Netcraft has identified a newly operational Phishing-as-a-Service (PhaaS) platform named Bluekit, uncovering around 70 active domains in a single week.
What is Bluekit?
Initially noted by Varonis Threat Labs as an emerging threat, Bluekit has matured into a full-fledged kit that bypasses multi-factor authentication (MFA) to capture Microsoft credentials and sessions in real time. Unlike traditional adversary-in-the-middle (AitM) toolkits such as Evilginx, which reverse-proxy traffic between the victim and the genuine site, Bluekit uses a Browser-in-the-Middle (BitM) approach.
The attacker loads the legitimate Microsoft login page in a browser they control and streams its rendered content to the victim with rrweb, an open-source JavaScript library originally built for session recording and replay in analytics products.
The Mechanics of Bluekit’s Attack
Victims therefore interact with the genuine Microsoft login page, rendered inside the attacker's environment. Once the victim completes authentication, the resulting session belongs to the attacker's browser rather than the victim's own. This sidesteps Device Bound Session Credentials (DBSC), which tie a session to the device on which it was created and so offer some resistance to classic AitM cookie theft: here the session is created on the attacker's device in the first place, so the binding protects the attacker's session, not the victim's.
Bluekit runs two stages before any credential is captured. First, it subjects visitors to anti-analysis checks, including browser fingerprinting and fake CAPTCHA challenges styled after legitimate brands such as Cloudflare, to filter out crawlers and sandboxes. Visitors who pass are handed the real-time interactive login page streamed from the attacker's browser.
Implications for Cybersecurity
With Bluekit, the stolen session is created and used within the same browser, so there is no mismatch between where the session was minted and where it is later replayed, the kind of mismatch that can expose reverse-proxy AitM attacks. Traditional MFA methods such as SMS codes and authenticator-app codes offer no defense, because the victim completes the entire login sequence, MFA prompt included, inside the attacker-controlled environment.
Defenders should watch for specific indicators: WebSocket connections relaying encrypted data on login pages, rrweb loaded outside its usual analytics or session-replay contexts, and custom CAPTCHA widgets whose HTML structure differs from the genuine vendor's.
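The indicators above, together with the fake-CAPTCHA gate described under the attack mechanics, can be turned into a simple triage rule for captured page source. The script below is an added example, not code from Netcraft, Varonis or the Bluekit kit itself; the indicator names, weights, thresholds and the three sample pages are the editor's own constructions, chosen to show why rrweb on its own is not enough to flag a page but rrweb combined with a sign-in context and a WebSocket feed is.

```python
"""
Heuristic triage of captured login-page HTML/JS for Browser-in-the-Middle (BitM)
indicators: an rrweb replayer on a page that is not a replay viewer, a WebSocket
channel feeding it, and a look-alike CAPTCHA gate. Added example; the indicator
set, weights, verdict thresholds and sample pages are assumptions for illustration,
not Bluekit artifacts or any vendor's detection logic.
"""
import re
from dataclasses import dataclass, field

# (name, weight, regex applied to the page source)
INDICATORS = [
    # rrweb replayer/player code present: the streaming side of a BitM kit.
    ("rrweb_replayer", 3, re.compile(r"rrweb(?:-player)?\b|rrwebPlayer", re.I)),
    # A WebSocket opened from page script, used to relay recorded DOM events.
    ("websocket_channel", 2, re.compile(r"new\s+WebSocket\(\s*['\"]wss?://", re.I)),
    # Sign-in context: Microsoft login wording or hosts referenced.
    ("login_context", 2, re.compile(r"login\.microsoftonline\.com|Sign in to your account", re.I)),
    # CAPTCHA-brand wording present (checked below for the genuine challenge host).
    ("captcha_branding", 1, re.compile(r"cloudflare|verify you are human", re.I)),
]
# Genuine Cloudflare challenges load from this host; branding without it is an imitation.
GENUINE_CAPTCHA_HOST = re.compile(r"challenges\.cloudflare\.com", re.I)


@dataclass
class Triage:
    score: int
    hits: list[str] = field(default_factory=list)
    verdict: str = "benign"


def triage_page(html: str) -> Triage:
    """Score one page's source and return the matched indicators and a verdict."""
    hits, score = [], 0
    for name, weight, rx in INDICATORS:
        if rx.search(html):
            hits.append(name)
            score += weight
    # Brand wording with no genuine challenge script: a custom CAPTCHA gate.
    if "captcha_branding" in hits and not GENUINE_CAPTCHA_HOST.search(html):
        hits.append("captcha_impersonation")
        score += 2
    # rrweb has no legitimate reason to render a sign-in page: flag regardless of score.
    if "rrweb_replayer" in hits and "login_context" in hits:
        verdict = "suspicious"
    elif score >= 4:
        verdict = "review"
    else:
        verdict = "benign"
    return Triage(score=score, hits=hits, verdict=verdict)


# Constructed sample pages (not real captures).
BITM_PAGE = """<html><head><title>Sign in to your account</title>
<script src="/assets/rrweb-player.min.js"></script></head>
<body><div class="gate">Cloudflare: Verify you are human</div>
<script>
  const ws = new WebSocket("wss://" + location.host + "/stream");
  const r = new rrweb.Replayer([], { liveMode: true });
  ws.onmessage = (e) => r.addEvent(JSON.parse(e.data));
</script></body></html>"""

ANALYTICS_PAGE = """<html><head><title>Session replay - Analytics</title>
<script src="https://cdn.example.net/rrweb-player@1.0.0/dist/index.js"></script></head>
<body><p>Replaying recorded session 4821</p>
<script>new rrwebPlayer({ target: document.body, props: { events: window.EVENTS } });</script>
</body></html>"""

REAL_LOGIN_PAGE = """<html><head><title>Sign in to your account</title>
<script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>
</head><body><form action="/login" method="post"><input name="user"></form></body></html>"""


if __name__ == "__main__":
    for label, page in (("bitm", BITM_PAGE), ("analytics", ANALYTICS_PAGE), ("login", REAL_LOGIN_PAGE)):
        t = triage_page(page)
        print(f"{label:10s} score={t.score:2d} verdict={t.verdict:10s} hits={t.hits}")
```

The analytics page scores on rrweb alone and stays benign, which is the "presence alone is not compromise" point; the genuine login page carries Cloudflare branding but also the real challenge host, so it is not flagged as an imitation. Only the page that combines a replayer, a sign-in context and a live WebSocket feed is marked suspicious. In practice the regexes would be tuned against real captures and the WebSocket indicator correlated with network telemetry rather than page source alone.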
Future Outlook
Bluekit’s use of rrweb is another instance of threat actors leveraging trusted, legitimate tooling to evade detection. The presence of rrweb alone does not signify compromise; organizations must weigh the surrounding context and signals. As Bluekit demonstrates, relying on MFA alone for credential protection is inadequate. Comprehensive session-level protections and behavioral detection are needed, and authentication that is bound to the origin (FIDO2 security keys or passkeys, for example) cannot be completed from a browser the victim does not control, which makes it the stronger answer to this class of phishing.
