Netcraft: Bluekit PhaaS uses Browser-in-the-Middle to defeat FIDO2 and Device Bound Session Credentials
From CTI Daily Brief — 2026-06-28 · published 2026-06-28
Netcraft published a technical breakdown (2026-06-25) of Bluekit, a phishing-as-a-service platform first documented by Varonis Threat Labs (2026-04-29) and now seen by Netcraft at scale (~70 active hostnames in a single week) (Netcraft, 2026-06-25; Varonis, 2026-04-29).

Bluekit's distinguishing technique is Browser-in-the-Middle (BitM). Instead of proxying the victim's HTTP traffic the way Evilginx-style AiTM kits do (which leaves session-fingerprint mismatches), it runs a real automated browser on attacker infrastructure and streams that browser's live DOM to the victim over a WebSocket, using the open-source rrweb DOM-serialisation library. The victim's keystrokes and clicks are relayed into the attacker's browser and executed against the genuine site, so the session is created in, and owned by, the attacker's browser from the start. That is why Device Bound Session Credentials (DBSC, which bind tokens to the legitimate device's keys) provide no protection, and why FIDO2/WebAuthn is bypassed: the attacker's browser completes the relying-party challenge on the victim's behalf.

Anti-analysis: per-load randomised CSS filter values to defeat screenshot pixel-hashing; rotating obfuscated JS bundles of over 1 MB; a brand-impersonating CAPTCHA; and WebRTC IP-mismatch checks to spot analysts behind proxies.

Detection concepts: rrweb present outside legitimate analytics tooling; WebSocket streams of binary/encrypted DOM diffs to unexpected origins; sub-second form-submission round-trip latency characteristic of the BitM relay; randomised CSS filter rules on the top-level HTML element.

Relevant because Microsoft 365 / Entra ID tenants, including Swiss and EU public-sector ones, are named targets, and BitM undermines the assumption that "phishing-resistant MFA solves this".
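A small triage script for three of the detection concepts above (rrweb presence, WebSocket connections to an origin other than the page's own, and root-element CSS filter values that change between loads of the same URL). It is added here as an example and is not Netcraft's or Bluekit's code; the URL, page captures, WebSocket list and heuristic regexes are all constructed for the example.

```python
import re
from urllib.parse import urlparse

# Heuristic patterns written for this example; they are not Netcraft's detection rules.
RRWEB_RE = re.compile(r"\brrweb\b|rrwebRecord|rrwebReplay", re.I)
# A stylesheet rule on the html or body selector that sets a CSS filter.
ROOT_FILTER_RE = re.compile(r"(?<![\w.#-])(html|body)\s*\{[^}]*?filter\s*:\s*([^;}]+)", re.I | re.S)
# The same thing set via an inline style attribute on <html> or <body>.
INLINE_FILTER_RE = re.compile(r'<(?:html|body)[^>]*\bstyle="[^"]*?filter\s*:\s*([^;"]+)', re.I)


def root_filter_values(html: str) -> list[str]:
    """Filter values applied to the top-level html/body element in one page load."""
    values = [m.group(2).strip() for m in ROOT_FILTER_RE.finditer(html)]
    values += [v.strip() for v in INLINE_FILTER_RE.findall(html)]
    return values


def analyse(page_url: str, loads: list[str], ws_urls: list[str]) -> list[str]:
    """Return BitM indicators found across repeated loads of one page.

    loads   -- HTML captured on each load of the same URL (two or more to spot variation)
    ws_urls -- WebSocket endpoints the page opened, e.g. taken from a sandbox network log
    """
    page_host = urlparse(page_url).hostname
    findings = []
    if any(RRWEB_RE.search(html) for html in loads):
        findings.append("rrweb-present")
    foreign = sorted({u for u in ws_urls if urlparse(u).hostname != page_host})
    if foreign:
        findings.append("websocket-to-foreign-origin:" + ",".join(foreign))
    # Filter values that differ between loads are the per-load randomisation described above.
    per_load = [tuple(root_filter_values(html)) for html in loads]
    if any(per_load) and len(set(per_load)) > 1:
        findings.append("root-css-filter-varies-per-load")
    return findings


# Constructed sample data (not real Bluekit artefacts): two loads of the same lure URL.
SAMPLE_URL = "https://login-example.invalid/"
LOAD_1 = ('<html><head><style>html{filter:contrast(101.3%) brightness(99.7%)}</style>'
          '<script src="/static/rrweb.min.js"></script></head><body></body></html>')
LOAD_2 = ('<html><head><style>html{filter:contrast(100.8%) brightness(100.2%)}</style>'
          '<script src="/static/rrweb.min.js"></script></head><body></body></html>')
WS_SEEN = ["wss://relay-example.invalid/stream", "wss://login-example.invalid/ws"]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_URL, [LOAD_1, LOAD_2], WS_SEEN):
        print(finding)
```

A single capture can only surface the rrweb and foreign-WebSocket indicators; the filter-variation check needs at least two loads of the same URL.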