Cybersecurity researchers have identified a new phishing platform called Starkiller that uses a reverse proxy to bypass multi-factor authentication by streaming live content from legitimate websites. This tool, along with the evolving 1Phish kit, represents a shift toward phishing-as-a-service models that allow low-skill attackers to execute sophisticated account takeovers at scale.
Researchers have uncovered a sophisticated new phishing toolkit named Starkiller that enables attackers to bypass multi-factor authentication by acting as a live intermediary between a victim and a legitimate website. Marketed by a group known as Jinkusu, the platform uses a headless browser within a container to mirror real login pages in real time. This method ensures that the phishing content is always identical to the actual site, preventing security software from using traditional file-based signatures to block the attack. Because the system proxies the live session, it can capture keystrokes, form data, and session tokens as they are entered by the user.
At the same time, existing phishing tools are becoming significantly more advanced through iterative development. The 1Phish kit, for example, recently transitioned from a basic credential harvester into a complex multi-stage system specifically targeting 1Password users. The latest versions of this kit include advanced features such as browser fingerprinting to filter out security bots and the ability to intercept one-time passcodes and recovery codes. These updates demonstrate a deliberate effort by developers to increase the success rates of their campaigns while making them harder for automated security systems to analyze.
The rise of turnkey solutions like Starkiller and 1Phish is effectively turning high-level cybercrime into a subscription-style workflow. By centralizing infrastructure management and session monitoring into a single dashboard, these platforms lower the technical barrier to entry. This democratization of cybercrime allows individuals with minimal technical expertise to launch attacks that were previously only possible for advanced persistent threat groups. The goal is to provide a seamless experience for the attacker while maintaining a highly convincing environment for the victim.
In addition to reverse proxy kits, attackers are leveraging legitimate authorization protocols to gain unauthorized access to corporate accounts. Recent campaigns targeting North American businesses have abused the OAuth 2.0 device authorization flow to compromise Microsoft 365 accounts. In these scenarios, victims are tricked into entering an attacker-provided code into a legitimate Microsoft login portal. This action authorizes the attacker’s malicious application, granting them persistent access to the victim’s emails and corporate data without ever needing to steal a password directly.
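A defender-side check for the device-code abuse described above, as an added example that is not part of the original article: it flags successful device-code sign-ins that fall outside an allow list and notes when the source IP is new for that user. The records are constructed, and the field names (modeled on Microsoft Entra sign-in log exports), app IDs and allow list are assumptions to map onto your own log schema.

```python
from datetime import datetime

# Constructed sample sign-in records (not real data). Field names are modeled on
# Microsoft Entra sign-in log exports and are assumptions; map them to your schema.
SIGNINS = [
    {"createdDateTime": "2025-11-03T09:00:00Z", "userPrincipalName": "kiosk@example.com",
     "appId": "app-room-display", "authenticationProtocol": "deviceCode",
     "ipAddress": "192.0.2.10", "errorCode": 0},
    {"createdDateTime": "2025-11-03T09:05:00Z", "userPrincipalName": "alice@example.com",
     "appId": "app-mail", "authenticationProtocol": "none",
     "ipAddress": "192.0.2.20", "errorCode": 0},
    {"createdDateTime": "2025-11-03T09:30:00Z", "userPrincipalName": "alice@example.com",
     "appId": "app-unknown", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.50", "errorCode": 0},
    {"createdDateTime": "2025-11-03T09:40:00Z", "userPrincipalName": "bob@example.com",
     "appId": "app-unknown", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.50", "errorCode": 1},  # constructed non-zero code = failed
]

# Hypothetical allow list: (user, app) pairs with a business need for device-code sign-in.
ALLOWED_PAIRS = {("kiosk@example.com", "app-room-display")}


def find_suspicious_device_code_signins(signins, allowed_pairs):
    """Return successful device-code sign-ins outside the allow list, oldest first."""
    seen_ips = {}  # user -> IPs observed in that user's earlier sign-ins
    findings = []
    ordered = sorted(signins, key=lambda r: datetime.fromisoformat(
        r["createdDateTime"].replace("Z", "+00:00")))
    for rec in ordered:
        user = rec["userPrincipalName"].lower()
        known = seen_ips.setdefault(user, set())
        is_device_code = rec.get("authenticationProtocol", "").lower() == "devicecode"
        if is_device_code and rec["errorCode"] == 0 and (user, rec["appId"]) not in allowed_pairs:
            reasons = ["device-code grant not on allow list"]
            if known and rec["ipAddress"] not in known:
                reasons.append("IP not previously seen for user")
            findings.append({"user": user, "appId": rec["appId"], "ip": rec["ipAddress"],
                             "time": rec["createdDateTime"], "reasons": reasons})
        known.add(rec["ipAddress"])
    return findings


if __name__ == "__main__":
    for f in find_suspicious_device_code_signins(SIGNINS, ALLOWED_PAIRS):
        print(f["time"], f["user"], f["appId"], f["ip"], "; ".join(f["reasons"]))
```

Where no user has a legitimate need for device-code sign-in, the allow list can be empty, so every successful device-code grant is surfaced for review.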
These developments highlight a broader trend of increased sophistication across the phishing landscape, including targeted attacks against financial institutions in the United States. Throughout late 2025, researchers observed waves of activity that evolved from simple credential harvesting to more complex operations. As phishing tools continue to integrate live proxying and legitimate authentication flows, the challenge for organizations remains defending against attacks that look and behave exactly like the official services their employees use every day.
Source: Starkiller Phishing Suite Uses AitM Proxy To Evade Multi-Factor Authentication



