Phishing Platforms Now Use Live Website Proxying to Steal Sessions and Bypass MFA
A new generation of phishing toolkits is changing how account takeover attacks are executed. Instead of imitating login pages, attackers are now proxying real authentication portals in real time, allowing them to intercept credentials, authentication tokens, and active user sessions.
One such toolkit, known as Starkiller, demonstrates how phishing infrastructure is evolving into a structured cybercrime platform capable of bypassing multi-factor authentication (MFA).
Real Websites Used Inside Phishing Attacks
Traditional phishing campaigns rely on cloned login pages that imitate well-known brands. These pages must be constantly updated as legitimate services change their interfaces.
The Starkiller toolkit removes that limitation by delivering live content from the actual website being impersonated.
The system launches a containerized browser environment that loads the real login page and forwards all interactions through attacker-controlled infrastructure. To the victim, the page behaves exactly like the original service.
Because the real site is being proxied in real time, there are no phishing templates for security tools to fingerprint or block.
Adversary-in-the-Middle Infrastructure
Technically, the attack operates as an Adversary-in-the-Middle (AiTM) reverse proxy.
Every action performed by the user passes through the attacker’s infrastructure:
- keystrokes entered into login forms
- authentication requests
- multi-factor authentication codes
- session cookies and tokens
Once authentication succeeds, attackers can capture the active session tokens and gain access to the account without needing to repeat the login process.
This effectively neutralizes traditional MFA protections.
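The reason a relayed one-time code or push approval does not help here is that nothing in those factors is tied to the page the user is actually looking at. Origin-bound authentication closes that gap: a WebAuthn/FIDO2 assertion carries the browser's origin and a hash of the relying-party ID, and the server rejects anything that was not signed for its own domain. The following is an added illustration of the relying-party side of that check, not code from the article or from any toolkit it describes; the RP_ID, allowed origin and all sample inputs are constructed, and signature verification over the assertion is deliberately left out so the origin-binding logic stands alone.

```python
import hashlib
import json
import secrets
import base64

# Relying-party configuration (constructed for this example).
RP_ID = "login.example.com"
ALLOWED_ORIGINS = {"https://login.example.com"}
FLAG_USER_PRESENT = 0x01  # bit 0 of the authenticatorData flags byte


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def check_assertion(client_data_json: bytes, authenticator_data: bytes,
                    expected_challenge: str) -> tuple[bool, str]:
    """Relying-party checks on a WebAuthn assertion, excluding signature verification.

    Returns (accepted, reason). A page served through a proxy on another host
    produces a different origin and a different rpIdHash, so it fails here even
    though the user pressed a genuine security key.
    """
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    challenge = client_data.get("challenge")
    if not isinstance(challenge, str) or not secrets.compare_digest(challenge, expected_challenge):
        return False, "challenge mismatch (possible replay)"
    origin = client_data.get("origin")
    if origin not in ALLOWED_ORIGINS:
        return False, f"origin {origin!r} is not the relying party (possible proxy)"
    if len(authenticator_data) < 37:  # 32-byte rpIdHash + 1 flags byte + 4-byte counter
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match the relying party"
    if not authenticator_data[32] & FLAG_USER_PRESENT:
        return False, "user presence flag not set"
    return True, "ok (signature still to be verified)"


def make_client_data(origin: str, challenge: str) -> bytes:
    """Constructed clientDataJSON in the shape a browser produces."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin, "crossOrigin": False}).encode()


def make_auth_data(rp_id: str, flags: int = FLAG_USER_PRESENT, counter: int = 1) -> bytes:
    """Constructed authenticatorData: sha256(rpId) || flags || signCount."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")


if __name__ == "__main__":
    challenge = b64url_encode(secrets.token_bytes(32))
    # Browser on the real site: origin and rpIdHash both match.
    print(check_assertion(make_client_data("https://login.example.com", challenge),
                          make_auth_data(RP_ID), challenge))
    # Browser viewing the same page through a lookalike host (constructed name):
    # the browser scopes the ceremony to that host, so the server rejects it.
    print(check_assertion(make_client_data("https://login-example.test", challenge),
                          make_auth_data("login-example.test"), challenge))
```

The challenge comparison guards against replay of a captured assertion, and the origin and rpIdHash checks are what make the credential unusable from any host other than the genuine one; a real deployment adds signature verification with the stored public key and a sign-counter check on top of this.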
Phishing-as-a-Service Model
The infrastructure behind Starkiller also illustrates another major shift. Phishing operations are increasingly packaged as platform-style services.
Operators are provided with a centralized dashboard where they can:
- select brands to impersonate
- supply the legitimate login URL of a target service
- generate phishing links
- monitor captured sessions in real time
Link masking tools and URL shorteners are integrated directly into the workflow to make phishing messages appear legitimate.
This model significantly reduces the skill level required to conduct advanced identity attacks.
Expanding MFA Bypass Techniques
Recent phishing campaigns show that attackers are also abusing legitimate authentication mechanisms.
One example involves the OAuth device authorization flow, commonly used for logging into applications without a browser.
In these attacks:
- An attacker registers a malicious OAuth application.
- A device authentication code is generated.
- The victim is instructed through phishing messages to enter the code on a legitimate login page.
Because the authentication takes place on the real service, the victim unknowingly grants access to the attacker’s application.
The attacker then receives a valid access token, which can provide persistent access to services such as Microsoft 365 accounts and organizational data.
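Because the device authorization flow completes on the genuine service, the identity provider's own sign-in telemetry is where this shows up. The following added example, which is not code from the article or from any of the vendors it cites, reviews constructed sign-in records and flags device-code authentications that fall outside policy. It assumes a record layout loosely modelled on identity-provider sign-in logs (an `authenticationProtocol` field with the value `deviceCode`, an `appId`, and the client address recorded for the sign-in); the field names, application IDs, addresses and the trusted-network range are all assumptions to be mapped onto your own provider's schema.

```python
import ipaddress

# Constructed sample sign-in records (not real telemetry). Field names are an
# assumption about the log schema; adapt them to what your IdP emits.
SIGN_INS = [
    {"user": "alice@example.com", "authenticationProtocol": "deviceCode",
     "appId": "00000000-0000-0000-0000-000000000001",
     "appDisplayName": "Meeting Room Console", "ipAddress": "10.20.30.40"},
    {"user": "bob@example.com", "authenticationProtocol": "deviceCode",
     "appId": "00000000-0000-0000-0000-0000000000ff",
     "appDisplayName": "Helpdesk Portal", "ipAddress": "198.51.100.23"},
    {"user": "carol@example.com", "authenticationProtocol": "none",
     "appId": "00000000-0000-0000-0000-000000000002",
     "appDisplayName": "Mail", "ipAddress": "10.20.30.41"},
    {"user": "alice@example.com", "authenticationProtocol": "deviceCode",
     "appId": "00000000-0000-0000-0000-000000000001",
     "appDisplayName": "Meeting Room Console", "ipAddress": "203.0.113.9"},
]

# Policy (assumed for the example): device-code sign-ins are expected only for
# one registered application, and only from corporate address space.
APPROVED_DEVICE_CODE_APPS = {"00000000-0000-0000-0000-000000000001"}
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]


def is_trusted_ip(ip: str) -> bool:
    """True when the address parses and lies inside a trusted network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)


def review_device_code_signins(records: list[dict]) -> list[dict]:
    """Return one finding per device-code sign-in that violates policy.

    Non-device-code sign-ins are ignored; each finding lists every reason it
    tripped so an analyst sees both the unapproved app and the odd location.
    """
    findings = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        reasons = []
        if rec.get("appId") not in APPROVED_DEVICE_CODE_APPS:
            reasons.append("device code used for an unapproved application")
        if not is_trusted_ip(rec.get("ipAddress", "")):
            reasons.append("completed from outside trusted networks")
        if reasons:
            findings.append({"user": rec["user"], "app": rec.get("appDisplayName"),
                             "ip": rec.get("ipAddress"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in review_device_code_signins(SIGN_INS):
        print(finding)
```

An allowlist of applications permitted to use the device code flow, enforced at the identity provider where possible, is the preventive counterpart to this detective check; the review above is for catching what the policy does not yet block.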
DIAMATIX Perspective
Identity infrastructure has become the primary attack surface in modern organizations.
Phishing campaigns are no longer limited to stealing passwords. Increasingly, attackers target authentication flows and active session tokens, which allows them to bypass controls that were originally designed to protect credentials.
Several trends are becoming visible:
- phishing infrastructure evolving into full platforms
- increased use of adversary-in-the-middle techniques
- exploitation of legitimate authentication mechanisms
- automated workflows enabling attacks at scale
Organizations should adapt their defensive strategies accordingly by focusing on identity-layer monitoring and session protection.
Recommended defensive measures include:
- deploying phishing-resistant authentication mechanisms
- monitoring anomalous login sessions and token usage
- restricting OAuth application approvals
- strengthening user awareness around authentication prompts and login flows
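A stolen session token is used from the attacker's infrastructure, so the simplest signal for "anomalous login sessions and token usage" is a session identifier that changes both client address and client software within a short window. The following added example, not code from the article or from DIAMATIX, parses a few constructed application access-log lines and reports such sessions; the log format, session IDs, addresses and the 30-minute window are all assumptions for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access-log lines (not from any real system). Assumed
# format: ISO timestamp, client IP, session id, quoted user agent.
LOG_LINES = """\
2024-05-02T09:00:01Z 203.0.113.10 sid=a1b2c3 "Mozilla/5.0 (Windows NT 10.0) Chrome/124"
2024-05-02T09:00:05Z 203.0.113.10 sid=a1b2c3 "Mozilla/5.0 (Windows NT 10.0) Chrome/124"
2024-05-02T09:02:40Z 198.51.100.77 sid=a1b2c3 "python-requests/2.31"
2024-05-02T09:10:00Z 192.0.2.55 sid=d4e5f6 "Mozilla/5.0 (Macintosh) Safari/17"
2024-05-02T11:30:00Z 192.0.2.55 sid=d4e5f6 "Mozilla/5.0 (Macintosh) Safari/17"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) sid=(\S+) "([^"]*)"$')


def parse_log(text: str) -> list[tuple[datetime, str, str, str]]:
    """Parse log lines into (timestamp, ip, session_id, user_agent); skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def find_session_anomalies(events, window: timedelta = timedelta(minutes=30)) -> list[dict]:
    """Flag a session id reused from a new IP *and* a new user agent within `window`.

    Requiring both to change keeps ordinary mobile address churn (same browser,
    new IP) out of the alert stream while still catching a cookie replayed from
    different tooling on different infrastructure.
    """
    last_seen: dict[str, tuple[datetime, str, str]] = {}
    alerts = []
    for ts, ip, sid, ua in sorted(events):
        prev = last_seen.get(sid)
        if prev is not None:
            prev_ts, prev_ip, prev_ua = prev
            if ip != prev_ip and ua != prev_ua and ts - prev_ts <= window:
                alerts.append({"sid": sid, "prev_ip": prev_ip, "new_ip": ip,
                               "prev_ua": prev_ua, "new_ua": ua,
                               "gap_seconds": int((ts - prev_ts).total_seconds())})
        last_seen[sid] = (ts, ip, ua)
    return alerts


if __name__ == "__main__":
    for alert in find_session_anomalies(parse_log(LOG_LINES)):
        print(alert)
```

This is a heuristic and will miss a replay that copies the victim's user agent; binding the session to the client (for example through device-bound or sender-constrained tokens) is the stronger control, with this kind of review as a backstop.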
As phishing operations become more industrialized, defending identity infrastructure requires visibility not only into credentials, but also into authentication sessions and token activity.
Sources
Public threat intelligence reporting and security research published by Abnormal Security, Datadog, BlueVoyant and other industry researchers examining modern phishing infrastructure.