Bluekit Streams Real Login Pages to Steal Sessions and Bypass MFA at Scale

A phishing-as-a-service platform called Bluekit has upgraded to browser-in-the-middle capabilities that stream the real login page to victims while authentication completes inside the attacker's browser. Standard MFA is bypassed, and the attacker walks away with a live session token.

By SecureBusinessHub Editorial, International cybersecurity desk

Bluekit, a phishing-as-a-service platform first documented in April 2024, registered approximately 70 new hostnames in a single week in June 2026. The pace reflects a capability upgrade: the kit now supports browser-in-the-middle attacks that bypass multi-factor authentication by design, not by chance.

Why this gets past MFA

Traditional phishing kits show the victim a fake login page and capture the password. That approach hit a wall once MFA became widespread, because the kit would grab a password but stall on the second factor. Bluekit takes a different path. The attacker's server runs a real browser that loads the genuine Microsoft, Google, or bank login page. A JavaScript library called rrweb streams that live page to the victim as a DOM snapshot. The victim sees the actual website, not a copy. Everything they type, including their MFA code or push approval, goes to the attacker's browser, where authentication finishes. The session token stays there.

Because the MFA step completes inside the attacker's browser rather than the victim's, one-time codes and push approvals do not protect the account. The victim may receive a notification confirming they have just logged in successfully. The only visible sign that something is wrong is a session active from a location they have never visited.

What Bluekit targets

The kit ships with more than 40 pre-built templates: Microsoft Outlook, Gmail, iCloud, ProtonMail, Yahoo, LinkedIn, GitHub, Twitter/X, and cryptocurrency wallets including Ledger. It automates domain registration and includes anti-bot cloaking to block security scanners. Netcraft's June 2026 research found AI-generated phishing email copy and voice cloning built into the operator panel, with captured credentials delivered via Telegram.

Check whether your accounts have been hit

  • In Microsoft 365 Entra admin centre: go to Users > Sign-in logs and filter for Risky sign-ins. Look for any successful authentication from an IP address or country your staff have never used, particularly within minutes of a user reporting they clicked an unexpected link.
  • In Google Workspace Admin: go to Security > Alert centre. Any session that authenticated and then immediately accessed mail or Drive from an unfamiliar IP is worth investigating.
  • Check for hidden email forwarding rules. After stealing a session, attackers typically add an auto-forward rule to siphon ongoing mail. In Outlook: Settings > View all Outlook settings > Mail > Rules. In Gmail: Settings > Filters and Blocked Addresses.
  • If you find an unrecognised session, revoke it immediately through the identity provider's active sessions panel, force a password reset on the affected account, and remove any forwarding rules added during the compromise.
  • Move your highest-risk accounts, specifically finance, HR, IT admins, and executives, to phishing-resistant authentication: passkeys or FIDO2 hardware security keys. Time-based codes and push approvals cannot stop a browser-in-the-middle attack.

Detection signals for security teams

Netcraft identified consistent technical indicators across Bluekit infrastructure: obfuscated JavaScript files exceeding 1 MB that rotate on a schedule, WebSocket connections carrying encrypted binary data rather than JSON, page assets served through proxy endpoints rather than directly from the target domain, and CSS filter values randomised on key page elements. DNS blocking against known Bluekit hostnames helps but lags behind the platform's automated domain rotation, so behavioural signals are more reliable.
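One way to turn the indicators above into a per-host triage check, as an added example that is not Netcraft's or the page's own code: it scores constructed proxy-log records for the four behavioural signals, with the field names (`bytes`, `ws_opcode`, `proxied_target`, `css_filter`), the 1 MB threshold and the sample hosts all being assumptions.

```python
# Added example (not Netcraft's or any vendor's tooling): score proxy-log records against the
# Bluekit behavioural signals above. Field names, thresholds and hosts are assumptions.
from collections import defaultdict
from urllib.parse import urlparse

LARGE_JS = 1_000_000  # "obfuscated JavaScript files exceeding 1 MB"
# Constructed records: a legitimate Microsoft login and a lookalike host.
SAMPLE_LOG = [
    {"host": "login.microsoftonline.com", "path": "/common/oauth2/v2.0/authorize",
     "content_type": "text/html", "bytes": 48_000},
    {"host": "login.microsoftonline.com", "path": "/static/app.js",
     "content_type": "application/javascript", "bytes": 310_000},
    {"host": "secure-login.example", "path": "/a/8f3c.js", "bytes": 1_400_000,
     "content_type": "application/javascript", "css_filter": "hue-rotate(13deg)"},
    {"host": "secure-login.example", "path": "/a/2b91.js", "bytes": 1_420_000,
     "content_type": "application/javascript", "css_filter": "hue-rotate(41deg)"},
    {"host": "secure-login.example", "path": "/ws", "websocket": True, "ws_opcode": "binary"},
    {"host": "secure-login.example", "path": "/p", "content_type": "image/svg+xml",
     "bytes": 3_000, "proxied_target": "https://login.microsoftonline.com/shared/logo.svg"},
]

def score_hosts(records):
    """Group records by serving host; return {host: sorted signal names} for hosts that fire."""
    by_host = defaultdict(list)
    for r in records:
        by_host[r["host"]].append(r)
    findings = {}
    for host, recs in by_host.items():
        signals = set()
        # 1. Oversized JavaScript bundles; more than one distinct path suggests scheduled rotation.
        big_js = {r["path"] for r in recs if r.get("bytes", 0) > LARGE_JS
                  and r.get("content_type", "").startswith("application/javascript")}
        if big_js:
            signals.add("large_js")
        if len(big_js) >= 2:
            signals.add("rotating_js")
        # 2. WebSocket sessions carrying binary frames rather than JSON text frames.
        if any(r.get("websocket") and r.get("ws_opcode") == "binary" for r in recs):
            signals.add("binary_websocket")
        # 3. Brand assets pulled through a proxy endpoint instead of from the brand's own domain.
        if any(r.get("proxied_target") and urlparse(r["proxied_target"]).hostname != host
               for r in recs):
            signals.add("proxied_assets")
        # 4. CSS filter values that differ between loads of the same page.
        if len({r["css_filter"] for r in recs if r.get("css_filter")}) >= 2:
            signals.add("random_css_filter")
        if signals:
            findings[host] = sorted(signals)
    return findings
```

Run against real proxy or NDR exports, the legitimate identity-provider host should produce no signals while a lookalike host that fires two or more is worth an analyst's attention, since any one signal alone also appears on legitimate single-page apps.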