Your MFA won't save you from BlueKit

BlueKit is a Phishing-as-a-Service kit that streams the real M365 login page from an attacker-controlled browser. Codes and push approvals will not stop it. Only phishing-resistant FIDO2 authentication, such as hardware security keys, will.

Imagine this. One of your team members gets an email whose link opens what looks exactly like a Microsoft 365 login prompt. They type their password. Their phone buzzes with an MFA code. They enter it. The page loads. Everything looks normal.

Except it is not normal. Every keystroke they just typed was relayed into an attacker-controlled browser somewhere else. Their password, their MFA code, their fully authenticated session, all of it streamed in real time to someone who now owns their account. They never had a chance.

That is BlueKit. And it is operational right now.

What is BlueKit and why is it different?

BlueKit is a Phishing-as-a-Service platform that went fully operational this week; Netcraft detected roughly 70 active hostnames in a single week. That is not a pilot. That is scale. It is sold as a subscription service to criminals, which means no technical skill is required. Anyone with a credit card can use it.

What makes BlueKit different from the phishing kits you already know about is the technique. Traditional adversary-in-the-middle tools like Evilginx put a reverse proxy between the victim and the real site, relaying the HTTP traffic and harvesting the session cookies as they pass through. BlueKit uses something called Browser-in-the-Middle (BitM). It streams the actual, legitimate Microsoft login page from a browser the attacker controls. The victim interacts with a completely real page. The attacker sees everything in real time. MFA codes, password resets, session cookies, all of it.

It uses rrweb, an open-source session-recording library, to record the attacker-side browser and replay it live to the victim, while the victim's clicks and keystrokes are relayed back the other way. Think screen recording for phishing, running in both directions.

A real Microsoft 365 login page rendered inside BlueKit's attacker-controlled browser. To the victim, every pixel looks identical to the legitimate Microsoft login.

This is not a new vulnerability. There is no patch Microsoft can release. The weakness is the architecture of MFA itself whenever it relies on something a human can type, copy or approve, because anything a human can hand over can be relayed.

What this means for your business

If you use Microsoft 365 (and almost every SMB does), your staff's MFA is architecturally vulnerable to this attack. SMS codes, authenticator app codes, even push notifications, none of them stop BlueKit. The moment a user types or approves something on a page the attacker controls, the session is compromised.

This also means standard phishing training, while still important for other threats, will not stop this. BlueKit's pages look completely legitimate because they are legitimate. They are real Microsoft login pages being streamed in real time. You cannot train someone to spot a fake page when the page content is not fake. The one tell that remains is the address bar: the hostname is the attacker's, not Microsoft's, and that is exactly the detail users are worst at checking under time pressure.

BlueKit also deploys a layered evasion system to avoid detection. It runs a custom CAPTCHA that impersonates legitimate services like Cloudflare, regenerates its JavaScript on every page load so that no two visits produce the same file hash, and uses WebRTC to learn a visitor's real IP address, which lets it flag security researchers who analyse it from behind proxies or VPNs.

BlueKit's custom CAPTCHA impersonating Cloudflare. The HTML structure changes on every page load to evade hash-based detection.

What actually protects you

The only reliable defense against Browser-in-the-Middle attacks is FIDO2 (WebAuthn) authentication with device-bound passkeys. Here is why: FIDO2 uses public-key cryptography tied to an authenticator the user holds, and the private key never leaves that hardware. When your staff member authenticates, the browser asks the authenticator to sign a server challenge, and the browser itself binds that signature to the origin the user is actually on and to the relying party's domain. A signature produced on the attacker's domain is useless at Microsoft's, and the attacker's remote browser has no access to the victim's key in the first place. There is nothing to type, nothing to copy, nothing to stream.

  • FIDO2 security keys (like YubiKeys) are the gold standard. The key is bound to the device and to the origin, so a streamed browser cannot use it.
  • Windows Hello and Apple Face ID (platform authenticators) are also WebAuthn-based and origin-bound, so they resist BitM for the same reason. The gap is configuration: if the account still has a weaker method enrolled as a fallback, the streamed login page can simply steer the user to that method. Use Entra ID Conditional Access with a phishing-resistant authentication strength so that the weaker methods are not accepted at all.
  • SMS codes, authenticator app codes, and push notifications (including number matching) are all vulnerable to this attack class, because whatever the user sees or approves can be relayed.

If deploying hardware keys to your entire team sounds expensive, start with the accounts that would cause the most damage: finance, admin, IT, and anyone with privileged access to customer data. Even protecting those 3-5 accounts changes your risk profile dramatically.


Not sure which of your accounts are most exposed to this type of attack?


Book a 15-minute MFA audit
We will map your current authentication setup, identify accounts most exposed to BitM phishing, and tell you exactly what to prioritize. No pitch, just a plan.