Starkiller Phishing Service Proxies Real Login Pages, Bypasses MFA
A new phishing-as-a-service platform named 'Starkiller' is enabling cybercriminals to bypass traditional detection methods by dynamically loading the *real* login pages of target brands and acting as a stealthy relay between victims and legitimate sites. Unlike static phishing kits, Starkiller uses cleverly disguised links that visually mimic legitimate domains (e.g., 'login.microsoft.com@[malicious URL]', where the browser treats the text before the '@' as user information and connects to the host after it) and routes all traffic through attacker-controlled infrastructure. The service proxies the entire authentication session in real time, capturing usernames, passwords, and multi-factor authentication (MFA) codes as they are entered, then forwarding them to the legitimate site and returning the site's responses to the victim. This technique makes phishing pages far more convincing and harder for anti-abuse systems to detect, as they are essentially serving live, legitimate content. According to an analysis by security firm Abnormal AI, Starkiller allows customers to select from major brands like Apple, Facebook, Google, and Microsoft to impersonate, automating the technical drudgery of configuring servers, domains, and proxies that typically requires some skill. The service lowers the barrier to entry for effective phishing campaigns, posing a significant threat to organizations and individuals relying on MFA as a security layer.
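
For defenders, the disguised link format quoted above can be caught when links are scanned in mail or proxy logs. The following is an added example, not code from Abnormal AI or from the article; the watch list, the function names and the sample URLs (phish.example, git.example) are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumption: watch list built from the brands named in the article.
WATCHED = ("microsoft.com", "apple.com", "facebook.com", "google.com")
HOSTLIKE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")


def under(name, domain):
    """True if name is the domain itself or a subdomain of it."""
    return name == domain or name.endswith("." + domain)


def inspect_url(url):
    """Report the host a URL really connects to and whether its userinfo
    part (the text before '@') is dressed up to look like a hostname."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    # Everything before the last '@' in the authority is userinfo, not host.
    userinfo = parts.netloc.rpartition("@")[0]
    # userinfo is user[:password]; only the user part reads like a domain.
    shown = unquote(userinfo.split(":", 1)[0]).lower()
    host_is_watched = any(under(host, b) for b in WATCHED)
    brand = next((b for b in WATCHED if under(shown, b)), None)
    return {
        "real_host": host,
        "displayed_as": shown or None,
        "impersonated_brand": None if host_is_watched else brand,
        "suspicious": bool(HOSTLIKE.match(shown)) and shown != host,
    }


# Constructed sample links; phish.example and git.example are placeholders.
SAMPLE = [
    "https://login.microsoft.com@phish.example/signin",
    "https://login.microsoft.com/signin",
    "https://deploy:s3cret@git.example/repo.git",
]


def flagged(urls):
    """Return only the URLs whose userinfo imitates a hostname."""
    return [u for u in urls if inspect_url(u)["suspicious"]]


if __name__ == "__main__":
    for u in SAMPLE:
        print(inspect_url(u))
```

Ordinary credentials in a URL (the third sample) are not flagged, because the user part does not read like a domain name.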