
Bluekit Phishing Platform Adds Dangerous New Attack Technique
Researchers reported on June 25, 2026, that the Bluekit phishing-as-a-service (PhaaS) platform has added browser-in-the-middle (BitM) capabilities, significantly increasing its threat to businesses and individuals. According to BleepingComputer, researchers also identified nearly 70 new Bluekit-linked hostnames over just the past week — a sign that the platform is scaling rapidly.
Bluekit is a commercial phishing toolkit sold or rented to attackers on a subscription basis, a model that lowers the technical barrier for conducting sophisticated credential-theft campaigns. The addition of browser-in-the-middle functionality marks a meaningful escalation in its capabilities that security teams, small businesses, healthcare organizations, and tax professionals should take seriously.
What Is a Browser-in-the-Middle Attack?
Traditional phishing pages are static imitations of legitimate login screens. They capture a username and password, but once a victim realizes something is wrong — or if multi-factor authentication (MFA) blocks the attacker — the stolen credentials may be useless.
Browser-in-the-middle attacks work differently. Instead of mimicking a login page, a BitM setup proxies a real, live website through attacker-controlled infrastructure. The victim interacts with what appears to be a fully functional, accurate version of the target site — because in many respects, it is. The attacker's server sits invisibly between the user and the legitimate service, relaying traffic in real time while intercepting session cookies, authentication tokens, and login credentials as they pass through.
The critical consequence: session cookies captured this way can allow attackers to hijack an already-authenticated session without ever needing the user's password again. This means that many forms of MFA — including SMS one-time codes and authenticator app codes — may not protect against a successful BitM interception, because the attacker doesn't log in separately; they steal the session that the victim just authenticated.
Why Bluekit's Expansion Is a Meaningful Threat Signal
The nearly 70 new hostnames identified in a single week reflect how rapidly this infrastructure is being deployed. PhaaS platforms like Bluekit commoditize advanced attack techniques, making campaigns that once required considerable technical skill accessible to a much wider pool of threat actors. Healthcare clinics, accounting firms, and small businesses are common targets precisely because they hold valuable credentials and financial data but often have fewer dedicated security resources than large enterprises.
The speed of infrastructure expansion also suggests active, ongoing campaigns rather than a dormant toolkit. Organizations that rely on cloud services, web-based payroll tools, electronic health records (EHR) platforms, or tax software portals are at heightened risk when attackers can convincingly proxy those real services through phishing infrastructure.
Key Takeaway: Standard MFA May Not Be Enough
Browser-in-the-middle attacks can intercept session tokens after MFA has already been satisfied. SMS codes and time-based authenticator apps do not provide reliable protection against this technique. Only phishing-resistant MFA — such as FIDO2 hardware security keys or passkeys — is designed to block session-proxying attacks, because authentication is cryptographically bound to the legitimate domain and cannot be relayed through a proxy.
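The following is an added example, not code from the article or from any FIDO2 library, that models why a proxied login fails phishing-resistant MFA. It reproduces the two WebAuthn checks that matter here: the browser writes the page's origin into the signed client data and the authenticator hashes the relying party ID (the page's effective domain) into the signed authenticator data, so a login page served through a relaying host produces an assertion the real site rejects. The relying party name portal.example, the challenge and the credential key are constructed; a keyed HMAC stands in for the authenticator's asymmetric signature so the example runs on the standard library alone.

```python
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Constructed values. Real WebAuthn uses an asymmetric key pair held by the
# authenticator; a keyed HMAC stands in for the signature here so the example
# runs with only the standard library. The binding being demonstrated (origin
# and RP ID hash inside the signed data) is the same either way.
CREDENTIAL_KEY = b"constructed-demo-credential-key"
RP_ID = "portal.example"                    # hypothetical relying party
RP_ORIGIN = "https://portal.example"
CHALLENGE = "constructed-challenge-1234"    # the RP would generate this per login


def browser_and_authenticator(page_origin: str, challenge: str) -> dict:
    """What the user's browser and security key produce for one login.
    The browser, not the page, fills in the origin and the RP ID (the page's
    effective domain); a page served through a proxy cannot override them."""
    rp_id = urlparse(page_origin).hostname
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        sort_keys=True).encode()
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    flags = b"\x01"                          # user-present bit set
    counter = (1).to_bytes(4, "big")
    authenticator_data = rp_id_hash + flags + counter
    signed_bytes = authenticator_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(CREDENTIAL_KEY, signed_bytes, hashlib.sha256).digest()
    return {"client_data": client_data,
            "authenticator_data": authenticator_data,
            "signature": signature}


def relying_party_verify(assertion: dict, challenge: str) -> bool:
    """The checks the legitimate site performs before accepting the login."""
    try:
        client_data = json.loads(assertion["client_data"])
    except (ValueError, KeyError):
        return False
    if client_data.get("type") != "webauthn.get":
        return False
    if client_data.get("challenge") != challenge:
        return False
    if client_data.get("origin") != RP_ORIGIN:              # origin binding
        return False
    auth_data = assertion["authenticator_data"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():  # RP ID binding
        return False
    if not auth_data[32] & 0x01:                            # user presence required
        return False
    signed_bytes = auth_data + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(CREDENTIAL_KEY, signed_bytes, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def login_from(page_origin: str) -> bool:
    """The real RP issues CHALLENGE; the user's browser is on page_origin."""
    return relying_party_verify(browser_and_authenticator(page_origin, CHALLENGE), CHALLENGE)


def relay_with_rewritten_origin(proxy_origin: str) -> bool:
    """Robustness check: if a relaying host rewrites clientDataJSON to claim
    the real origin, the RP ID hash in the signed authenticator data still
    names the proxy host and the signature no longer matches the edited bytes."""
    assertion = browser_and_authenticator(proxy_origin, CHALLENGE)
    edited = json.loads(assertion["client_data"])
    edited["origin"] = RP_ORIGIN
    assertion = dict(assertion, client_data=json.dumps(edited, sort_keys=True).encode())
    return relying_party_verify(assertion, CHALLENGE)


if __name__ == "__main__":
    lookalike = "https://portal-example.lookalike.test"   # constructed proxy host
    print("direct login:", login_from(RP_ORIGIN))          # True
    print("via lookalike host:", login_from(lookalike))    # False
    print("rewritten origin:", relay_with_rewritten_origin(lookalike))  # False
```

Contrast this with a password or TOTP code, which carries no information about where it was typed: the relying party cannot tell a code entered on the real site from one entered on a proxied copy of it.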
What This Means for Your Business
For healthcare practices, tax professionals, and small-business operators, the Bluekit expansion is a practical signal to review several controls now:
- Audit your MFA methods. If your team logs into critical platforms — EHR systems, payroll, financial accounts, cloud storage — using only SMS codes or app-based TOTP codes, evaluate whether those platforms support stronger, phishing-resistant options. FIDO2 security keys and passkeys are currently the most reliable defense against BitM-style credential interception.
- Watch for anomalous session activity. Since BitM attacks steal sessions rather than just passwords, detection often comes from behavioral signals: logins from unexpected geolocations, impossible travel between sessions, or multiple active sessions for the same account at the same time. Enable these alerts wherever your platforms support them.
- Apply conditional access policies. Where available, configure systems to require device compliance or certificate-based authentication before granting access. This can block attackers who have a stolen session token but are operating from an unmanaged or unrecognized device.
- Train staff to scrutinize login redirects. Employees should understand that a login page that looks exactly right can still be a proxy. Encourage a habit of checking the full URL before entering credentials, and establish a clear process for reporting suspicious login prompts to IT or a security contact.
- Monitor newly registered and lookalike domains. The rapid proliferation of Bluekit hostnames means attackers are using domains that may closely resemble your vendors, payroll providers, or banking portals. Threat intelligence feeds and domain-monitoring services can alert you when lookalike domains appear.
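As an added example for the "watch for anomalous session activity" item, and not code from the article or from any vendor product, the block below runs two of the behavioral checks it names over a handful of constructed login events: impossible travel between consecutive logins, and overlapping sessions for one account from different IP addresses. The event records, the IP addresses (documentation ranges), the coordinates and the two thresholds are all assumptions; in practice the events come from your identity provider's sign-in log and the coordinates from an IP geolocation lookup.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


# Constructed sample login events (not real telemetry). IPs are documentation
# ranges; lat/lon are what an IP-to-geo lookup would return for each address.
@dataclass(frozen=True)
class LoginEvent:
    user: str
    ts: datetime
    session_id: str
    ip: str
    country: str
    lat: float
    lon: float


SAMPLE_EVENTS = [
    LoginEvent("a.jones", datetime(2026, 6, 25, 9, 2),   "s-101", "203.0.113.10", "US", 41.88, -87.63),
    LoginEvent("a.jones", datetime(2026, 6, 25, 9, 31),  "s-102", "198.51.100.7", "NL", 52.37, 4.90),
    LoginEvent("b.lee",   datetime(2026, 6, 25, 9, 5),   "s-201", "203.0.113.11", "US", 41.88, -87.63),
    LoginEvent("b.lee",   datetime(2026, 6, 25, 17, 40), "s-202", "203.0.113.11", "US", 41.88, -87.63),
]

MAX_PLAUSIBLE_KMH = 900.0               # assumed ceiling: roughly airliner speed
SESSION_LIFETIME = timedelta(hours=8)   # assumed; match your platform's token lifetime


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def _by_user(events):
    """Group events per user, each group sorted by time."""
    grouped = {}
    for e in sorted(events, key=lambda e: e.ts):
        grouped.setdefault(e.user, []).append(e)
    return grouped


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Consecutive logins by one user that would need travel faster than max_kmh."""
    alerts = []
    for user, evs in _by_user(events).items():
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.ts - prev.ts).total_seconds() / 3600
            speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if speed > max_kmh:
                alerts.append({"user": user, "from": prev.session_id, "to": cur.session_id,
                               "km": round(km), "kmh": round(speed)})
    return alerts


def concurrent_sessions(events, lifetime=SESSION_LIFETIME):
    """Distinct sessions for one user from different IPs, both live within one lifetime."""
    alerts = []
    for user, evs in _by_user(events).items():
        for i, earlier in enumerate(evs):
            for later in evs[i + 1:]:
                if later.ts - earlier.ts > lifetime:
                    break                      # earlier session has expired
                if later.session_id != earlier.session_id and later.ip != earlier.ip:
                    alerts.append({"user": user,
                                   "sessions": (earlier.session_id, later.session_id),
                                   "countries": (earlier.country, later.country)})
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_EVENTS) + concurrent_sessions(SAMPLE_EVENTS):
        print(alert)
```

Both checks fire for a.jones (a second session from another country 29 minutes after the first) and neither fires for b.lee, whose two logins come from the same address more than a session lifetime apart. Tune the speed ceiling and lifetime to your environment, and treat VPN egress points and corporate proxies as known exceptions rather than lowering the thresholds globally.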
The Bigger Picture
The growth of phishing-as-a-service platforms reflects a broader industrialization of cybercrime. Attackers no longer need to build sophisticated tools from scratch — they subscribe to platforms that are actively maintained, updated, and improved, exactly as Bluekit's BitM upgrade demonstrates. For defenders, this means threat capabilities evolve continuously, and controls that were sufficient last year may need reassessment.
For organizations handling sensitive personal, financial, or health data, now is a practical moment to review MFA configurations, session-monitoring capabilities, and employee awareness training — not because a breach has occurred, but because the tools available to attackers have just gotten meaningfully more capable.