logo

Bluekit PhaaS Uses Browser-in-the-Middle Attacks to Steal Microsoft Logins

ID: 4264bfa8-29b9-5432-8c3a-336fe91cd9c6

STIX ID: report--4264bfa8-29b9-5432-8c3a-336fe91cd9c6

Feed Name: Cyber Press

Threat Score
78/100

Date Published: 2026-06-26

Date Updated: 2026-06-26

Author: Lucas Martin

...
...

**Executive summary:** Bluekit is an actively deployed Phishing‑as‑a‑Service platform leveraging a Browser‑in‑the‑Middle (BitM) attack—using rrweb to stream a live attacker-controlled Microsoft login DOM to victims—to capture credentials and bypass MFA; the report details its two-phase flow (bot/analyst detection then BitM delivery), observable signals (WebSocket DOM streams, rrweb presence, proxy asset endpoints, WebRTC IP mismatch, custom CAPTCHA), and defensive notes including increased latency as a detection cue and recommendation to adopt phishing‑resistant authentication.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.