Bluekit: New Phishing Kit With Built-In MFA Bypass #cybersecurity #phishing #mfa

A new phishing-as-a-service kit ships with an AI assistant, voice cloning, and a built-in MFA bypass. The kit, called Bluekit, lets buyers run AitM phishing with zero setup. Varonis Threat Labs got access to Bluekit's dashboard and published a breakdown this week. The kit comes with 40+ templates impersonating Gmail, Outlook, ProtonMail, iCloud, Apple ID, GitHub, Twitter, Zoho, Zara, and Ledger. Its phishing pages run as adversary-in-the-middle proxies — the victim's password and MFA code go through the proxy in real time, and the kit walks away with the post-login session cookie that the real service issues. App-based codes, SMS codes, and push notifications all get bypassed. The only MFA that resists this is hardware-backed: passkeys and security keys, which are tied to the real domain and refuse to authenticate against a lookalike. Varonis says the AI assistant — buyer's pick of Llama, GPT-4.1, Claude, Gemini, or DeepSeek — produced only campaign skeletons that would need cleanup before use; the more dangerous feature is the all-in-one packaging. Varonis says Bluekit appears to be under active development and is likely to surface in future campaigns; no live ones have been tied to it yet. Sources: https://www.varonis.com/blog/bluekit · https://www.bleepingcomputer.com/news/security/new-bluekit-phishing-service-includes-an-ai-assistant-40-templates/ More on cybersecurity, privacy, scams, and homelab on Hake Hardware. New shorts every weekday.