PHISHING TECHNIQUE

Browser-in-the-Middle phishing beats your MFA in 2026

A new phishing-as-a-service kit called Bluekit, reported in late June 2026, does not bother cloning a login page. It streams the real login page to you from a browser the attacker controls. You type your password and finish multi-factor authentication inside their browser, so they walk away with your live, signed-in session. This is the Browser-in-the-Middle technique, and it defeats SMS codes, authenticator apps and push approvals. Here is how it works, how it differs from the lookalike attacks you have heard of, and the one defense that actually holds.

SafeBrowz Threat Research

Quick Take: phishing that defeats MFA

Browser-in-the-Middle (BitM) phishing lets an attacker steal your fully authenticated session, including any MFA you complete, by streaming a real login page to you from their own browser. BleepingComputer and Netcraft reported a phishing-as-a-service kit called Bluekit in June 2026 that builds these attacks at scale, with around 70 live hostnames in a single week and roughly 40 ready-made brand templates. When you click the link in the lure email, Bluekit opens the genuine microsoft.com, google.com or wallet login in a headless browser it controls, then streams that live page to your screen using rrweb DOM serialization over a WebSocket. You see the real site. You type your username, your password, and your SMS code, authenticator code or push approval. All of it lands inside the attacker's browser, so they capture the live session cookie and are signed in as you, with MFA already passed. The lure URL is still a lookalike, so a browser-layer scanner that flags the fake delivery page stops you before the BitM session ever loads. The defense that survives even a perfect BitM page is a phishing-resistant FIDO2 passkey or hardware security key, because its signature is bound to the real site origin, which the attacker's relayed origin cannot satisfy.

What Bluekit is

Bluekit is a phishing-as-a-service (PhaaS) kit, meaning it is sold or rented to other criminals who do not need to build anything themselves. BleepingComputer and the threat-intelligence firm Netcraft documented it in late June 2026. Those reports counted around 70 live hostnames in a single week and roughly 40 brand templates ready to go, covering the usual high-value targets: Microsoft 365, Google, and crypto wallet and exchange logins like Ledger.

What sets Bluekit apart from the average phishing kit is the engine underneath. Most kits ship a static clone of a login page, a flat copy of HTML and CSS that an attacker hosts and hopes looks convincing. Bluekit does not clone anything. It uses Browser-in-the-Middle, where the attacker runs a real browser session against the genuine site and pipes that session to you. There is nothing to get wrong in the copy, because there is no copy. You are looking at the real page.

How Browser-in-the-Middle works

The flow is simpler than it sounds, and that is what makes it dangerous.

  • You click a link in a lure. The email, DM or ad sends you to a lookalike URL the attacker owns. This is still an ordinary phishing link, and it is still the weakest point in the whole attack.
  • The attacker's server opens the real login page. On the back end, Bluekit launches a headless browser, a real browser with no visible window, and navigates it to the genuine login page at the actual brand, for example the real Microsoft or Google sign-in.
  • That real page is streamed to you. Bluekit uses rrweb, an open-source library that serializes the live DOM, and sends it to your browser over a WebSocket. Your screen renders a pixel-faithful, interactive view of the real login page. Your clicks and keystrokes are relayed back into the attacker's browser.
  • You complete the whole login, MFA and all. You type your username and password. The real site prompts for your second factor, so you enter your SMS code, tap your authenticator code, or approve the push. Every step happens inside the attacker's browser against the real site.
  • The attacker keeps the live session. Because the real site authenticated the attacker's browser, the session cookie lives in the attacker's browser. They are now signed in as you, with MFA already satisfied. They do not need your password again, and they do not need your second factor again, because a valid session does not re-prompt.

There is no fake "type your code here" box to look suspicious, because the MFA prompt you see is the real one. That is the trick. You are completing genuine multi-factor authentication. You are just doing it on the attacker's behalf.


BitM is not BitB, and it is not AiTM

Three MFA-defeating techniques get confused constantly, and the distinction matters because they fail to different defenses. Here is the precise difference.

Browser-in-the-Browser (BitB): a fake window drawn in the page

In a Browser-in-the-Browser attack, the phishing page draws a fake popup that looks like a real browser sign-in window, complete with a fake address bar showing the real domain. It is all HTML and CSS inside the attacker's page. Nothing is streamed and nothing is proxied. The whole "window" is a picture of a browser. BitB fools your eyes about the address bar. BitM does not need to, because in BitM the page really is the real page.

Adversary-in-the-Middle (AiTM): a reverse proxy relaying the real site

In an Adversary-in-the-Middle attack, the attacker runs a reverse proxy that sits between you and the real site. Your traffic passes through their server to the genuine login and back, and they harvest the session cookie in transit. Kits like Evilginx work this way. AiTM relays your network requests. BitM relays a rendered browser view. The result is similar (the attacker ends up with your session), but the plumbing is different: AiTM proxies the HTTP traffic, while BitM streams the DOM of a browser the attacker is actually driving.

Where BitM sits

All three defeat traditional MFA. SMS codes, authenticator-app codes and push approvals all fall because every one of them gets completed against the real site, just with the attacker in the loop. BitM's specific signature is that it literally streams a remote, attacker-controlled browser to you. That is why screenshot-based and visual phishing detection struggles with it, and why Bluekit adds anti-analysis tricks on top, which we cover below.

Why Bluekit is hard to catch

Bluekit was built to dodge the tools defenders use to find phishing pages.

  • Randomized CSS. The kit varies the page styling on each load to defeat screenshot and visual-similarity detection, the systems that flag a page because it looks like a known brand's login.
  • A custom CAPTCHA that imitates Cloudflare or the target brand. Before you reach the streamed login, you hit a CAPTCHA gate dressed up to look like a Cloudflare check. It adds a layer of legitimacy and blocks automated scanners from reaching the payload. We have seen fake CAPTCHA pages abused this way before.
  • WebRTC-based VPN and proxy detection. The kit uses WebRTC to sniff out researchers and sandboxes connecting through VPNs or proxies, and serves them something harmless instead of the attack, so analysts have a harder time confirming what it does.
  • A built-in AI assistant writes the lures. Bluekit ships a multi-LLM assistant that drafts the phishing emails for the operator, lowering the skill needed to run a convincing campaign and helping the messages dodge simple keyword filters.

This is the same industrialization we documented when the FBI took down an AI phishing service earlier in 2026. The kit does the hard part; the buyer just picks a brand template and presses go.

Red flags before you type

Because the login page itself is genuine in a BitM attack, you cannot rely on spotting a bad-looking page. The signal is everything that happens before the page loads.

  • You arrived from a link, not from typing the address. The single most reliable red flag. If you clicked a link in an email, text, DM, ad or search result to reach a login page, stop. The lure URL is the only fake part of a BitM attack, and it is where your defense lives.
  • The address bar is not the brand's exact domain. Look at the real URL in your own browser's address bar, not at any address shown inside the page. A lookalike, a hyphenated variant, an extra word, or a different top-level domain is the tell.
  • An unexpected "verify your account" or "session expired" prompt. A message that pushes you to log in right now, out of the blue, is engineered urgency. Real sessions do not usually expire by email.
  • A Cloudflare-style check that feels slightly off. A CAPTCHA or "verifying you are human" gate that appears before a login you reached from a link can be the anti-analysis screen in front of a BitM payload.
  • The login feels normal but you cannot remember why you are signing in. If the page is genuinely the real login but you did not initiate the action, the question is not whether the page is real. It is why you are there. That is the moment to close the tab and go to the site directly.
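As an added example (not SafeBrowz's own code), a small Python checker for the address-bar tell above: it judges only the host of the link, never anything drawn inside the page, with a constructed allow-list of official login domains standing in for a brand database and a deliberately naive last-two-labels domain split noted in the comments.

```python
from urllib.parse import urlsplit

# Constructed allow-list: the registrable domains each brand's real sign-in uses.
# A real brand database (SafeBrowz's is not public) would be far larger.
OFFICIAL_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "live.com"},
    "google": {"google.com"},
    "ledger": {"ledger.com"},
}


def registrable_domain(host):
    # Last two labels only. Fine for the .com hosts used here; a production
    # checker needs the Public Suffix List so that e.g. login.example.co.uk works.
    labels = host.split(".")
    return ".".join(labels[-2:])


def check_login_link(url, expected_brand):
    """Verdict for a link that asks you to sign in to expected_brand.
    Only the host that would appear in your own address bar is judged."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    reasons = []
    if parts.scheme != "https":
        reasons.append("not served over https")
    if not host.isascii():
        reasons.append("non-ASCII characters in host (possible homograph)")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("Punycode label in host (possible homograph)")
    base = registrable_domain(host)
    if base not in OFFICIAL_DOMAINS.get(expected_brand, set()):
        reasons.append(f"{host} is not an official {expected_brand} login domain")
        # Name the lookalike pattern when the brand string is embedded in the host:
        # hyphenated variant, extra word, brand used as a subdomain, or odd TLD.
        if expected_brand in host:
            reasons.append(f"brand name '{expected_brand}' embedded in a lookalike host")
    return {"host": host, "verdict": "block" if reasons else "allow", "reasons": reasons}
```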

What to do

  1. Never log in from a link. Type the address yourself, or use a saved bookmark. This single habit neutralizes BitM, AiTM and BitB at once, because all three depend on getting you onto an attacker-controlled URL. The login page can be perfect; it still cannot hurt you if you never go there.
  2. Move to phishing-resistant FIDO2 passkeys or a hardware security key. This is the defense that holds even against a flawless BitM page. A passkey or a key like a YubiKey signs a challenge that is cryptographically bound to the real site's origin. When the attacker relays the login through their own origin, that binding fails, and the second factor simply will not complete. SMS, authenticator codes and push approvals do not have this binding, which is why BitM defeats them.
  3. If you suspect you were caught, kill your sessions. Change your password from a device you trust, then sign out of all active sessions in your account security settings. Revoking the session is what actually locks the attacker out, because the stolen cookie is what they hold. Re-enrolling MFA and reviewing recent sign-in activity comes next. See what to do right after a scam for the full sequence.
  4. Check the link before you ever reach the page. A browser-layer scanner that flags the lookalike delivery URL stops the BitM session from loading at all. That is the layer where this attack is beatable.

How to report it

  • Forward the lure to your provider. Microsoft phishing reports go to [email protected], and Google has a report-phishing option in Gmail. Reporting the lure helps providers blocklist the campaign's hostnames.
  • Tell your IT or security team immediately if it is a work account. A stolen Microsoft 365 or Google Workspace session can be used for fraud against your whole organization. Fast session revocation by an admin limits the damage.
  • In the US, report to the FBI Internet Crime Complaint Center at ic3.gov and to the FTC at reportfraud.ftc.gov if you lost money or account access. In the UK, report phishing to Action Fraud and forward suspicious emails to [email protected].
  • Report the phishing URL. Submit the lookalike address to Google Safe Browsing and PhishTank so the next person who gets the same link is warned.

How SafeBrowz blocks this threat

SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI.

  • Layer 1 - Local detection: 60+ URL pattern signatures plus a 550+ brand database (Microsoft, Google, Ledger and more included) plus homograph and Punycode checks, all running inside the extension before the page renders. It catches the lookalike delivery URL that a BitM attack depends on, where a non-official host serves a Microsoft- or Google-styled login.
  • Layer 2 - API checks: aggregates Google Safe Browsing, PhishTank, URLhaus and ScamAdviser feeds plus 30+ scam TLD lists to flag hostnames already known to be malicious, which covers Bluekit campaign domains as they get reported.
  • Layer 3 - AI deep scan (Premium): 100+ language content analysis flags a brand-new phishing delivery page in seconds, including a fresh lure URL fronting a Cloudflare-style CAPTCHA gate before a streamed login.

Honest scope: SafeBrowz catches BitM at the delivery layer, the lookalike URL you click, and flags it before the streamed login session ever loads. What it cannot do is undo a session you have already handed over by completing a login on an attacker-controlled URL, because that session cookie now lives in their browser. The browser-layer block is the prevention; pair it with phishing-resistant passkeys so even a missed page cannot complete the second factor. If you think you were caught, revoke your sessions and change your password now.

Detection signatures are derived from threat-intelligence research and our internal brand database, not from user browsing data. SafeBrowz does not store per-user browsing history.

Where browser-layer defense fits

A BitM page is the hardest kind of phishing to spot once you are on it, because it is the real login page. The whole game, then, is the moment before. The lure URL is the only fake thing in the attack, and it is checkable. A brand-aware scanner that reads the destination before it renders flags a Microsoft- or Google-styled login on a non-official host and stops you there. SafeBrowz is a free extension for Chrome, Firefox and Edge (Safari coming soon), plus a live SafeBrowz Android app, that checks every URL before it renders against a 550+ brand database, with 60+ URL pattern signatures and optional AI deep scan. Learn how to tell if a website is a scam, see how to spot a Microsoft phishing email, install SafeBrowz, and back it with the rule that beats this whole category: never log in from a link, and use a passkey.

Install SafeBrowz free

Add the browser extension, or the SafeBrowz Android app, that runs every check in this article automatically, on every page, before it renders. It flags the lookalike login link a Browser-in-the-Middle attack depends on, before the streamed session can load. Free forever, with optional Premium AI deep scan at $14.99 per year.



Frequently asked questions

What is Browser-in-the-Middle (BitM) phishing?

Browser-in-the-Middle is a phishing technique where the attacker streams a real login page to you from a browser they control, instead of showing you a cloned copy. When you click the lure link, their server opens the genuine login at the real brand in a headless browser and relays that live page to your screen using rrweb DOM serialization over a WebSocket. You type your password and complete MFA against the real site, but inside the attacker's browser, so they keep the authenticated session cookie. The kit Bluekit, reported by BleepingComputer and Netcraft in June 2026, automates this at scale.

How does BitM defeat multi-factor authentication?

Because you complete the real MFA challenge inside the attacker's browser. The attacker's headless browser is the one talking to the real site, so when you enter your SMS code, authenticator code or push approval, the real site authenticates the attacker's browser. The resulting session cookie lives with the attacker, and a valid session does not prompt for a second factor again. SMS, authenticator apps and push approvals all fall this way. Phishing-resistant FIDO2 passkeys and hardware security keys resist it because their signature is cryptographically bound to the real site's origin, which the attacker's relayed origin cannot match.

How is BitM different from BitB and AiTM?

They are three different MFA-defeating techniques. Browser-in-the-Browser (BitB) draws a fake popup sign-in window inside the phishing page using HTML and CSS, faking the address bar. Adversary-in-the-Middle (AiTM) runs a reverse proxy that relays your network traffic to the real site and harvests the session cookie in transit. Browser-in-the-Middle (BitM) streams a real, attacker-controlled remote browser session to you over a WebSocket. All three end with the attacker holding your session, but BitB fakes the window, AiTM proxies the traffic, and BitM streams the rendered browser.

What is Bluekit?

Bluekit is a phishing-as-a-service kit reported by BleepingComputer and Netcraft in late June 2026 that builds Browser-in-the-Middle attacks for its customers. It was seen with around 70 live hostnames in a single week and roughly 40 brand templates for targets like Microsoft 365, Google and crypto wallets such as Ledger. It adds anti-analysis features: randomized CSS to defeat screenshot detection, a custom Cloudflare-imitation CAPTCHA, WebRTC-based VPN and proxy detection to dodge researchers, and a multi-LLM AI assistant that drafts the phishing emails.

Do passkeys actually stop Browser-in-the-Middle attacks?

Yes, this is the defense that holds. A FIDO2 passkey or hardware security key signs an authentication challenge that is bound to the exact origin of the real website. In a BitM attack the login is relayed through the attacker's origin, so that binding fails and the passkey simply will not complete the sign-in. SMS codes, authenticator codes and push approvals have no origin binding, so they pass through to the real site and get captured. Combine passkeys with never logging in from a link, and BitM has nothing to work with.
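To make the origin binding concrete, here is an added example (not code from Bluekit, rrweb, SafeBrowz or any FIDO library) that models the WebAuthn assertion ceremony described in step 2 of What to do and in this answer: the user's own browser fills in the origin, the authenticator signs over it, and the site checks it. The hosts login.example.com and login-example.com are constructed, and an HMAC stands in for the authenticator's private-key signature.

```python
import hashlib, hmac, json, os
# Constructed names: the genuine site and the attacker's lookalike host.
REAL_RP_ID, REAL_ORIGIN = "login.example.com", "https://login.example.com"
LURE_ORIGIN = "https://login-example.com"

# The passkey: one secret per rpId. Stand-in: an HMAC keyed per site replaces
# the real private-key signature; the origin and rpId checks are the point.
PASSKEY = {REAL_RP_ID: os.urandom(32)}
SITE_STORED_KEY = PASSKEY[REAL_RP_ID]  # in reality the site stores a public key

def authenticator_sign(rp_id, client_data_hash):
    auth_data = hashlib.sha256(rp_id.encode()).digest()  # rpIdHash
    msg = auth_data + client_data_hash
    return auth_data, hmac.new(PASSKEY[rp_id], msg, "sha256").digest()

def client_data_json(challenge, origin):
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin}, sort_keys=True).encode()

def browser_get_assertion(page_origin, rp_id, challenge):
    # The user's own browser writes the origin into clientData; the page cannot
    # choose it, and rpId must equal the page's host or be a parent domain of it.
    host = page_origin.split("://", 1)[1]
    if host != rp_id and not host.endswith("." + rp_id):
        raise ValueError("rpId is not a registrable suffix of the page origin")
    client_data = client_data_json(challenge, page_origin)
    return (client_data, *authenticator_sign(rp_id, hashlib.sha256(client_data).digest()))

def site_verify(challenge, client_data, auth_data, sig):
    # The real site's checks, in WebAuthn order: origin, challenge, rpIdHash,
    # then the signature over authenticatorData || SHA-256(clientDataJSON).
    cd = json.loads(client_data)
    if cd.get("origin") != REAL_ORIGIN or cd.get("challenge") != challenge:
        return False
    if auth_data != hashlib.sha256(REAL_RP_ID.encode()).digest():
        return False
    msg = auth_data + hashlib.sha256(client_data).digest()
    return hmac.compare_digest(hmac.new(SITE_STORED_KEY, msg, "sha256").digest(), sig)

def legitimate_login(challenge="constructed-challenge-1"):
    return site_verify(challenge, *browser_get_assertion(REAL_ORIGIN, REAL_RP_ID, challenge))

def relayed_login(challenge="constructed-challenge-2"):
    # The lure page forwards the real site's challenge and asks the victim's own
    # browser to sign under the real rpId (the attacker's headless browser has no passkey).
    try:
        browser_get_assertion(LURE_ORIGIN, REAL_RP_ID, challenge)
        browser_refused = False
    except ValueError:
        browser_refused = True
    # Even a browser that skipped that check would sign LURE_ORIGIN into clientData.
    client_data = client_data_json(challenge, LURE_ORIGIN)
    auth_data, sig = authenticator_sign(REAL_RP_ID, hashlib.sha256(client_data).digest())
    return browser_refused, site_verify(challenge, client_data, auth_data, sig)
```

In the relayed case the browser refuses the request because the real rpId is not a parent of the lure host, and an assertion that carries the lure origin fails the site's origin check before the signature is even examined; an SMS or authenticator code has no such field for the site to compare.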

Bottom line: Browser-in-the-Middle phishing wins by showing you the real login page, so you cannot spot it by looking at the page. The Bluekit kit makes these attacks cheap and points them at Microsoft, Google and crypto logins, and any MFA you complete is captured along with your session. The two defenses that actually hold are never logging in from a link and using phishing-resistant passkeys. Keep SafeBrowz on your browser so the lookalike login link is flagged before the streamed session ever loads.