
Meet Bluekit: The AI-Powered All-in-One Phishing Kit

Varonis Threat Labs analyzed Bluekit, a comprehensive Phishing-as-a-Service platform that consolidates domain management, site creation, credential harvesting, and session token theft into a single dashboard. Notably, the kit integrates an AI Assistant powered by uncensored LLMs to draft phishing lures and features advanced post-login session hijacking capabilities, including automated cookie dumping and live target monitoring to bypass standard MFA controls.

Confidence: high · Analyzed: 2026-04-29 · reports

Authors: Varonis Threat Labs

Actors: Bluekit operators

Source: Varonis

IOCs · 2
  • domain: bluekit[.]pk - Primary domain associated with the Bluekit PhaaS panel, observed in dashboard screenshots.
  • domain: demo[.]bluekit[.]pk - Subdomain used for site creation and demonstration within the Bluekit panel.

Detection / Hunter

What Happened

Security researchers have discovered a new, all-in-one phishing tool called Bluekit that makes it easier for cybercriminals to launch attacks. This tool provides everything a hacker needs in one place, including fake website templates for popular services like Microsoft, Google, and Apple, as well as an AI assistant to help write convincing scam emails. It is particularly dangerous because it can steal not just passwords, but also the special 'session cookies' used to bypass two-factor authentication. Organizations should ensure they are using strong, phishing-resistant authentication methods like security keys and train employees to recognize sophisticated email lures.

Key Takeaways

  • Bluekit is a comprehensive Phishing-as-a-Service (PhaaS) platform offering 40+ templates, automated domain management, and built-in evasion tools.
  • The kit features an integrated AI Assistant utilizing uncensored models (like an abliterated Llama 3 70B) to generate phishing campaign drafts and lures.
  • Post-compromise capabilities include session state tracking, live screen viewing, and automated dumping of cookies and local storage to bypass MFA.
  • Bluekit centralizes operations, using Telegram as the default exfiltration channel for captured credentials and session tokens.
  • The platform is in active development, frequently adding new templates (e.g., Gmail passkey) and evasion features to block security scanners.

Affected Systems

  • Microsoft 365
  • Google Workspace
  • Apple iCloud
  • GitHub
  • ProtonMail
  • Various consumer and enterprise web services

Attack Chain

Operators purchase or connect domains directly within the Bluekit panel and select a target template (e.g., Microsoft 365, Gmail). The kit deploys a phishing page with built-in anti-analysis controls to block proxies, VPNs, and headless browsers. When a victim interacts with the page, Bluekit captures their credentials and uses a reverse-proxy or similar mechanism to handle the post-login session, dumping cookies and local storage every 30 seconds. The stolen data and session tokens are then exfiltrated to the operator, typically via a configured Telegram bot.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article does not provide specific detection rules or queries.

Detection Engineering Assessment

  • EDR Visibility: Low — This is primarily a web-based threat targeting cloud identities and session tokens; EDR on the endpoint has limited visibility into the phishing infrastructure itself, though it might see the initial email or link click.
  • Network Visibility: Medium — Network tools can detect connections to known bad domains or anomalous traffic patterns associated with reverse-proxy phishing, but HTTPS encrypts the payload.
  • Detection Difficulty: Moderate — Detecting the infrastructure requires robust threat intelligence and analyzing identity logs for impossible travel or anomalous session cookie usage, as the kit actively blocks automated scanners and headless browsers.

Required Log Sources

  • Web Proxy Logs
  • DNS Logs
  • Cloud Identity Provider Logs (Azure AD, Google Workspace)
  • Email Gateway Logs

Hunting Hypotheses

  • Hypothesis: Look for anomalous session cookie usage where a session token is suddenly used from a new, unrecognized IP address or ASN shortly after initial authentication, indicating potential session hijacking via tools like Bluekit.
    Telemetry: Cloud IdP Logs · ATT&CK Stage: Credential Access · FP Risk: Medium
  • Hypothesis: Search for inbound emails containing QR codes (quishing) combined with urgent lures related to MFA re-verification or executive themes.
    Telemetry: Email Gateway Logs · ATT&CK Stage: Initial Access · FP Risk: Low
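The first hypothesis, run over constructed cloud IdP events, as an added example that is not part of the Varonis report or the Bluekit kit: a session token seen from a different ASN than its login ASN within a short window is flagged. The CSV schema, the 30-minute window and the ASN values are assumptions for illustration.

```python
"""Hunt for session tokens reused from a new ASN shortly after login.

Constructed example; the event schema (ts,user,session_id,ip,asn,event)
is an assumption, not the page's or any real IdP's log format.
"""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # "shortly after" threshold (assumption)

# Constructed sample events: one benign session (alice) and one session
# whose token is replayed from a different network 40 seconds after login (bob).
SAMPLE_LOG = [
    "2026-04-29T09:00:00Z,alice,s-1001,203.0.113.10,AS64500,login",
    "2026-04-29T09:05:00Z,alice,s-1001,203.0.113.10,AS64500,activity",
    "2026-04-29T09:10:00Z,bob,s-2002,198.51.100.7,AS64501,login",
    "2026-04-29T09:10:40Z,bob,s-2002,192.0.2.55,AS64502,activity",
    "2026-04-29T09:11:10Z,bob,s-2002,192.0.2.55,AS64502,activity",
]


def parse(line):
    """Split one CSV event into a dict with a timezone-aware timestamp."""
    ts, user, sid, ip, asn, event = line.strip().split(",")
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": user, "sid": sid, "ip": ip, "asn": asn, "event": event}


def find_hijacked_sessions(lines, window=WINDOW):
    """Return one alert per session whose token is used from an ASN other
    than the login ASN within `window` of the login event."""
    logins, alerted, alerts = {}, set(), []
    for ev in sorted((parse(l) for l in lines), key=lambda e: e["ts"]):
        if ev["event"] == "login":
            logins[ev["sid"]] = ev          # remember where the session began
            continue
        login = logins.get(ev["sid"])
        if login is None or ev["sid"] in alerted:
            continue                        # no login seen, or already reported
        if ev["asn"] != login["asn"] and ev["ts"] - login["ts"] <= window:
            alerted.add(ev["sid"])
            alerts.append({"user": ev["user"], "sid": ev["sid"],
                           "login_asn": login["asn"], "new_asn": ev["asn"],
                           "new_ip": ev["ip"],
                           "seconds_after_login": int((ev["ts"] - login["ts"]).total_seconds())})
    return alerts


if __name__ == "__main__":
    for a in find_hijacked_sessions(SAMPLE_LOG):
        print(f"possible session hijack: {a}")
```

Legitimate mobile users switching from Wi-Fi to cellular will also change ASN, which is why the page rates this hypothesis at medium false-positive risk; enriching with device or ASN reputation data before alerting keeps the noise down.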

Control Gaps

  • Standard MFA (SMS/Push) is vulnerable to session token theft via reverse-proxy phishing.
  • Automated web scanners and threat intel crawlers may be blocked by the kit's anti-headless and anti-proxy filters.

Key Behavioral Indicators

  • Rapid sequence of login followed by immediate session token extraction.
  • Connections to newly registered domains with Let's Encrypt certificates used for cloud service logins.

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Block known Bluekit domains (e.g., bluekit.pk) at the network perimeter and DNS level.
  • Search email gateways for recent campaigns utilizing QR codes for MFA re-verification.

Infrastructure Hardening

  • Implement Phishing-Resistant MFA (e.g., FIDO2/WebAuthn security keys) to mitigate the risk of reverse-proxy credential harvesting and session theft.
  • Configure conditional access policies to require re-authentication or block access from anomalous IP addresses and unmanaged devices.

User Protection

  • Deploy advanced email security solutions capable of analyzing QR codes and identifying AI-generated phishing lures.
  • Ensure endpoint browsers are updated and utilize safe browsing features.

Security Awareness

  • Train employees, especially executives, on the risks of 'quishing' (QR code phishing) and the signs of sophisticated MFA bypass attacks.
  • Instruct users to never scan work-related QR codes with personal devices unless explicitly verified by IT.

MITRE ATT&CK Mapping

  • T1583.008 - Acquire Infrastructure: Malicious Software
  • T1583.001 - Acquire Infrastructure: Domains
  • T1566.002 - Phishing: Spearphishing Link
  • T1111 - Two-Factor Authentication Interception
  • T1539 - Steal Web Session Cookie
  • T1562.001 - Impair Defenses: Disable or Modify Tools

Additional IOCs

  • Other:
    • failspy/Meta-Llama-3-70B-Instruct-abliterated-v3.5 - Specific uncensored AI model used by the kit's AI Assistant to generate phishing lures.