The Bluekit phishing-as-a-service platform has added browser-in-the-middle (BitM) capabilities, a significant escalation in its ability to steal login credentials. This technique lets attackers intercept data in real time by placing themselves between the user and a legitimate website, bypassing traditional multi-factor authentication (MFA).

Over the past week, researchers identified nearly 70 new hostnames associated with Bluekit, indicating aggressive infrastructure expansion. The BitM approach increases the severity of the threat, because it can capture session cookies and authentication tokens that static phishing pages cannot. Active exploitation is likely ongoing, given the kit's commercial availability.

In a BitM attack, the victim connects to a proxy controlled by the attacker, which relays traffic to the actual service. The proxy captures credentials, cookies, and even push notification responses from MFA apps. Indicators of compromise include unusual URL redirects or domains mimicking legitimate login portals but with slight misspellings or different top-level domains.
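The domain indicators described above (lookalike hostnames with small misspellings, swapped top-level domains, or a brand name buried in a subdomain) are the kind of thing a security team can triage automatically against newly observed hostnames. The script below is an added example written for this article; it is not part of any researcher's or vendor's tooling, and the protected domain `example-corp.com` and the observed hostnames are constructed sample data. It uses a naive "last label is the TLD" split, so a production version would substitute the Public Suffix List for multi-part suffixes such as `co.uk`.

```python
"""Flag observed hostnames that impersonate a protected login domain.

Added example for this article, not the original report's code.
PROTECTED and SAMPLE_HOSTNAMES are constructed sample data.
"""
from typing import List, NamedTuple, Optional, Tuple

# Registrable domains the organisation owns (constructed).
PROTECTED = ["example-corp.com"]

# Hostnames as they might appear in a newly-registered-domain feed (constructed).
SAMPLE_HOSTNAMES = [
    "login.example-corp.com",             # legitimate subdomain
    "login.examp1e-corp.com",             # digit-for-letter substitution
    "login.example-corp.net",             # same brand, swapped TLD
    "sso-example-corp.com",               # brand joined with a hyphen
    "example-corp.com.auth-verify.xyz",   # brand used as a subdomain
    "unrelated-site.org",                 # no relation to the brand
]


class Finding(NamedTuple):
    hostname: str
    verdict: str   # "tld_swap", "lookalike" or "embedded_brand"
    matched: str   # the protected domain it resembles


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; small distances indicate typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def registrable(host: str) -> Tuple[str, str]:
    """Naive split into (second-level label, top-level label).

    Assumes a single-label TLD; use the Public Suffix List for real data.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def classify(hostname: str, protected: List[str], max_distance: int = 2) -> Optional[Finding]:
    """Return a Finding if the hostname mimics a protected domain, else None."""
    host = hostname.lower().rstrip(".")
    # Exact match or a genuine subdomain of a protected domain is legitimate.
    if any(host == p or host.endswith("." + p) for p in protected):
        return None
    reg, tld = registrable(host)
    for p in protected:
        p_reg, p_tld = registrable(p)
        if reg == p_reg and tld != p_tld:
            return Finding(hostname, "tld_swap", p)
        distance = levenshtein(reg, p_reg)
        if 0 < distance <= max_distance:
            return Finding(hostname, "lookalike", p)
        # Brand string present anywhere once separators are stripped.
        brand = p_reg.replace("-", "")
        if brand in host.replace("-", "").replace(".", ""):
            return Finding(hostname, "embedded_brand", p)
    return None


def scan(hostnames: List[str], protected: List[str] = PROTECTED) -> List[Finding]:
    """Run classify() over a feed of hostnames and keep only the hits."""
    return [f for f in (classify(h, protected) for h in hostnames) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_HOSTNAMES):
        print(f"{finding.hostname:40} {finding.verdict:15} ~ {finding.matched}")
```

Feed the output of a newly-registered-domain or certificate-transparency feed into `scan()` and route hits to the team that handles takedowns and proxy blocklists; the `lookalike` threshold of two edits is a starting point that should be tuned against the length of your own brand labels.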

Mitigation remains challenging; organizations should enforce hardware-based MFA (such as FIDO2 tokens) and train users to verify URLs carefully. Security teams must monitor for anomalies in traffic routing and rapid domain registration patterns. No patches or fixes are available for the kit itself, as it is a third-party criminal tool.

Attribution for Bluekit remains unclear, but its commercial structure suggests a sophisticated cybercrime group. The broader landscape of phishing-as-a-service continues to lower the barrier for attackers, making such adaptive tools a persistent threat to enterprises.