By NHI Mgmt Group Editorial Team
Published 2026-02-19
Domain: Governance & Risk
Source: Abnormal AI

TL;DR: Starkiller uses headless Chrome and live reverse proxying to present real login pages, capture OTPs and session cookies, and bypass MFA, while lowering the skill needed to run enterprise-style phishing, according to Abnormal AI. Static page fingerprinting and reputation filtering are no longer sufficient; defenders must instead detect anomalous logins, token reuse, and inbox behaviour.


At a glance

What this is: Starkiller is a commercial phishing platform that proxies live login pages to capture credentials, OTPs, and session cookies in real time.

Why it matters: IAM, NHI, and human identity teams now need to detect session abuse and inbox-driven delivery, not just block cloned pages or stolen passwords.

By the numbers:

👉 Read Abnormal AI's analysis of Starkiller's live proxy phishing infrastructure


Context

Starkiller shows how phishing has moved beyond static credential capture into live session theft. The core problem is not the fake login page itself, but the attacker-controlled relay that can forward a real authentication flow, collect one-time codes, and steal the resulting session.

For identity teams, that changes the control problem. Human MFA can still be working as designed while the attacker simply reuses the authenticated session, which means detection has to shift toward anomalous logins, session token reuse, and inbox behaviour that indicates the delivery channel is being weaponised.


Key questions

Q: How should security teams defend against phishing kits that proxy real login pages?

A: Treat the login page as the least reliable signal. Focus on session behaviour after authentication, especially token reuse from unusual locations, device drift, and follow-on mailbox activity. If a kit relays the real site, page fingerprinting and clone detection will miss the attack, so identity telemetry has to carry the detection burden.

Q: Why do phishing kits that capture OTPs still bypass MFA?

A: Because the attacker is not defeating the factor, they are relaying it in real time and stealing the resulting authenticated session. Once the cookie or token is issued, the attacker can reuse it without presenting the password or OTP again. MFA protects the authentication event, but not necessarily the post-authentication session.

Q: What breaks when organisations only rely on static phishing detection?

A: They miss live proxy attacks that deliver the real website content through attacker infrastructure. There is no fixed template to fingerprint, so blocklists and page similarity tools lose their main signal. The failure mode is a valid-looking page with malicious session handling behind it, which requires behavioural detection instead.

Q: Who is accountable when a stolen session is used for follow-on phishing?

A: Accountability sits across identity, messaging, and security operations. Identity teams own session controls and anomalous login detection, messaging teams own delivery-path abuse, and SOC teams own containment of reused tokens and mailbox compromise. A stolen session is not just a phishing issue, because it becomes an access and lateral-movement problem once it is reused.


Technical breakdown

Headless Chrome reverse proxying and live page relay

Starkiller replaces the static HTML clone with a headless Chrome browser inside a Docker container. The browser loads the real site, then relays the rendered page and user inputs through attacker-controlled infrastructure. That removes the brittle template layer many defenders rely on, because there is no fixed phishing page to fingerprint or compare against a blocklist. The architecture also means each victim sees current content from the legitimate site, so even small UI changes do not expose the fraud.

Practical implication: move detection toward session and identity telemetry instead of page fingerprinting and page similarity checks.

MFA bypass through real-time token capture and session hijacking

The attack succeeds because the target authenticates against the legitimate service in real time while the attacker sits in the middle. OTP codes, authentication tokens, and cookies pass through the proxy and are harvested for reuse, so the MFA factor is visible to the attacker at the moment it is validated. Once the session cookie is stolen, the attacker no longer needs the password or the second factor. The issue is not MFA weakness in isolation, but session continuity after authentication.

Practical implication: treat authenticated session reuse as a primary control point, and instrument session reuse and token replay as first-class detection signals.

URL masking, inbox delivery, and post-compromise expansion

Starkiller combines URL masking, brand impersonation, and automated infrastructure management to reduce operator skill requirements. The lure may arrive through email, and the platform can harvest inbox and contact data from compromised sessions for follow-on campaigns. That creates a compounding effect in which one successful compromise feeds the next wave of targeting, especially when defenders focus only on the initial link rather than the post-login behaviour.

Practical implication: correlate email telemetry with identity telemetry, so that a delivered lure and a stolen session are treated as one attack chain with a single response path.


Threat narrative

Attacker objective: The attacker wants authenticated access that survives MFA so they can take over accounts and use compromised inboxes to expand the campaign.

  1. Entry begins when a phishing email delivers a Starkiller link that impersonates a trusted brand and sends the victim into a live proxy session.
  2. Credential harvesting occurs in the real login flow, where the attacker captures the password, OTP, and session cookies as the target authenticates normally.
  3. Impact follows when the stolen authenticated session is reused for account takeover and downstream lateral phishing using harvested inbox contacts.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Static phishing detection is now a broken premise. Starkiller works because defenders have long assumed the malicious page is a static object that can be fingerprinted, compared, and blocklisted. Once the attacker proxies the real site live, that assumption fails because every victim sees current legitimate content rather than a template. The implication is that phishing defence must stop treating page appearance as the primary trust signal.

Session continuity has become the real control boundary. This platform shows that MFA can validate the user and still fail to protect the session that follows. The meaningful security question is no longer whether a factor was presented, but whether the resulting cookie or token can be replayed from a different context without detection. Practitioners should reframe identity defence around session integrity, not just authentication success.

Inbox behaviour is part of identity governance now. Starkiller’s delivery model uses email as the access path and harvested inboxes as expansion fuel, which means the email system becomes part of the identity attack surface. That collapses the old split between phishing prevention and access governance. Organisations that manage mail, login, and session telemetry separately will miss the compounded attack path.

Ephemeral session trust debt is the concept this threat exposes. Starkiller creates a short-lived but highly privileged trust window that exists only long enough for the attacker to capture and reuse the session. The debt is that enterprise controls often assume trust will be revoked through password change or MFA enforcement, when the real asset is the session artifact already issued. Practitioners should treat that trust window as a primary governance gap.

Human IAM and NHI governance are converging at the session layer. Although this attack targets humans, the same replay and token abuse patterns are already familiar in NHI incidents involving API keys and service account tokens. The field is moving toward one shared problem: any bearer artifact that can be reused outside its original context becomes a governance liability. Teams should align human and machine session controls under a single identity risk model.

From our research:

  • 57% of organisations lack a complete inventory of their machine identities, according to The Critical Gaps in Machine Identity Management report.
  • Another finding from the same research shows that 53% of organisations have experienced a security incident directly related to machine identity management failures.
  • For a broader breach lens on identity exposure patterns, see 52 NHI Breaches Analysis, which maps recurring access and token abuse failures across real incidents.

What this signals

Ephemeral session trust debt: Starkiller reinforces the idea that a stolen session is a high-value identity artifact, even when the password and MFA factor were both legitimate at login. Programmes that separate email security from identity analytics will under-detect that trust window.

The practical shift is toward shared telemetry across inbox, browser, and authentication layers. If your response model cannot see anomalous logins, token reuse, and message-driven delivery in one place, the attacker will keep the advantage after the user has already authenticated.

With 69% of organisations now having more machine identities than human ones, per The Critical Gaps in Machine Identity Management report, the same bearer-token logic that makes human session theft dangerous is already the dominant governance problem in machine access.


For practitioners

  • Instrument session replay detection: Correlate login success with subsequent token reuse, location change, and device drift so a valid authentication does not become a blind spot. Feed these signals into SIEM and identity analytics rather than relying only on conditional access outcomes.
  • Harden inbox-to-login attack paths: Treat email, identity, and browser telemetry as one chain. Flag brand-impersonation messages that lead to real login pages, especially when the sender pattern, URL structure, or recipient behaviour diverges from normal business communications.
  • Reduce trust in bearer sessions: Shorten the practical lifetime of sensitive sessions, require re-authentication for high-risk actions, and tie session validity to context changes that are difficult for a relay to preserve. That limits the value of a stolen cookie after the fact.
  • Test inbox-driven phishing resistance: Run exercises that start with email delivery and end with session reuse, not just credential entry. Measure how quickly defenders can identify anomalous logins, review token activity, and contain compromised inboxes before they are reused for follow-on targeting.
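The session-replay pattern described under "MFA bypass through real-time token capture and session hijacking" and the first practitioner item above, as an added detection example that is not code from Abnormal AI or NHI Mgmt Group. It assumes a normalised event stream with constructed fields (kind, session_id, user, ip, ua, country, ts) and flags a session presented from a context that differs from the login that issued it, or presented with no observed login at all.

```python
from dataclasses import dataclass, field

@dataclass
class Alert:
    session_id: str
    user: str
    reasons: list[str] = field(default_factory=list)

def detect_session_replay(events: list[dict], window_s: int = 3600) -> list[Alert]:
    """Flag sessions presented from a context different from the one they were issued in.
    Constructed event schema: kind is 'login_success' (the MFA-validated login that minted
    session_id) or 'session_use' (any request presenting it), plus user, ip, ua, country, ts."""
    issued: dict[str, dict] = {}  # session_id -> the login event that minted it
    alerts: list[Alert] = []
    for e in events:
        sid = e["session_id"]
        if e["kind"] == "login_success":
            issued[sid] = e
            continue
        ctx = issued.get(sid)
        if ctx is None:  # cookie presented without an observed login: captured elsewhere, or a logging gap
            alerts.append(Alert(sid, e["user"], ["session used without an observed login"]))
            continue
        reasons = []
        if e["ip"] != ctx["ip"]:
            reasons.append(f"ip drift {ctx['ip']} -> {e['ip']}")
        if e["ua"] != ctx["ua"]:
            reasons.append("user-agent drift")
        if e["country"] != ctx["country"] and e["ts"] - ctx["ts"] < window_s:
            reasons.append(f"country change {ctx['country']} -> {e['country']} within {window_s}s")
        # A lone IP change is routine on mobile networks; alert on a country change inside
        # the window or on two independent drift signals, so the rule stays tunable, not noisy.
        if any(r.startswith("country") for r in reasons) or len(reasons) >= 2:
            alerts.append(Alert(sid, ctx["user"], reasons))
    return alerts

def ev(kind, sid, user, ip, ua, country, ts):
    return dict(kind=kind, session_id=sid, user=user, ip=ip, ua=ua, country=country, ts=ts)

SAMPLE_EVENTS = [  # constructed for illustration; addresses are RFC 5737 documentation ranges
    ev("login_success", "s1", "alice", "203.0.113.10", "UA-A", "GB", 1000),
    ev("session_use", "s1", "alice", "203.0.113.10", "UA-A", "GB", 1300),
    ev("login_success", "s2", "bob", "198.51.100.7", "UA-B", "GB", 2000),  # MFA-validated, relayed login
    ev("session_use", "s2", "bob", "192.0.2.44", "UA-C", "NL", 2400),  # cookie replayed from another context
    ev("session_use", "s3", "carol", "192.0.2.45", "UA-D", "NL", 2500),  # no login observed for this session
]
```

Running detect_session_replay(SAMPLE_EVENTS) returns alerts for s2 (IP, user-agent and country drift) and s3 (no observed login) and nothing for alice, whose session stays in its issuing context.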

Key takeaways

  • Starkiller shows that phishing is no longer just a problem of fake pages, but of stolen authenticated sessions that survive MFA.
  • The scale problem is behavioural, not cosmetic: live proxying, token capture, and inbox harvesting defeat the controls many teams still depend on.
  • Defenders need to move from static page inspection to session integrity, login anomaly detection, and unified email-to-identity response.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-02 | Session replay and token theft mirror NHI bearer-artifact abuse patterns.
NIST CSF 2.0 | DE.CM-7 | Behavioural detection is central when static page checks fail.
NIST Zero Trust (SP 800-207) | PR.AC-7 | Continuous verification matters when authentication can be relayed live.

Treat reusable tokens as high-risk assets and monitor for replay outside the original context.


Key terms

  • Live proxy phishing: A phishing method that forwards a victim's login session through attacker-controlled infrastructure in real time. The target interacts with a legitimate site while the attacker captures credentials, MFA responses, cookies, and tokens, making the attack harder to detect than static page cloning.
  • Session replay: The reuse of an authenticated session artifact such as a cookie or token from a different device, location, or process than the one that created it. In identity governance, replay turns successful authentication into ongoing unauthorized access unless the session is bound to context and monitored.
  • Ephemeral session trust debt: The risk created when organisations assume a short-lived session is inherently safe, even though it can carry privileged access and be reused immediately after capture. The debt appears when controls focus on login success rather than the trust granted to the session artifact itself.
  • Inbox-to-identity attack chain: A chain in which email delivery leads directly to identity compromise and then to additional targeting from the compromised inbox. It matters because messaging security, authentication, and session governance become one threat surface rather than separate control domains.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or programme maturity, it is worth exploring.

This post draws on content published by Abnormal AI: Starkiller uses headless Chrome to proxy live login pages and bypass MFA. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-02-19.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org