
Starkiller Phishing-as-a-Service Bypasses MFA with Real-Time Proxy Attacks

Source: Krebs on Security

[Figure: diagram of the Starkiller phishing service workflow, showing a real-time proxy attack on an MFA-protected login page]

New phishing service Starkiller uses real login pages and reverse proxies to steal credentials and MFA tokens, lowering the barrier for cybercriminals. Analysis by Abnormal AI.

Stealthy Phishing Service Leverages Real Login Pages to Evade Detection

A sophisticated new phishing-as-a-service (PhaaS) platform called Starkiller is enabling cybercriminals to bypass multi-factor authentication (MFA) and traditional phishing defenses by proxying real login pages from major brands like Microsoft, Google, and Apple. Unlike static phishing kits, Starkiller dynamically loads live authentication portals, acting as a man-in-the-middle (MITM) reverse proxy to intercept credentials, session tokens, and MFA codes in real time.

Discovered and analyzed by Abnormal AI, Starkiller represents a significant evolution in phishing infrastructure, lowering the technical barrier for attackers while evading detection methods such as domain blocklisting and static page analysis.

Technical Breakdown: How Starkiller Operates

Starkiller’s core functionality relies on deceptive URLs and real-time proxying to trick victims into authenticating with legitimate services while unknowingly transmitting their credentials to attackers. Key technical features include:

  • URL Masking: Phishing links appear to point at legitimate domains (e.g., login.microsoft.com@[malicious-domain]) by abusing the @ symbol in URLs: everything before the @ in the authority part is treated as user information (a username), so the browser actually sends the request to the attacker-controlled domain that follows it.
  • Docker-Based Reverse Proxy: The service spins up headless Chrome browser instances in Docker containers to load the target brand’s real login page. These containers act as MITM proxies, forwarding victim inputs (usernames, passwords, MFA codes) to the legitimate site while logging all data.
  • Real-Time Session Hijacking: Starkiller captures session cookies and tokens during authentication, granting attackers persistent access to compromised accounts even after MFA verification.
  • Keylogging and Screen Monitoring: The platform records every keystroke and live-streams the victim’s interaction with the phishing page, enabling attackers to observe behavior in real time.
  • Automated Telegram Alerts: Operators receive instant notifications when new credentials are harvested, along with campaign analytics (e.g., visit counts, conversion rates).

Abnormal AI researchers Callie Baron and Piotr Wojtyla noted that Starkiller’s ability to relay MFA tokens in real time effectively neutralizes MFA protections, as the victim’s authentication flow is seamlessly mirrored to the legitimate service.

Impact and Threat Landscape

Starkiller is marketed by the cybercriminal group Jinkusu, which operates a user forum for customers to discuss techniques and request features. The service includes additional capabilities such as:

  • Contact Harvesting: Extracting email addresses and personal data from compromised sessions to build target lists for follow-up attacks.
  • Geo-Tracking: Monitoring the location of victims to tailor phishing campaigns.
  • A-La-Carte Features: Customizable options for URL shortening, link configuration, and analytics dashboards.

The platform’s enterprise-like design—complete with performance metrics and customer support—reflects a broader trend toward commodified cybercrime tooling. By eliminating the need for attackers to manage phishing domains or static page templates, Starkiller significantly lowers the barrier to entry for low-skill cybercriminals.

Mitigation and Recommendations

Security teams should prioritize the following defenses to counter Starkiller and similar proxy-based phishing attacks:

  • User Training: Educate employees to scrutinize URLs, particularly those containing @ symbols or unusual domain structures. Emphasize that MFA is not foolproof against real-time proxy attacks.
  • Advanced Email Filtering: Deploy solutions capable of detecting homograph attacks (e.g., rnicrosoft.com vs. microsoft.com) and malicious link obfuscation.
  • Behavioral Analytics: Monitor for anomalous authentication patterns, such as simultaneous logins from disparate locations or unusual session durations.
  • FIDO2/WebAuthn: Encourage the adoption of hardware-based MFA (e.g., YubiKeys). Because a WebAuthn credential is bound to the legitimate site's origin, an assertion cannot be obtained through a proxy running on a different domain, which makes it resistant to phishing and MITM attacks.
  • Session Monitoring: Implement tools to detect and terminate suspicious sessions, such as those originating from known malicious IPs or exhibiting unusual activity.
  • Threat Intelligence: Subscribe to feeds tracking emerging PhaaS platforms and cybercriminal forums to stay ahead of evolving tactics.
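The URL-masking trick described in the technical breakdown and the homograph check called for under Advanced Email Filtering can both be screened with the same link-triage logic. The following is an added example for illustration, not code from Abnormal AI or the Starkiller analysis; the protected brand hosts and the confusable-character table are constructed assumptions for the example.

```python
from urllib.parse import urlsplit

# Constructed for this example: login hosts that proxy-based phishing kits
# such as Starkiller impersonate. A real deployment would load this list
# from configuration.
PROTECTED_HOSTS = {"login.microsoft.com", "accounts.google.com", "appleid.apple.com"}

# Crude confusable map (assumption for this example): glyph pairs commonly
# used in lookalike domains, e.g. "rnicrosoft.com" for "microsoft.com".
_CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


def normalize_confusables(label: str) -> str:
    """Collapse common lookalike sequences so 'rnicrosoft' compares as 'microsoft'."""
    for fake, real in _CONFUSABLES:
        label = label.replace(fake, real)
    return label


def registrable(host: str) -> str:
    """Last two labels of a host; sufficient for the brands in this example."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def triage_url(url: str) -> dict:
    """Return the host the browser will really contact plus any phishing indicators."""
    if "://" not in url:
        url = "https://" + url  # bare links still parse to the right authority
    parts = urlsplit(url)
    effective_host = (parts.hostname or "").lower()
    userinfo = parts.username  # text before '@' in the authority, if any
    findings = []
    brand_domains = {registrable(h) for h in PROTECTED_HOSTS}

    # Indicator 1: a userinfo component at all, and one that names a brand.
    if userinfo is not None:
        findings.append("userinfo-present")
        if any(b in userinfo.lower() for b in brand_domains):
            findings.append("brand-in-userinfo")

    # Indicator 2: the real host is a lookalike of a protected brand domain.
    actual = registrable(effective_host)
    if effective_host and actual != normalize_confusables(actual) \
            and normalize_confusables(actual) in brand_domains:
        findings.append("homograph-lookalike")

    return {"effective_host": effective_host, "findings": findings,
            "verdict": "block" if findings else "allow"}
```

Feed `triage_url` every link extracted from an inbound message; the `effective_host` field is the value to compare against blocklists and reputation feeds, since that is where the victim's browser will actually connect.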

Conclusion

Starkiller exemplifies the growing sophistication of phishing-as-a-service offerings, combining real-time proxying, MFA bypass, and enterprise-grade tooling to create a potent threat. As cybercriminals continue to refine these techniques, organizations must adapt their defenses to address the shifting landscape of credential theft and account takeover attacks.
