Over the past several years, the cybersecurity community has been repeating a single message:
Deploy Multi-Factor Authentication (MFA).
And for good reason. Password theft has been the single most common path into organizations for over a decade. MFA was supposed to close that door.
But a new wave of phishing tools, including kits like Starkiller, is now bypassing traditional MFA implementations entirely.
This shouldn't surprise anyone paying attention.
The uncomfortable truth is this:
We solved yesterday's problem and stopped moving forward.
Now attackers have caught up.
Phishing kits like Starkiller represent the industrialization of modern cybercrime.
These tools allow attackers to:
• Proxy login sessions
• Intercept authentication tokens
• Capture MFA approval sessions in real time
• Replay authenticated sessions after a user signs in
In simple terms, the attacker sits between the user and the login portal, capturing the authentication process as it happens.
The user believes they successfully logged in.
But so did the attacker.
This technique, often called Adversary-in-the-Middle (AiTM) phishing, renders many traditional MFA deployments ineffective.
And that exposes an uncomfortable gap in how many organizations implemented MFA in the first place.
Most companies deployed the easiest MFA available, not the most secure MFA available.
Push notifications.
SMS codes.
Authenticator apps.
These were major improvements over passwords alone. But they were never designed to stop modern phishing infrastructure.
Now the threat actors have caught up.
The next step is already well understood.
We just haven't deployed it widely yet.
Phishing-resistant MFA.
CISA, NIST, and nearly every modern security framework now recommend authentication methods that cannot be intercepted or replayed by phishing proxies.
These include:
• FIDO2 security keys
• Hardware authenticators
• Passkeys tied to device cryptography
• Platform biometrics tied to device trust
Unlike traditional MFA, these authentication methods rely on cryptographic challenges bound to a specific domain and device.
Even if an attacker proxies the login page, the authentication simply will not work.
The credential cannot be replayed.
The authentication cannot be redirected.
This is the direction identity security is moving, and organizations need to start planning that migration now.
The Starkiller conversation exposes another issue we don't talk about enough.
Many organizations still rely on employees to manage dozens, sometimes hundreds, of passwords manually.
That inevitably leads to:
• Password reuse
• Weak passwords
• Storing credentials in browsers
• Writing passwords down
• Credential reuse across personal and corporate accounts
Attackers know this. They harvest credentials from breaches and simply try them everywhere.
The answer here isn't complicated.
Organizations should be deploying enterprise password managers across their workforce.
When implemented properly, password managers:
• Generate strong unique credentials
• Prevent password reuse
• Reduce phishing success rates
• Improve credential hygiene across the organization
Password managers aren't glamorous security technology.
But they eliminate one of the most common weaknesses attackers exploit.
Technology alone will never solve the phishing problem.
Even the most advanced security controls still rely on one thing:
People recognizing when something isn't right.
Organizations should be investing in regular phishing simulation and training programs, not annual compliance videos.
The most effective programs combine:
• Ongoing phishing simulations
• Short targeted training modules
• Real-world examples of current attack campaigns
• Executive awareness briefings
The goal isn't perfection.
The goal is creating a workforce that pauses before clicking.
Because attackers only need one employee to get it wrong.
While identity attacks are dominating the headlines right now, several other security controls continue to be overlooked.
Many of the largest breaches over the past decade have originated from trusted vendors and suppliers.
Organizations need visibility into:
• Vendor security practices
• Software dependencies
• Managed service provider access
• API integrations and data sharing
Your security posture is only as strong as the weakest partner connected to your network.
Passkeys represent one of the most promising developments in identity security.
Built on FIDO standards, passkeys allow authentication using:
• Device biometrics
• Trusted hardware modules
• Cryptographic key pairs instead of passwords
The result is an authentication model that is inherently resistant to phishing and credential theft.
Adoption is still early, but the trajectory is clear.
Passwords are slowly being phased out.
As organizations shift to cloud applications and remote work, the traditional network perimeter continues to dissolve.
SASE architectures combine:
• Zero Trust access controls
• Secure web gateways
• Cloud firewall capabilities
• Identity-based access policies
Instead of trusting a network location, SASE trusts the identity of the user and the posture of the device.
This is becoming a critical component of modern security architecture.
Identity attacks like Starkiller are only one part of a much larger shift in the cyber threat landscape.
Organizations are simultaneously facing emerging risks from:
• AI-generated phishing and deepfakes
• Rapidly improving phishing automation
• Global geopolitical cyber conflict
• Exploding Internet of Things (IoT) attack surfaces
• Expanding 5G infrastructure
• The long-term implications of quantum computing
• Supply chain compromise campaigns
The threat environment is evolving quickly.
Defensive strategies need to evolve just as fast.
In military aviation, a strike package is a coordinated mission involving multiple aircraft performing different roles to achieve a single objective.
Cybersecurity works the same way.
No single control stops modern attacks.
But the combination of several well-implemented controls can dramatically reduce risk.
A modern defensive strike package should include:
• Phishing-resistant MFA
• Enterprise password managers
• Ongoing phishing awareness training
• Passkey and FIDO adoption planning
• Third-party risk management programs
• Identity-centric security architectures like SASE
None of these are theoretical.
The tools already exist.
The guidance already exists.
What remains is the hard part: actually deploying them.
Because the attackers are not slowing down.
And the next wave of phishing infrastructure is already being built.