Multi-Factor Authentication (MFA) has become one of the most widely adopted security controls for protecting user accounts. However, attackers are increasingly building phishing platforms designed to sidestep MFA by stealing the authenticated session rather than breaking the second factor itself.
New reporting from Cybersecurity News reveals that BlueKit, a Phishing-as-a-Service (PhaaS) platform, enables cybercriminals to steal credentials, bypass Multi-Factor Authentication, and hijack authenticated user sessions.
The campaign demonstrates how phishing has evolved beyond simple credential theft into full session compromise, allowing attackers to gain access without needing to repeatedly authenticate.
BlueKit is a phishing kit offered as a service, making sophisticated phishing campaigns accessible even to less experienced threat actors.
Instead of building phishing infrastructure from scratch, attackers can leverage BlueKit to launch campaigns capable of:
This lowers the barrier to entry while increasing the scale of phishing operations.
According to the report, BlueKit is designed to capture user credentials and authenticated sessions in real time.
Attackers first lure victims to phishing pages that closely resemble legitimate login portals.
These pages are designed to convince users they are accessing trusted services.
When users enter their usernames and passwords, BlueKit immediately captures the credentials.
Unlike traditional phishing kits, the attack does not stop there.
As users complete Multi-Factor Authentication, BlueKit captures the authentication flow.
Instead of simply stealing passwords, the platform intercepts the authenticated session, allowing attackers to bypass MFA protections.
Once authentication is complete, BlueKit captures the user’s active session.
The attacker can then use the stolen session to access the victim’s account without needing to authenticate again.
This allows adversaries to bypass MFA while appearing as a legitimate authenticated user.
Stealing passwords alone is often no longer sufficient for attackers because organizations increasingly enforce MFA.
Session hijacking changes the equation.
Instead of attacking authentication directly, attackers steal the authenticated session after the user has already completed MFA.
This creates several challenges:
As a result, organizations relying solely on MFA may still be vulnerable to sophisticated phishing campaigns.
BlueKit reflects a growing shift toward identity-focused attacks.
Rather than targeting systems, attackers increasingly focus on:
Identity has become one of the most valuable assets in modern cyber operations.
Detecting session hijacking requires continuous monitoring of identity behavior, authentication patterns, and user activity after login.
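One way to put post-login monitoring into practice is to anchor each session to the client fingerprint (source IP and user agent) seen when MFA completed, then alert when the same session identifier is later used from a different fingerprint. The following is an added example, not code from the article or from Seceon's products; the event schema and the log records are constructed sample data.

```python
"""Flag authenticated sessions that are reused from a different client after MFA.

Added example: the event format and the sample records below are constructed,
not real telemetry. The heuristic compares every post-MFA event in a session
against the IP and user agent recorded at the moment MFA succeeded.
"""
from collections import namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts user session_id ip user_agent action")

# Constructed sample events: alice completes MFA from one client, then her
# session id appears from a different IP and browser a few minutes later.
SAMPLE_EVENTS = [
    Event("2024-05-01T09:00:00", "alice", "sess-A1", "203.0.113.10", "Firefox/125", "mfa_success"),
    Event("2024-05-01T09:05:00", "alice", "sess-A1", "203.0.113.10", "Firefox/125", "mailbox_read"),
    Event("2024-05-01T09:07:00", "alice", "sess-A1", "198.51.100.77", "Chrome/124", "mailbox_read"),
    Event("2024-05-01T09:08:00", "alice", "sess-A1", "198.51.100.77", "Chrome/124", "forwarding_rule_created"),
    Event("2024-05-01T10:00:00", "bob", "sess-B2", "203.0.113.22", "Edge/124", "mfa_success"),
    Event("2024-05-01T10:30:00", "bob", "sess-B2", "203.0.113.22", "Edge/124", "file_download"),
]


def find_hijacked_sessions(events, window=timedelta(hours=8)):
    """Return {session_id: [alert strings]} for sessions whose post-MFA activity
    comes from an IP or user agent that differs from the one that passed MFA.
    Only events within `window` of the MFA success are considered."""
    anchors = {}  # session_id -> (mfa timestamp, ip, user_agent)
    alerts = {}
    for ev in sorted(events, key=lambda e: e.ts):
        ts = datetime.fromisoformat(ev.ts)
        if ev.action == "mfa_success":
            anchors[ev.session_id] = (ts, ev.ip, ev.user_agent)
            continue
        anchor = anchors.get(ev.session_id)
        if anchor is None:
            continue  # no MFA anchor for this session; nothing to compare against
        mfa_ts, mfa_ip, mfa_ua = anchor
        if ts - mfa_ts > window:
            continue
        changed = []
        if ev.ip != mfa_ip:
            changed.append(f"ip {mfa_ip}->{ev.ip}")
        if ev.user_agent != mfa_ua:
            changed.append(f"ua {mfa_ua}->{ev.user_agent}")
        if changed:
            alerts.setdefault(ev.session_id, []).append(
                f"{ev.ts} {ev.user} {ev.action}: " + ", ".join(changed))
    return alerts
```

In production the fingerprint would typically include ASN or geolocation rather than raw IP, since legitimate users roam between networks; the point is that the comparison happens after login, not at it.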
Seceon’s aiSIEM / CGuard helps organizations:
By correlating identity events across cloud and on-premises environments, Seceon helps expose attacks that bypass traditional login controls.
Seceon’s aiXDR-PMax provides visibility into:
This enables security teams to identify malicious activity even after authentication has been bypassed.
For organizations operating in regulated industries, aiCompliance CMX360 helps:
This is particularly valuable for organizations handling financial, healthcare, or personally identifiable information.
BlueKit demonstrates that phishing is no longer limited to stealing usernames and passwords. Modern phishing platforms are designed to capture authenticated sessions, effectively bypassing Multi-Factor Authentication.
As attackers continue targeting identities instead of infrastructure, organizations must extend security beyond the login process and continuously monitor user behavior after authentication.
In today’s threat landscape, protecting identities means detecting not just who logged in, but whether their authenticated session is being used as intended.
