A sophisticated Phishing-as-a-Service (PhaaS) platform called Bluekit has been confirmed operational at scale, with cybersecurity firm Netcraft detecting approximately 70 live hostnames in a single week.

First documented by Varonis Threat Labs as an emerging tool still in development, Bluekit has since matured into a fully operational threat capable of bypassing multi-factor authentication (MFA) and harvesting Microsoft login credentials in real time.

Unlike conventional adversary-in-the-middle (AitM) tools such as Evilginx, which intercept web traffic passing between the victim and the legitimate site, Bluekit employs a Browser-in-the-Middle (BitM) technique.

The platform loads the legitimate Microsoft login page inside an attacker-controlled browser and streams what the victim sees directly to their screen using rrweb, an open-source JavaScript library originally designed for session replay and product analytics.

The result is technically significant: victims are not interacting with a cloned or proxied version of a login page. They are interacting with the actual login page, rendered in the attacker’s browser.

When they complete authentication, they have logged into the attacker’s active session not their own. This architecture also neutralizes Device Bound Session Credentials (DBSC), a protection that offers some resistance to traditional AITM attacks.

Bluekit Attack Architecture

Bluekit operates in two distinct phases before credentials are ever captured.

Phase 1 — Victim Qualification: Before showing any phishing content, Bluekit subjects every visitor to layered anti-analysis checks, including randomized CSS filter manipulation to defeat pixel-hash screenshot detection, a custom CAPTCHA that impersonates brands like Cloudflare, obfuscated JavaScript bundles exceeding 1MB that are periodically rotated, browser fingerprinting (RAM, CPU count, screen resolution, headless browser indicators), and WebRTC-based IP mismatch detection to identify security analysts and automated scanners.

Phase 2 — BitM Delivery: Visitors who pass qualification checks are served a live DOM stream from the attacker’s browser over a WebSocket connection, rendering a pixel-perfect, fully interactive Microsoft login page. The victim’s keystrokes and mouse movements are relayed back to the attacker’s browser, which executes them against the real Microsoft site, completing authentication on the attacker’s machine.

Bluekit’s administration panel provides operators with a live view of victim sessions, powered by the same rrweb infrastructure used for delivery, Netcraft told Cybersecurity News.

Threat actor demonstrations shared on Telegram show real-time visibility into victim login flows as they occur, including post-authentication activity.

A key structural advantage over tools like Evilginx is session consistency. In reverse-proxy AitM attacks, the stolen session is later imported into a different browser environment, creating a fingerprint mismatch that detection systems can flag. With Bluekit, the session is created and used in the same browser throughout, eliminating that detection signal entirely.

Traditional MFA, including SMS codes, authenticator apps, and push approvals, provides no protection against Bluekit’s architecture. Since the victim completes the entire login flow, including MFA verification, inside the attacker’s browser, the attacker inherits a fully authenticated session from the start.

This is a critical structural advantage over tools like Evilginx, where Evilginx steals and later replays a session cookie in a different browser (creating a detectable fingerprint mismatch), Bluekit’s session is both created and used in the same browser environment, eliminating that detection signal.

Security teams should monitor for the following signals in web environments:

• WebSocket connections transmitting encrypted or binary data on login pages (rrweb DOM stream)
• Proxy API endpoints handling asset fetching instead of direct requests to the legitimate site
• rrweb library presence outside known analytics contexts
• Custom CAPTCHAs not served by Google or Cloudflare with randomized HTML structures
• JavaScript bundles exceeding 1MB with obfuscation and periodic rotation
• WebRTC IP mismatch detection behavior on landing pages

Security analysts running automated phishing kit evaluations should also ensure their browser environments route both TCP and UDP through proxies to avoid inadvertent IP exposure via WebRTC’s STUN server queries.

Bluekit’s weaponization of rrweb, a legitimate, widely-used open-source project, follows an established threat actor pattern of abusing trusted developer infrastructure to gain legitimacy and bypass reputation-based controls.

The presence of rrweb alone is not an indicator of compromise; context and surrounding signals are required for accurate attribution. Organizations relying solely on MFA as a credential-theft countermeasure should treat Bluekit as evidence that session-level protections and behavioral detection are now essential components of a complete phishing defense strategy.

What Features Should AI SOC Have? – Download Free 2026 AI SOC Features Checklist