CYBER

'Starkiller' PhaaS: The Sophisticated Phishing Service That Proxies Live Login Pages and Bypasses MFA

2 min read

A new and highly sophisticated phishing-as-a-service (PhaaS) platform, dubbed "Starkiller," is elevating the threat landscape by employing a cunning proxy-based attack method. Unlike traditional phishing kits that host static copies of login pages, Starkiller dynamically loads the *actual, live* login page of the target brand—such as Microsoft, Apple, or Google—directly from the legitimate domain. It then positions itself as a malicious man-in-the-middle, seamlessly relaying all data, including usernames, passwords, and crucially, multi-factor authentication (MFA) codes, between the victim and the real site. This technique not only creates a highly convincing phishing experience that can bypass user scrutiny but also successfully defeats one-time codes from authenticator apps or SMS, as the proxy submits them in real-time to complete the login on the genuine service.

The service democratizes advanced cybercrime by removing significant technical barriers. Aspiring phishers no longer need expertise in configuring servers, domains, SSL certificates, or proxy services. Through a user-friendly interface, Starkiller customers simply select a brand to impersonate. The platform then generates a deceptive URL that visually spoofs the legitimate domain while routing all traffic through the attacker's infrastructure. A common trick involves using the "@" symbol in the link (e.g., `login.microsoft.com@[malicious-domain].ru`). In a URL, everything in the authority part before the "@" is treated by browsers as user-info (a username, possibly with a password), not as the destination host, so the victim sees a familiar domain prefix while the browser actually connects to the attacker's server on a completely different domain, frequently under .ru or another unfamiliar top-level domain (TLD).
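The "@" trick can be checked mechanically on links extracted from mail. The following is an added example, not code from the article or from Abnormal AI: it resolves a link the way a browser does (user-info before the last "@" is never the destination), flags user-info that looks like a brand hostname, and also flags the related lookalike form where a brand host is merely a prefix of the real host. The protected-host list and sample links are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed list of brand login hosts this check protects (assumption, not from the article).
PROTECTED_HOSTS = {"login.microsoft.com", "accounts.google.com", "appleid.apple.com"}

# User-info that looks like a hostname: two or more dotted labels.
HOSTLIKE_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.IGNORECASE)


def effective_host(url):
    """Return (userinfo, host) as a browser resolves them: everything in the
    authority before the LAST '@' is user-info; only the remainder is the host."""
    parts = urlsplit(url)
    userinfo = parts.netloc.rpartition("@")[0]
    return userinfo, (parts.hostname or "").lower()


def classify(url):
    """Classify one link. 'userinfo-spoof' is the Starkiller-style '@' trick."""
    userinfo, host = effective_host(url)
    if userinfo:
        # Drop a ':password' part so 'login.microsoft.com:443@evil' is still caught.
        user = userinfo.split(":", 1)[0].lower()
        if user in PROTECTED_HOSTS or HOSTLIKE_RE.match(user):
            return "userinfo-spoof"
        return "userinfo-present"
    if host in PROTECTED_HOSTS:
        return "trusted-host"
    # Brand host used as a prefix of an attacker-controlled host, e.g. brand.example.ru.
    if any(host.startswith(b + ".") for b in PROTECTED_HOSTS):
        return "lookalike-host"
    return "unknown-host"


def scan_links(urls):
    """Map each link to its verdict; callers can quarantine anything marked *-spoof/lookalike."""
    return {u: classify(u) for u in urls}


if __name__ == "__main__":
    # Constructed sample links as they might be extracted from a phishing mail.
    sample = [
        "https://login.microsoft.com@phish-example.ru/common/oauth2",
        "https://login.microsoft.com:443@phish-example.ru/",
        "https://accounts.google.com.phish-example.ru/signin",
        "https://login.microsoft.com/",
    ]
    for link, verdict in scan_links(sample).items():
        print(f"{verdict:16} {link}")
```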

According to a detailed analysis by security firm Abnormal AI, Starkiller's operational model presents a formidable challenge for both users and automated detection systems. Because the final page presented to the victim is the authentic website, fetched live from the internet, traditional indicators like poor HTML quality or incorrect logos are absent. The service also integrates with various URL-shortening services to further obfuscate the final malicious destination. This proxying capability means that even security-conscious users who check for a valid HTTPS certificate and padlock will see one, because the attacker's domain carries its own legitimate certificate while the proxy fetches the content directly from the source; only the hostname shown in the address bar reveals that the connection is not to the real brand's domain.

The emergence of Starkiller signals a dangerous evolution in the phishing economy, moving from amateurish kits to professional, service-oriented platforms that lower the entry bar for high-impact attacks. Its ability to harvest MFA tokens in real-time is particularly alarming, as it nullifies a core defensive layer relied upon by millions of organizations and individuals. Defending against such threats requires a shift beyond user awareness to more robust technical controls. Organizations should implement phishing-resistant MFA methods, such as FIDO2/WebAuthn security keys, and employ advanced email security solutions that can analyze link behavior and proxy patterns. For individuals, vigilance remains key: carefully inspecting the *entire* URL in the address bar before entering credentials and being wary of login links in unsolicited communications are essential practices in an era where the phishing page you see may be disturbingly real.
