What if MFA is no longer enough? The Starkiller question every firm should ask

Suppose your firm ticked every box on the Cyber Essentials checklist and mandated MFA across all 47 of your internal systems last year. Now suppose a 'Starkiller' proxy rendered that entire investment moot in 14 seconds. This is the reality of Adversary-in-the-Middle (AiTM) phishing—a subscription-based service that bypasses traditional 2FA by relaying live sessions.

That is not a hypothetical designed to frighten you. It is the logical implication of what adversary-in-the-middle phishing, now available as a subscription service, can already do.

What Starkiller actually is

Starkiller is a phishing-as-a-service platform marketed on the dark web. Analysis by Abnormal AI, corroborated by reporting from Krebs on Security, confirms its core mechanism: rather than serving a static clone of a login page, it uses Docker containers running headless Chrome to load the genuine website of the target brand in real time. Microsoft, Google, Apple. The page the victim sees is not a fake. It is the real thing, proxied through Starkiller's infrastructure.

When the victim enters their credentials, those credentials pass through the attacker's relay before reaching the legitimate site. The session is live. The OTP the victim types is captured and forwarded before it expires. The session cookie that results is harvested. The attacker has authenticated access before the victim has finished logging in.

This is not a new concept. Adversary-in-the-middle phishing using reverse proxies has existed in various forms for years. What Starkiller represents is the commoditisation of that technique: a subscription model, a control panel, URL masking, community support. The barrier to deploying a credential-harvesting operation that defeats time-based OTP codes is now a dark web subscription fee and a moderately competent operator.

The claimed success rate of 99.7% is marketing copy and should be treated accordingly. The underlying capability, however, has been independently verified through reverse engineering. That is the figure that matters.

What this means for the assumption that MFA is sufficient

Most firms that have invested seriously in cyber security over the past three years have treated MFA as a near-conclusive answer to credential compromise. That was always a simplification, but it was a defensible one while the attacks required meaningful technical sophistication. It is harder to defend now.

Time-based one-time passwords, the six-digit codes generated by an authenticator app, are relayable. They are valid for a short window, typically 30 seconds, but that window is long enough for an automated relay to forward them to the legitimate site and capture the resulting session token. What Starkiller and tools like it automate is precisely that race against the clock.

The authentication methods that resist this attack are hardware security keys operating under FIDO2 or WebAuthn protocols. A hardware key generates a cryptographic response that is bound to the legitimate domain. A proxy serving the real site from a different domain cannot replicate that binding. The authentication fails at source. For most law firms, however, FIDO2 keys are not yet standard issue. Authenticator apps are. That gap is now material.

Firms relying on SMS-based 2FA are in a worse position still. SMS codes are interchangeable with OTPs for these purposes and carry additional risks from SIM-swapping.

The legal exposure firms are not thinking about

Assume a partner at a mid-size firm clicks a convincing link, enters their Microsoft 365 credentials, types their OTP, and hands the attacker an authenticated session. The attacker accesses matter files, client correspondence, and a deal data room.

Under the UK GDPR and the Data Protection Act 2018, that is a personal data breach. The obligation to assess whether the breach is reportable to the ICO under Article 33 UK GDPR arises within 72 hours of becoming aware. The obligation to notify affected individuals arises if the breach is likely to result in a high risk to their rights and freedoms. Client confidential information in a data room almost certainly clears that threshold.

The SRA's cyber security guidance, while not prescriptive on specific technical controls, requires firms to have appropriate and proportionate measures in place. A firm that had been advised that authenticator-based MFA was insufficient against this class of attack, and had taken no steps to upgrade to phishing-resistant authentication, would face a harder conversation with the regulator following a breach.

There is also an angle that most firms will not have considered. Section 7 of the Proceeds of Crime Act 2002 and the Terrorism Act 2000 impose obligations that sit alongside ordinary breach reporting. If a firm becomes aware that client funds or transactions have been touched by what is, in substance, a fraud enabled by credential theft, the interaction with the National Crime Reporting to Police obligations and potential tipping-off risks requires immediate specialist advice. The pathway from a phished credential to a compromised client account is shorter than most finance teams appreciate.

The operators and users of Starkiller, for completeness, face serious criminal exposure under the Computer Misuse Act 1990: unauthorised access under section 1, and unauthorised acts causing impairment under section 3. The Fraud Act 2006 applies to the downstream use of harvested credentials. The NCA has pursued analogous PhaaS infrastructure before. That is cold comfort to the firm that has already been compromised.

What to do on Monday morning

The practical response is not complicated, but it does require someone with authority to act.

Start with an honest audit of your current MFA deployment. If your firm uses authenticator apps across Microsoft 365 and other critical systems, that is better than SMS, but it is not phishing-resistant. Document what you have. Understand what you are missing.

Consider whether FIDO2-compliant hardware keys are feasible for high-value roles first: partners, finance team members, anyone with access to client funds, data rooms, or sensitive matter files. The cost of a YubiKey is trivial against the cost of a notifiable breach and the associated regulatory correspondence.

Review your incident response plan against this specific scenario. Could your team detect an attacker operating inside a legitimate authenticated session? Session anomaly detection, conditional access policies that flag unusual login locations or device profiles, and behavioural monitoring are the defensive layer that sits above authentication.brief your partners. Not a lengthy written policy. A ten-minute conversation explaining that MFA is no longer a ceiling and that a convincing link can now defeat it. The human element remains the first line of defence, which means it needs to be informed.

Finally, check that your cyber insurance policy covers the scenario where credentials are compromised without a traditional malware infection. Some policies have been written narrowly. Now is the time to find that out.

The question is straightforward: does your firm's security posture rest on an assumption about MFA that is no longer safe to make? If the honest answer is yes, the response is an operational decision, not a theoretical one.