Obfuscated JavaScript bundles (exceeding 1MB) that rotate periodically.
    • Browser fingerprinting (RAM, CPU, screen resolution, headless browser detection).
    • WebRTC-based IP mismatch detection to identify security analysts.
  2. BitM Delivery – Qualified victims receive a live DOM stream of the Microsoft login page via WebSocket, rendering a pixel-perfect, interactive interface. Keystrokes and mouse movements are relayed to the attacker’s browser, which executes them against the real Microsoft site. The attacker’s administration panel provides real-time visibility into victim sessions, including post-authentication activity.

Why Bluekit Evades Detection

A key advantage over tools like Evilginx is session consistency: the stolen session is created and used in the same browser, eliminating the fingerprint mismatches that detection systems might flag. Traditional MFA (SMS, authenticator apps, push approvals) offers no protection, as victims complete the entire login flow, including MFA verification, inside the attacker’s browser.

Detection & Defense Considerations

Security teams should monitor for:

  • WebSocket connections transmitting encrypted/binary data on login pages.
  • Proxy API endpoints handling asset fetching instead of direct requests.
  • rrweb library presence outside known analytics contexts.
  • Custom CAPTCHAs with randomized HTML structures.
  • Large, obfuscated JavaScript bundles (over 1MB) with periodic rotation.
  • WebRTC IP mismatch detection on landing pages.
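As an added illustration of the anti-analysis and delivery traits described above and of the monitoring list just given (this is not code from Netcraft, Varonis or the original article), the following Python applies heuristic checks to a constructed capture of a landing page. The indicator patterns, the 1MB threshold, the co-occurrence rule and the sample content are all assumptions made for the example.

```python
import re

# Constructed sample capture of a suspicious login page (not a real Bluekit page).
SAMPLE_HTML = """<html><head>
<script src="/api/proxy?url=https%3A%2F%2Fcdn.example%2Frrweb.min.js"></script>
<script src="/static/bundle.a1b2c3.js"></script>
</head><body><div id="captcha-9f3a1c">Verify you are human</div></body></html>"""

# Constructed fetched scripts for that page: (url, size in bytes, source text)
SAMPLE_SCRIPTS = [
    ("/static/bundle.a1b2c3.js", 1_300_000,
     "const ws=new WebSocket('wss://'+location.host+'/live');ws.binaryType='arraybuffer';"
     "new rrweb.Replayer(events,{liveMode:true});"
     "const pc=new RTCPeerConnection({iceServers:[{urls:'stun:stun.example:3478'}]});"),
]

# Heuristic indicators (assumed for this example): rrweb replay/record API use,
# a WebSocket switched to binary framing, and WebRTC peer setup used for IP probing.
INDICATORS = {
    "rrweb_library": re.compile(r"rrweb\.(Replayer|record)|new Replayer\("),
    "binary_websocket": re.compile(
        r"new WebSocket\([^)]*\)[\s\S]{0,200}?binaryType\s*=\s*['\"]arraybuffer['\"]"),
    "webrtc_ip_probe": re.compile(r"RTCPeerConnection"),
}
# Assets fetched through a proxy endpoint instead of directly from their origin.
PROXIED_ASSET = re.compile(r'src="/api/proxy\?url=[^"]+"')
LARGE_BUNDLE_BYTES = 1_000_000  # the article's "over 1MB" threshold


def score_landing_page(html: str, scripts: list) -> dict:
    """Return the indicators found on one captured login page.

    Each hit is weak alone (rrweb is a legitimate analytics library), so the
    page is only flagged when several indicators co-occur.
    """
    hits = set()
    if PROXIED_ASSET.search(html):
        hits.add("proxied_asset_fetch")
    for _url, size, source in scripts:
        if size > LARGE_BUNDLE_BYTES:
            hits.add("large_bundle")
        for name, pattern in INDICATORS.items():
            if pattern.search(source):
                hits.add(name)
    return {"hits": sorted(hits), "flag": len(hits) >= 3}
```

A page that merely loads rrweb in record mode for analytics yields a single hit and is not flagged, which mirrors the point that rrweb's presence alone is not an indicator of compromise.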

Bluekit’s abuse of rrweb, a legitimate open-source tool, follows a growing trend of threat actors exploiting trusted developer infrastructure to bypass security controls. While rrweb’s presence alone is not an indicator of compromise, its use in this context underscores the need for session-level protections and behavioral detection in phishing defense strategies.

Source: https://cybersecuritynews.com/bluekit-paas-bypasses-mfa/

Microsoft TPRM report: https://www.rankiteo.com/company/microsoft-security

"id": "mic1782483842",
"linkid": "microsoft-security",
"type": "Cyber Attack",
"date": "6/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Unknown (potentially '
                                              'widespread)',
                        'industry': 'Software/Cloud Services',
                        'name': 'Microsoft',
                        'size': 'Large',
                        'type': 'Technology'},
                       {'industry': 'Various',
                        'name': 'Victims of Bluekit phishing campaigns',
                        'type': 'Individuals/Organizations'}],
 'attack_vector': 'Browser-in-the-Middle (BitM) technique, phishing',
 'data_breach': {'data_exfiltration': 'Real-time credential harvesting',
                 'personally_identifiable_information': 'Potentially (if '
                                                        'compromised accounts '
                                                        'contain PII)',
                 'sensitivity_of_data': 'High (Microsoft accounts, '
                                        'MFA-protected)',
                 'type_of_data_compromised': 'Login credentials, session '
                                             'tokens'},
 'description': 'Cybersecurity firm Netcraft identified a fully operational '
                'Phishing-as-a-Service (PhaaS) platform called Bluekit, which '
                'has rapidly scaled its operations with approximately 70 live '
                'hostnames detected in a single week. Bluekit employs a '
                'Browser-in-the-Middle (BitM) technique to bypass multi-factor '
                'authentication (MFA) and harvest Microsoft login credentials '
                'in real time by streaming the real Microsoft login page '
                'inside an attacker-controlled browser.',
 'impact': {'data_compromised': 'Microsoft login credentials, potentially '
                                'post-authentication session data',
            'identity_theft_risk': 'High (credentials and session hijacking)',
            'systems_affected': 'Microsoft login systems, victim browsers'},
 'initial_access_broker': {'entry_point': 'Phishing campaigns (Bluekit '
                                          'platform)'},
 'lessons_learned': 'Traditional MFA is ineffective against '
                    'Browser-in-the-Middle attacks. Security teams should '
                    'monitor for WebSocket connections, proxy API endpoints, '
                    'and the presence of rrweb outside analytics contexts. '
                    'Behavioral detection and session-level protections are '
                    'critical for phishing defense.',
 'post_incident_analysis': {'corrective_actions': 'Enhanced monitoring for '
                                                  'WebSocket connections, '
                                                  'proxy APIs, and rrweb '
                                                  'usage; behavioral detection '
                                                  'for phishing; session-level '
                                                  'protections.',
                            'root_causes': 'Exploitation of legitimate '
                                           'JavaScript library (rrweb) for '
                                           'session replay, layered '
                                           'anti-analysis checks, and '
                                           'Browser-in-the-Middle technique to '
                                           'bypass MFA.'},
 'recommendations': ['Monitor for WebSocket connections transmitting '
                     'encrypted/binary data on login pages.',
                     'Detect proxy API endpoints handling asset fetching '
                     'instead of direct requests.',
                     'Identify rrweb library presence outside known analytics '
                     'contexts.',
                     'Watch for custom CAPTCHAs with randomized HTML '
                     'structures.',
                     'Analyze large, obfuscated JavaScript bundles (over 1MB) '
                     'with periodic rotation.',
                     'Check for WebRTC IP mismatch detection on landing pages.',
                     'Implement session-level protections and behavioral '
                     'detection for phishing defense.'],
 'references': [{'source': 'Netcraft'}, {'source': 'Varonis Threat Labs'}],
 'response': {'enhanced_monitoring': 'Recommended: WebSocket connections, '
                                     'proxy API endpoints, rrweb library '
                                     'presence, custom CAPTCHAs, obfuscated '
                                     'JavaScript, WebRTC IP mismatch detection',
              'third_party_assistance': 'Netcraft (cybersecurity firm)'},
 'threat_actor': 'Bluekit operators (Phishing-as-a-Service platform)',
 'title': 'Bluekit Phishing-as-a-Service Platform Bypasses MFA with '
          'Browser-in-the-Middle Technique',
 'type': 'Phishing-as-a-Service (PhaaS)',
 'vulnerability_exploited': 'MFA bypass via session replay, exploitation of '
                            'legitimate JavaScript library (rrweb)'}