New “Starkiller” Phishing Kit Poses MFA Bypass Risk to Enterprises


What happened

Security researchers have uncovered a new phishing-as-a-service (PhaaS) toolkit called Starkiller that proxies real login pages and captures credentials, session tokens, and multifactor authentication (MFA) data in real time, enabling attackers to bypass MFA protections and gain access to accounts.

Who is affected

Organizations whose employees authenticate with MFA to web-based login portals for cloud services, including email, collaboration tools, and financial accounts, are at risk, as Starkiller can target any service where credentials and MFA responses are entered.

Why CISOs should care

MFA has been a cornerstone of identity security, but tools like Starkiller demonstrate that traditional MFA alone is no longer sufficient protection when attackers can capture and reuse authentication flows in real time. The platform is sold on dark web subscription models with updates, user interfaces and support, lowering the barrier to high-end phishing campaigns and potentially increasing the scale of attacks.

3 practical actions

  1. Enhance detection beyond MFA checks: Implement behavioral and identity-aware security monitoring that flags anomalies such as session token reuse, impossible travel, or unusual device patterns, not just whether MFA was completed.
  2. Educate and test users regularly: Phishing remains the primary distribution vector for kits like Starkiller. Run frequent training and simulated campaigns to reinforce identification of deceptive URLs and phishing indicators.
  3. Adopt phishing-resistant authentication: Where possible, deploy MFA methods that are resistant to real-time phishing (such as hardware tokens or FIDO2/WebAuthn) and tighten conditional access policies to include context like location and device health.
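As an added example, not taken from the original brief or from any Starkiller analysis, the following detection pass runs over constructed identity-provider sign-in records and implements two of the anomalies named in action 1: impossible travel between consecutive sign-ins and reuse of one session identifier from a new IP address or device. The 900 km/h speed threshold, the one-hour reuse window and the record layout are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

@dataclass
class SignIn:
    ts: datetime
    user: str
    session_id: str  # opaque identifier of the issued session, never the token secret
    ip: str
    device: str      # device fingerprint or user-agent hash from the IdP log
    lat: float
    lon: float
MAX_SPEED_KMH = 900.0              # assumed: faster than a commercial flight is implausible
REUSE_WINDOW = timedelta(hours=1)  # assumed: how long a token seen from a new origin stays suspicious

def haversine_km(a: SignIn, b: SignIn) -> float:
    la1, lo1, la2, lo2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def detect_anomalies(events: list[SignIn]) -> list[tuple[str, str, str]]:
    # Returns (rule, user, session_id) alerts for sign-ins that all already passed MFA.
    alerts = []
    last_by_user: dict[str, SignIn] = {}
    last_by_session: dict[str, SignIn] = {}
    for e in sorted(events, key=lambda x: x.ts):
        prev = last_by_user.get(e.user)
        if prev is not None:
            hours = (e.ts - prev.ts).total_seconds() / 3600
            km = haversine_km(prev, e)
            # Impossible travel: the distance could not be covered in the elapsed time.
            if km > 0 and (hours == 0 or km / hours > MAX_SPEED_KMH):
                alerts.append(("impossible_travel", e.user, e.session_id))
        s = last_by_session.get(e.session_id)
        # Session reuse: the same session resurfaces from a new IP or device soon after
        # issue, consistent with a replayed proxy-captured cookie rather than a fresh login.
        if s is not None and e.ts - s.ts <= REUSE_WINDOW and (s.ip != e.ip or s.device != e.device):
            alerts.append(("session_reuse", e.user, e.session_id))
        last_by_user[e.user] = e
        last_by_session[e.session_id] = e
    return alerts

# Constructed sample log: alice's session reappears from another continent 20 minutes later.
SAMPLE = [
    SignIn(datetime(2024, 5, 1, 9, 0), "alice", "sess-1", "203.0.113.10", "dev-a", 52.52, 13.40),   # Berlin
    SignIn(datetime(2024, 5, 1, 9, 20), "alice", "sess-1", "198.51.100.7", "dev-b", 40.71, -74.01), # New York
    SignIn(datetime(2024, 5, 1, 10, 0), "bob", "sess-2", "203.0.113.20", "dev-c", 48.86, 2.35),     # Paris
    SignIn(datetime(2024, 5, 1, 18, 0), "bob", "sess-3", "203.0.113.21", "dev-c", 51.51, -0.13),    # London
]
```

Running `detect_anomalies(SAMPLE)` flags alice twice (impossible travel and session reuse) and bob not at all, because his Paris-to-London hop is plausible and each of his sessions stays on one device and address.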