Mar 03, 2026 · 5 min read
This Phishing Tool Loads the Real Login Page—Then Steals Your Password and MFA Code
A new phishing platform called Starkiller proxies authentic login pages in real time, capturing everything you type, including your multi-factor authentication codes.
Most phishing attacks work by showing you a fake version of a login page. The fonts might be slightly off, the URL looks suspicious, and security tools can fingerprint the static HTML to block it. A new phishing-as-a-service platform called Starkiller throws all of that out the window. Instead of cloning login pages, it loads the real thing.
How Starkiller Works
Starkiller operates by spinning up a headless Chrome browser inside a Docker container on an attacker-controlled server. When a victim clicks a phishing link, the server loads the genuine login page from the real website, such as Microsoft 365 or Gmail, and serves it directly to the victim through a reverse proxy. Every element on the page is real because it is the real page.
The victim sees the correct logos, the right layout, and a valid HTTPS padlock, because the attacker's proxy domain presents its own legitimate certificate for the proxied content. When they enter their username, password, and MFA code, those credentials pass through the attacker's server on their way to the legitimate service. The attacker captures everything in transit: keystrokes, form submissions, session cookies, and authentication tokens.
Because the victim is actually authenticating with the real service through the proxy, the MFA code works. The attacker then uses the intercepted session tokens to take over the account without needing to reauthenticate.
Why Traditional Defenses Fail
Conventional phishing detection relies on identifying fake pages. Security tools scan for cloned HTML, mismatched certificates, and known phishing templates. Starkiller bypasses all of this because there are no template files to fingerprint or blocklist. The content is loaded dynamically from the real website each time.
The platform also uses a URL trick that exploits how browsers parse web addresses. A Starkiller phishing link might look like login.microsoft.com@malicious-server.ru. Most people see "login.microsoft.com" and trust it, but everything before the @ symbol in that part of a URL is userinfo, which the browser treats as a username rather than a destination. The actual destination is the domain after the @.
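As an added example (not code from the article or from the Starkiller research), a Python check that reports where a link really leads, using the standard library's URL parser. It covers the @ trick described above and, generalizing slightly beyond the article, a lookalike host that merely begins with the trusted name; the trusted-host allowlist is an assumption.

```python
from urllib.parse import urlsplit

def classify_login_url(url: str, trusted_hosts: list) -> dict:
    """Report where a link really points and why it may be misleading.

    Returns {"host": <what the browser connects to>, "trusted": bool, "warnings": [...]}.
    """
    # A bare "host@host" string with no scheme would parse as a path, so give it one.
    if "://" not in url:
        url = "https://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    warnings = []
    # RFC 3986 userinfo: everything between "//" and "@" is a username(:password),
    # never the destination. The real host is whatever follows the "@".
    if parts.username is not None:
        warnings.append(
            f"'{parts.username}' before '@' is a username, not the site; "
            f"the browser will connect to '{host}'")
    # Trusted only if the host IS a trusted name or a subdomain of one. A name that
    # merely begins with "login.microsoft.com." belongs to whoever owns the suffix.
    trusted = any(host == t or host.endswith("." + t) for t in trusted_hosts)
    if host and not trusted:
        warnings.append(f"'{host}' is not one of the expected login domains")
    return {"host": host, "trusted": trusted, "warnings": warnings}

if __name__ == "__main__":
    TRUSTED = ["login.microsoft.com", "accounts.google.com"]  # assumed allowlist
    for link in ["https://login.microsoft.com/",
                 "https://login.microsoft.com@malicious-server.ru/",   # the @ trick from the article
                 "login.microsoft.com:443@malicious-server.ru",         # same trick, no scheme
                 "https://login.microsoft.com.malicious-server.ru/"]:   # lookalike prefix
        r = classify_login_url(link, TRUSTED)
        print(link, "->", r["host"], "TRUSTED" if r["trusted"] else "SUSPICIOUS", r["warnings"])
```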
Phishing as a Service
Starkiller is operated by a threat group called Jinkusu and sold as a subscription service on the dark web. Buyers get access to a full management dashboard with campaign analytics showing visit counts, conversion rates, and performance graphs. The platform sends automated Telegram alerts when new credentials are captured and includes geo-tracking of targets.
Security researchers at Abnormal AI described the platform as "a significant escalation in phishing infrastructure, reflecting a broader trend toward commoditized, enterprise-style cybercrime tooling." The service even includes customer support and a user forum for deployment troubleshooting and feature requests.
What This Means for Your Accounts
The core problem is that SMS codes and authenticator app tokens were never designed to resist proxy attacks. When you type a six-digit code from your authenticator app, it proves only that you possess the code at that moment. It does not prove you are entering it on the correct website, because nothing in the code is tied to the site that receives it. A proxy sitting between you and the real site relays both sides of the conversation seamlessly.
This matters because most people assume MFA makes their accounts secure. Against traditional phishing, it usually does. Against a real-time proxy like Starkiller, it does not.
How to Protect Yourself
The most effective defense against proxy phishing is phishing-resistant authentication. Hardware security keys like YubiKeys and passkeys use cryptographic verification that is bound to the legitimate domain. If you try to authenticate through a proxy, the credential will not be used because the domain does not match, and any signed response would name the proxy's origin rather than the real site's. No code is transmitted, so there is nothing for the attacker to intercept and replay.
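An added model (not code from the article, from any authenticator vendor, or from the Starkiller research) of why the domain binding described above defeats a relay: the browser records the page's real origin in the signed client data, and the service rejects any assertion whose origin is not its own. The HMAC stands in for the authenticator's asymmetric signature, the RP ID and origin names reuse the article's example domains, and a real browser would already refuse to use a login.microsoft.com credential on a page served from another domain, so the server-side check shown here is the second line of defense.

```python
import base64, hashlib, hmac, json, os

RP_ID = "login.microsoft.com"            # relying party ID the key was registered for (article's example)
RP_ORIGIN = "https://" + RP_ID           # the only origin the service accepts

def b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).decode().rstrip("=")

def browser_get_assertion(cred_key: bytes, challenge: bytes, page_origin: str) -> dict:
    """Model of what the browser and authenticator return for navigator.credentials.get().
    The browser writes `origin` from the URL it actually loaded; page JavaScript cannot alter
    it. The authenticator signs rpIdHash || sha256(clientDataJSON), so the origin cannot be
    edited afterwards. HMAC stands in for the real asymmetric signature in this model."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": page_origin}, sort_keys=True).encode()
    auth_data = hashlib.sha256(RP_ID.encode()).digest()   # rpIdHash (flags/counter omitted)
    signed = auth_data + hashlib.sha256(client_data).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data,
            "signature": hmac.new(cred_key, signed, hashlib.sha256).digest()}

def rp_verify(cred_key: bytes, challenge: bytes, a: dict) -> str:
    """Relying-party checks in WebAuthn order; returns 'ok' or the name of the failing check."""
    cd = json.loads(a["clientDataJSON"])
    if cd.get("challenge") != b64url(challenge):
        return "challenge mismatch (replay)"
    if cd.get("origin") != RP_ORIGIN:
        return "origin mismatch: " + str(cd.get("origin"))
    if a["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    signed = a["authenticatorData"] + hashlib.sha256(a["clientDataJSON"]).digest()
    if not hmac.compare_digest(hmac.new(cred_key, signed, hashlib.sha256).digest(), a["signature"]):
        return "bad signature"
    return "ok"

def simulate() -> dict:
    key, challenge = os.urandom(32), os.urandom(32)   # registered credential, fresh challenge
    out = {}
    # 1. Direct login: the browser really is on the service's origin.
    out["direct"] = rp_verify(key, challenge, browser_get_assertion(key, challenge, RP_ORIGIN))
    # 2. Through a Starkiller-style proxy: the page content is genuine, but the address bar shows
    #    the proxy domain, and that is what the browser puts into clientDataJSON.
    relayed = browser_get_assertion(key, challenge, "https://malicious-server.ru")
    out["relayed"] = rp_verify(key, challenge, relayed)
    # 3. The proxy edits the origin before forwarding: the signed hash no longer matches.
    cd = json.loads(relayed["clientDataJSON"]); cd["origin"] = RP_ORIGIN
    forged = dict(relayed, clientDataJSON=json.dumps(cd, sort_keys=True).encode())
    out["forged"] = rp_verify(key, challenge, forged)
    return out

if __name__ == "__main__":
    print(simulate())   # direct -> ok, relayed -> origin mismatch, forged -> bad signature
```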
- Use passkeys or hardware security keys for any account that supports them, especially email, banking, and cloud services
- Use a password manager that auto-fills credentials only on the correct domain; it will refuse to fill on a proxied page with the wrong URL
- Never click login links from emails. Navigate directly to sites by typing the URL or using bookmarks
- Check the full URL carefully, watching for the @ symbol trick and unusual domain names after it
- Enable login notifications so you are alerted immediately if someone accesses your account from an unfamiliar device or location
The Bigger Picture
Starkiller is not an isolated tool. It represents a shift in how phishing infrastructure operates. The days of spotting a fake login page by looking for typos or design inconsistencies are ending. When the phishing page is the real page, the only reliable defense is authentication that cryptographically verifies you are on the right website.
If your accounts still rely on SMS codes or authenticator apps for MFA, consider switching to passkeys or hardware keys. The transition takes minutes for most services, and it is the single most effective step you can take against the next generation of phishing attacks.