How a New PhaaS Platform Neutralizes Traditional MFA

Learn how the emerging Bluekit Phishing-as-a-Service (PhaaS) platform leverages Browser-in-the-Middle techniques and AI to systematically bypass MFA.
Image Credit / Cyber Security News

The Bluekit PhaaS platform uses Browser-in-the-Middle tactics and AI to steal session tokens, bypassing traditional multi-factor authentication.

Multi-factor authentication (MFA) has long been championed as the ultimate firewall against unauthorized account access. However, cybercriminals are proving that if they cannot break the door down, they will simply steal the key after it unlocks. A rapidly growing Phishing-as-a-Service (PhaaS) platform known as Bluekit is turning sophisticated session hijacking into a standardized, point-and-click operation, successfully neutralizing standard MFA protections.

First uncovered by researchers at Varonis Threat Labs, Bluekit initially appeared to be a framework still deep in its development cycle. Fast forward to mid-2026, and threat intelligence updates from Netcraft reveal that the platform is live, fully operational, and scaling quickly. Within a single recent observation window, analysts tracked nearly 70 active hostnames tied to the infrastructure, signaling widespread criminal adoption.

The Mechanics: Moving Beyond Static Phishing

Traditional phishing operations rely on clone sites that statically capture a victim’s username and password. If the targeted account requires a one-time passcode (OTP) or push notification, the attacker is left stranded.

Bluekit changes the playbook by adopting a Browser-in-the-Middle (BitM) architecture. Where older adversary-in-the-middle toolkits such as Evilginx reverse-proxy the raw HTTP traffic between the victim and the real provider, Bluekit instead relies on the open-source library rrweb to serialize the Document Object Model (DOM) of a live browser session, stream it to the victim, and relay the victim's clicks and keystrokes back.

When a victim clicks a Bluekit lure, they are not seeing a static replica. They are interacting with a live, functional version of the targeted provider (such as Microsoft 365, Google, or GitHub) hosted inside a browser controlled entirely by the attacker. As the user navigates the real login flow and clears their MFA prompt, Bluekit silently intercepts the resulting session cookies, local storage tokens, and authentication artifacts.

Armed with these stolen session tokens, a threat actor can perform a cookie replay attack. They insert the token into their own browser to inherit the fully authenticated state. To the cloud provider’s server, the attacker looks exactly like the legitimate user continuing an ongoing session, rendering text-based OTPs, email codes, and basic authenticator apps completely useless.
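The replay described above leaves a trace on the provider side: a session minted to one client is later presented by another, and in the BitM model the "login" itself arrives from the attacker's infrastructure rather than from anywhere the user normally works. The following detector, added here as an example (it is not Bluekit's code, nor any vendor's detection rule; the log field names, users, addresses and baseline are constructed), flags both signals over a handful of sample audit lines:

```python
"""Flag replayed session cookies and off-baseline MFA logins.
Added example over constructed JSON-lines audit records; the field names
are assumptions, not the schema of any real identity provider."""
import json
from dataclasses import dataclass

# Constructed baseline: countries each user has historically signed in from.
BASELINE_COUNTRIES = {"alice": {"NG"}, "carol": {"NG"}, "bob": {"US"}}

# Constructed sample log. S1: alice's genuine session later presented from a
# different machine (cookie replay). S2: bob's session whose IP alone changed
# (benign). S3: carol's "login" performed from an unfamiliar country, as a
# remote attacker-controlled browser would produce.
SAMPLE_LOG = """\
{"ts":"2026-06-01T09:00:00Z","event":"mfa_success","user":"alice","sid":"S1","ip":"203.0.113.10","ua":"Chrome/125 Windows","country":"NG"}
{"ts":"2026-06-01T09:00:05Z","event":"request","user":"alice","sid":"S1","ip":"203.0.113.10","ua":"Chrome/125 Windows","country":"NG"}
{"ts":"2026-06-01T09:03:00Z","event":"request","user":"alice","sid":"S1","ip":"198.51.100.7","ua":"Firefox/126 Linux","country":"DE"}
{"ts":"2026-06-01T09:10:00Z","event":"mfa_success","user":"bob","sid":"S2","ip":"192.0.2.44","ua":"Safari/17 macOS","country":"US"}
{"ts":"2026-06-01T09:12:00Z","event":"request","user":"bob","sid":"S2","ip":"192.0.2.45","ua":"Safari/17 macOS","country":"US"}
{"ts":"2026-06-01T09:20:00Z","event":"mfa_success","user":"carol","sid":"S3","ip":"198.51.100.7","ua":"Chrome/125 Linux","country":"DE"}
"""


@dataclass(frozen=True)
class Fingerprint:
    """The client attributes a session was issued to."""
    ip: str
    ua: str
    country: str

    @classmethod
    def of(cls, event: dict) -> "Fingerprint":
        return cls(event["ip"], event["ua"], event["country"])


def parse_log(text: str) -> list[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events: list[dict], baseline: dict = BASELINE_COUNTRIES) -> list[dict]:
    minted: dict[str, Fingerprint] = {}  # sid -> client the session was issued to
    alerts: list[dict] = []
    for e in events:
        fp = Fingerprint.of(e)
        if e["event"] == "mfa_success":
            minted[e["sid"]] = fp
            if fp.country not in baseline.get(e["user"], set()):
                alerts.append({"user": e["user"], "sid": e["sid"], "ts": e["ts"],
                               "reason": "mfa_success_from_unusual_country"})
        elif e["event"] == "request":
            origin = minted.get(e["sid"])
            if origin is None:
                continue  # session minted before the log window; nothing to compare
            changed = {f for f in ("ip", "ua", "country")
                       if getattr(fp, f) != getattr(origin, f)}
            # A lone IP change is routine (mobile handoff, VPN). A new country, or a
            # new IP together with a new browser, is what a replayed cookie looks like.
            if "country" in changed or {"ip", "ua"} <= changed:
                alerts.append({"user": e["user"], "sid": e["sid"], "ts": e["ts"],
                               "reason": "session_replay_suspected",
                               "changed": sorted(changed)})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

Run against the sample, it raises two alerts: S1 for replay (IP, browser and country all changed mid-session) and S3 for an MFA success outside carol's baseline, while bob's IP-only change stays quiet. In production the baseline would come from sign-in history and the "changed" test would usually also weigh ASN and device identifiers rather than a raw user-agent string.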


AI Copilots and Evasion Tactics

Beyond its session hijacking mechanics, Bluekit stands out for its deep commoditization. The platform lowers the technical barrier for entry by consolidating domain registration, visual page configuration, and data exfiltration (routed seamlessly through Telegram) into a single, unified panel.

According to the analysis, the kit even includes a novelty among phishing kits: a built-in AI Assistant panel. This assistant supports a suite of models, including "abliterated" versions of Llama (models with their safety filters removed), alongside variants of GPT-4 and Claude. While researchers note that the assistant's output remains fairly basic, frequently relying on structured campaign templates and placeholders, its inclusion points to a deliberate move toward automated, multi-lingual social engineering.

To keep defenders off its trail, Bluekit maintains a heavy anti-analysis posture. It deploys WebRTC-based IP mismatch detection (comparing the address a visitor's browser leaks through WebRTC with the address the request arrived from, to spot proxies and analysis sandboxes), custom randomized CAPTCHAs that masquerade as corporate security services, and dynamic JavaScript obfuscation designed to blind automated security scanners before a human user ever reaches the phishing page.

Hardening the Defensive Perimeter

As commercialized frameworks like Bluekit scale, standard defensive playbooks must adapt. Because a BitM attack captures the session token after the victim has successfully completed authentication, organizations can no longer rely on employee vigilance or on password-plus-SMS and similar one-time-code schemes.

Defenders must migrate toward phishing-resistant MFA, such as FIDO2 hardware security keys or passkeys. These protocols cryptographically bind each authentication to the origin the browser actually observes and to a relying-party identifier that a look-alike domain cannot claim, so a proxy cannot relay the exchange; in Bluekit's model the ceremony would have to run inside the attacker's remote browser, which has no access to the victim's authenticator at all. The caveat is that the strong method must be enforced, not merely offered: leaving SMS or OTP as a fallback leaves the downgrade path open. Additionally, administrators should shorten session lifetimes, require re-authentication for sensitive actions, and deploy conditional access policies that immediately flag anomalous session behavior, such as a session used from a different device or network than the one it was issued to, or sudden location shifts.
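To make the origin-binding concrete, the model below walks a WebAuthn assertion through the relying-party checks for a genuine login and for three things a relay could try. It is an added example, not code from Bluekit, Varonis, Netcraft or any WebAuthn library; the RP ID, origins, challenge and credential key are constructed, and an HMAC stands in for the authenticator's ECDSA signature so it runs on the Python standard library alone.

```python
"""Why a phishing relay cannot forward a FIDO2/WebAuthn login.
Added example. Names are assumptions; HMAC stands in for the authenticator's
ECDSA signature so that only the standard library is needed."""
import base64
import hashlib
import hmac
import json
from urllib.parse import urlparse

RP_ID = "login.example.com"                  # assumed relying-party ID
RP_ORIGIN = "https://login.example.com"      # origin the RP expects to see
LURE_ORIGIN = "https://login.example.com.lure.test"  # constructed look-alike
CRED_KEY = b"victim-credential-key-stand-in"  # constructed; stands in for the key pair
CHALLENGE = bytes(range(32))                 # constructed; fresh per login in reality


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def browser_get_assertion(page_origin: str, rp_id: str, challenge: bytes):
    """Model of browser plus authenticator. Returns (auth_data, client_data_json,
    signature), or raises if the page may not use credentials for this RP ID."""
    host = urlparse(page_origin).hostname or ""
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError(f"RP ID {rp_id!r} is not valid for origin {page_origin!r}")
    # The browser, not the page's JavaScript, fills in the origin it is really on.
    client_data_json = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": page_origin}
    ).encode()
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    flags = b"\x05"                              # user-present and user-verified bits
    counter = (1).to_bytes(4, "big")
    auth_data = rp_id_hash + flags + counter
    signed = auth_data + hashlib.sha256(client_data_json).digest()
    signature = hmac.new(CRED_KEY, signed, hashlib.sha256).digest()  # stand-in for ECDSA
    return auth_data, client_data_json, signature


def rp_verify(auth_data: bytes, client_data_json: bytes, signature: bytes,
              expected_challenge: bytes = CHALLENGE) -> str:
    """Relying-party checks, in the order the WebAuthn spec lists them (abridged)."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return "rejected: wrong ceremony type"
    if cd.get("challenge") != b64url(expected_challenge):
        return "rejected: challenge mismatch (replay?)"
    if cd.get("origin") != RP_ORIGIN:
        return "rejected: origin mismatch"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rejected: rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return "rejected: user not present"
    signed = auth_data + hashlib.sha256(client_data_json).digest()
    expected = hmac.new(CRED_KEY, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return "rejected: bad signature"
    return "ok"


def legitimate_login() -> str:
    return rp_verify(*browser_get_assertion(RP_ORIGIN, RP_ID, CHALLENGE))


def lure_requests_real_credential() -> str:
    """The look-alike page asks for the real RP ID: the browser refuses outright."""
    try:
        browser_get_assertion(LURE_ORIGIN, RP_ID, CHALLENGE)
    except PermissionError as exc:
        return f"browser refused: {exc}"
    return "unexpected success"


def lure_relays_own_assertion() -> str:
    """The lure uses an RP ID it owns and forwards the assertion unchanged."""
    return rp_verify(*browser_get_assertion(LURE_ORIGIN, "lure.test", CHALLENGE))


def lure_forges_relayed_fields() -> str:
    """The lure rewrites origin and rpIdHash to the real values before forwarding.
    Both are under the signature, so the forgery fails at the last check."""
    auth_data, cdj, sig = browser_get_assertion(LURE_ORIGIN, "lure.test", CHALLENGE)
    cd = json.loads(cdj)
    cd["origin"] = RP_ORIGIN
    forged_auth = hashlib.sha256(RP_ID.encode()).digest() + auth_data[32:]
    return rp_verify(forged_auth, json.dumps(cd).encode(), sig)


if __name__ == "__main__":
    for fn in (legitimate_login, lure_requests_real_credential,
               lure_relays_own_assertion, lure_forges_relayed_fields):
        print(f"{fn.__name__}: {fn()}")
```

The three failure paths are the point: the browser will not even release a credential for login.example.com to a page on another registrable domain, an assertion made for the lure's own RP ID carries the lure's origin and is rejected, and patching those fields after the fact breaks the signature that covers them. None of this protects a session token issued after a successful login, which is why the shorter lifetimes and anomaly checks above still matter.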

About the Author

Jennifer Sakmufuwo Baba

Jennifer Sakmufuwo Baba is a tech analyst and writer covering artificial intelligence, fintech, and emerging technologies at TechRegard. Based in Nigeria, she's passionate about translating complex tech developments into compelling, accessible stories for diverse audiences. Her work focuses on how technology shapes innovation across Africa and globally.