CyberHappenings logo
Home Browse Watchlists Experimental About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

Starkiller Phishing Kit Bypasses MFA via Proxy-Based Attacks

First reported
Last updated
3 unique sources, 3 articles

Summary

Hide ▲

A new phishing kit called Starkiller has emerged, allowing attackers to bypass multi-factor authentication (MFA) by proxying legitimate login pages. The kit is distributed as a subscription-based service on the dark web, offering real-time session monitoring and keylogging capabilities. It mimics login pages of major services like Google, Microsoft, and banks, routing traffic through attacker-controlled infrastructure to steal credentials and authentication tokens. Starkiller uses Docker containers running headless Chrome instances to serve genuine page content, making it difficult for security vendors to detect or block. The toolkit is sold with updates and customer support, posing a significant escalation in phishing infrastructure. The service is part of a broader cybercrime offering by a threat group called Jinkusu, which provides additional features such as email harvesting and campaign analytics. Starkiller integrates URL shorteners such as TinyURL to obscure the destination URL. It uses a headless Chrome instance inside a Docker container to act as a reverse proxy between the target and the legitimate site. The platform centralizes infrastructure management, phishing page deployment, and session monitoring within a single control panel, combining URL masking, session hijacking, and MFA bypass to streamline phishing operations.

Timeline

  1. 19.02.2026 14:00 3 articles · 12d ago

    Starkiller Phishing Kit Bypasses MFA via Proxy-Based Attacks

    A new phishing kit called Starkiller has emerged, allowing attackers to bypass multi-factor authentication (MFA) by proxying legitimate login pages. The kit is distributed as a subscription-based service on the dark web, offering real-time session monitoring and keylogging capabilities. It mimics login pages of major services like Google, Microsoft, and banks, routing traffic through attacker-controlled infrastructure to steal credentials and authentication tokens. Starkiller uses Docker containers running headless Chrome instances to serve genuine page content, making it difficult for security vendors to detect or block. The toolkit is sold with updates and customer support, posing a significant escalation in phishing infrastructure. The service is part of a broader cybercrime offering by a threat group called Jinkusu, which provides additional features such as email harvesting and campaign analytics. Starkiller integrates URL shorteners such as TinyURL to obscure the destination URL. It uses a headless Chrome instance inside a Docker container to act as a reverse proxy between the target and the legitimate site. The platform centralizes infrastructure management, phishing page deployment, and session monitoring within a single control panel, combining URL masking, session hijacking, and MFA bypass to streamline phishing operations.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

Multi-Stage AitM Phishing and BEC Campaigns Target Energy Sector

Microsoft has identified a multi-stage adversary-in-the-middle (AitM) phishing and business email compromise (BEC) campaign targeting organizations in the energy sector. The attackers abused SharePoint file-sharing services to deliver phishing payloads and created inbox rules to maintain persistence and evade detection. The campaign involved leveraging compromised internal identities to conduct large-scale phishing attacks within and outside the victim organizations. Additionally, the AgreeTo Outlook add-in was hijacked and turned into a phishing kit, stealing over 4,000 Microsoft account credentials. The threat actor deployed a fake Microsoft sign-in page, password collection page, exfiltration script, and redirect, exploiting the add-in's ReadWriteItem permissions. This is the first known instance of malware found on the official Microsoft Marketplace. The add-in was abandoned by its developer and the attacker exploited the abandoned domain to serve the phishing kit. The incident highlights the need for better monitoring of add-ins and their associated URLs.

Open in new tab

Vishing Attacks Target Okta SSO Accounts for Data Theft

Threat actors are using vishing attacks to steal Okta SSO credentials, bypassing MFA and gaining access to enterprise cloud services. The attacks involve real-time manipulation of phishing pages and social engineering to trick employees into revealing their credentials and MFA codes. Once access is gained, attackers exfiltrate data from integrated platforms like Salesforce and demand extortion payments. The phishing kits used in these attacks are sold as a service and are actively employed by multiple hacking groups targeting identity providers and cryptocurrency platforms. Okta recommends using phishing-resistant MFA methods to mitigate these threats. Attackers use Telegram channels to receive stolen credentials and adapt their campaign based on the MFA or authentication solution the target is using. Phishing kits allow attackers to generate fake MFA notifications to bypass MFA protections.

Open in new tab

Phishing Attacks Exploit Human Psychology and AI Advancements

Phishing attacks are increasingly sophisticated, exploiting human psychology and leveraging AI advancements to bypass traditional defenses. Even seasoned cybersecurity professionals can fall victim to phishing due to timing, context, and emotional factors. The phishing ecosystem has evolved into a mature service economy, with phishing-as-a-service (PhaaS) platforms and AI-powered tools like PhishGPT making attacks more convincing and scalable. The psychological aspects of phishing, such as urgency, context switching, and emotional timing, are key to their success. Attackers use these tactics to manipulate victims into revealing sensitive information. The technological infrastructure supporting phishing is vast, including rotating domains, bulletproof hosting, and proxy networks, making it difficult to block these campaigns. The barrier to entry for phishing has significantly lowered, with phishing kits sold as turnkey products, complete with hosting, tutorials, and customer support. This makes advanced attacks accessible to low-skill operators worldwide.

Open in new tab

OAuth Device Code Phishing Campaigns Target Microsoft 365 Accounts

A surge in phishing campaigns exploiting Microsoft’s OAuth device code authorization flow has been observed, targeting Microsoft 365 accounts. Both state-aligned and financially motivated actors are using social engineering to trick users into approving malicious applications, leading to account takeover and data theft. The attacks leverage the OAuth 2.0 device authorization grant, a legitimate process designed for devices with limited input capabilities. Once victims enter a device code generated by an attacker-controlled application, the threat actor receives a valid access token, granting control over the compromised account. The campaigns use QR codes, embedded buttons, and hyperlinked text to initiate the attack chain, often claiming to involve document sharing, token reauthorization, or security verification. The growth of these campaigns is linked to readily available phishing tools like SquarePhish2 and Graphish, which simplify device code abuse and require limited technical skill. Proofpoint observed financially motivated actor TA2723 and Russia-linked group UNK_AcademicFlare adopting this technique, targeting various sectors in the US and Europe. Microsoft recently warned of phishing campaigns using OAuth URL redirection mechanisms to bypass conventional phishing defenses. These campaigns target government and public-sector organizations, redirecting victims to attacker-controlled infrastructure without stealing their tokens. Attackers abuse OAuth's standard behavior by crafting URLs with manipulated parameters or associated malicious applications to redirect users to malicious destinations. The attack starts with a malicious application created by the threat actor, configured with a redirect URL pointing to a rogue domain hosting malware. The malicious payloads are distributed as ZIP archives, leading to PowerShell execution, DLL side-loading, and pre-ransom or hands-on-keyboard activity. The activity, ongoing since September 2025, is being tracked by Proofpoint under the moniker UNK_AcademicFlare. The attacks involve using compromised email addresses belonging to government and military organizations to strike entities within government, think tanks, higher education, and transportation sectors in the U.S. and Europe. The adversary claims to share a link to a document that includes questions or topics for the email recipient to review before the meeting. The URL points to a Cloudflare Worker URL that mimics the compromised sender's Microsoft OneDrive account and instructs the victim to copy the provided code and click 'Next' to access the supposed document. Device code phishing was documented in detail by both Microsoft and Volexity in February 2025, attributing the use of the attack method to Russia-aligned clusters such as Storm-2372, APT29, UTA0304, and UTA0307. The October 2025 campaign is assessed to have been fueled by the ready availability of crimeware offerings like the Graphish phishing kit and red-team tools such as SquarePhish. To counter the risk posed by device code phishing, the best option is to create a Conditional Access policy using the Authentication Flows condition to block device code flow for all users. If that's not feasible, it's advised to use a policy that uses an allow-list approach to allow device code authentication for approved users, operating systems, or IP ranges. Threat actors are now targeting technology, manufacturing, and financial organizations in campaigns that combine device code phishing and voice phishing (vishing) to abuse the OAuth 2.0 Device Authorization flow and compromise Microsoft Entra accounts. Unlike previous attacks that utilized malicious OAuth applications to compromise accounts, these campaigns instead leverage legitimate Microsoft OAuth client IDs and the device authorization flow to trick victims into authenticating. This provides attackers with valid authentication tokens that can be used to access the victim's account without relying on regular phishing sites that steal passwords or intercept multi-factor authentication codes. Hackers are abusing the legitimate OAuth redirection mechanism to bypass phishing protections in email and browsers to take users to malicious pages. The attacks target government and public-sector organizations with phishing links that prompt users to authenticate to a malicious application. The malicious OAuth applications are registered with an identity provider, such as Microsoft Entra ID, and leverage the OAuth 2.0 protocol to obtain delegated or application-level access to user data and resources. The attackers create malicious OAuth applications in a tenant they control and configure them with a redirect URI pointing to their infrastructure. The researchers say that even if the URLs for Entra ID look like legitimate authorization requests, the endpoint is invoked with parameters for silent authentication without an interactive login and an invalid scope that triggers authentication errors. This forces the identity provider to redirect users to the redirect URI configured by the attacker. In some cases, the victims are redirected to phishing pages powered by attacker-in-the-middle frameworks such as EvilProxy, which can intercept valid session cookies to bypass multi-factor authentication (MFA) protections. Microsoft found that the 'state' parameter was misused to auto-fill the victim’s email address in the credentials box on the phishing page, increasing the perceived sense of legitimacy. In other instances, the victims are redirected to a 'download' path that automatically delivers a ZIP file with malicious shortcut (.LNK) files and HTML smuggling tools. Opening the .LNK launches PowerShell, which performs reconnaissance on the compromised host and extracts the components required for the next step, DLL side-loading. A malicious DLL (crashhandler.dll) decrypts and loads the final payload (crashlog.dat) into memory, while a legitimate executable (stream_monitor.exe) loads a decoy to distract the victim. Microsoft suggests that organizations should tighten permissions for OAuth applications, enforce strong identity protections and Conditional Access policies, and use cross-domain detection across email, identity, and endpoints.

Open in new tab

VoidProxy phishing service targets Microsoft 365, Google accounts

A new phishing-as-a-service (PhaaS) platform, VoidProxy, targets Microsoft 365 and Google accounts, including those protected by third-party single sign-on (SSO) providers like Okta. The platform uses adversary-in-the-middle (AitM) tactics to steal credentials, multi-factor authentication (MFA) codes, and session cookies in real time. The attack begins with emails from compromised accounts at email service providers, which include shortened links redirecting recipients to phishing sites. The phishing sites are hosted on disposable low-cost domains and protected by Cloudflare to hide their real IPs. Additionally, a new phishing automation platform named Quantum Route Redirect (QRR) is targeting Microsoft 365 users worldwide. QRR uses around 1,000 domains hosted on parked or compromised domains to steal credentials. The attacks start with malicious emails impersonating various services, redirecting users to credential harvesting pages. QRR employs a built-in filtering mechanism to distinguish between bots and human visitors, redirecting humans to phishing pages while sending bots to benign sites. QRR has been observed targeting Microsoft 365 accounts across 90 countries, with 76% of attacks directed at U.S. users. The platform offers advanced features such as a configuration panel, monitoring dashboards, intelligent traffic routing, and an analytics dashboard, making it easier for less technically minded cybercriminals to launch sophisticated phishing campaigns. QRR has been observed in the wild since August 2025 and uses a URL pattern of "/([\w\d-]+\.){2}[\w]{,3}\/quantum.php/" for its phishing campaigns. QRR can bypass Microsoft 365 email protections, including Microsoft Exchange Online Protection (EOP), secure email gateways (SEG), and integrated cloud email security (ICES) products. QRR's intelligent redirect system can differentiate between security tools and human visitors, redirecting security tools to legitimate websites and human visitors to phishing pages. QRR has been observed deceiving web application firewall products, enabling attacks to bypass multiple layers of security.

Open in new tab