A phishing-as-a-service platform called Starkiller is raising the bar for credential theft by proxying real login pages instead of cloning them — capturing credentials, MFA tokens, and session cookies as victims authenticate normally. Krebs on Security has the full breakdown.
How It Works
Starkiller, operated by a threat group called Jinkusu, spins up Docker containers running headless Chrome instances that load the actual login page (e.g., Microsoft 365) and relay it to the victim in real time. The attack chain:
- The victim receives a phishing link that uses URL masking, for example login.microsoft.com@[malicious-domain]. This exploits how browsers parse the @ symbol: everything between the scheme and the @ is treated as a username, and the browser connects to the host that follows it.
- Starkiller's infrastructure loads the real login page and streams it to the victim as a man-in-the-middle proxy.
- The victim interacts with a genuine login page, completes MFA, and authenticates normally.
- Starkiller captures every keystroke, form submission, session cookie, and token in real time.
Because the victim sees and interacts with the actual login page, traditional phishing detection based on fake page layouts or domain reputation is far less effective.
Why It Matters
The platform includes real-time session monitoring, keylogging, geo-tracking, automated Telegram alerts for stolen credentials, and campaign analytics — all packaged for customers with minimal technical skills. Security firm Abnormal AI, which analyzed the service, calls it “a significant escalation in phishing infrastructure” that gives low-skill attackers capabilities previously out of reach.
This is part of a broader trend of adversary-in-the-middle (AiTM) phishing toolkits that render traditional MFA insufficient on its own.
What to Do
- Deploy phishing-resistant MFA. FIDO2 security keys and passkeys bind authentication to the legitimate domain: the browser writes the page's real origin into the signed client data and only releases credentials scoped to that site's relying-party ID, so an assertion collected on the attacker's domain is rejected by the real service and proxy-based interception yields nothing usable.
- Enforce conditional access policies. Require managed or compliant devices and block sign-ins from unrecognized platforms.
- Train users on URL inspection. Staff should know that the @ symbol in a URL is not a redirect: the browser treats everything before it as a username and connects to whatever host follows it, so login.microsoft.com@evil.com goes to evil.com.
- Monitor for token theft. Watch for session tokens being used from unexpected locations or devices shortly after authentication.
- Use browser isolation or secure web gateways. These can break the proxy chain by preventing direct interaction with attacker-controlled infrastructure.