
Defeating Starkiller: When MFA isn't enough against reverse proxy phishing

TabletopEx_Quinn 2/22/2026

Just caught the Krebs article on the 'Starkiller' PhaaS offering. It's essentially a streamlined version of reverse proxy attacks (like Evilginx2) that allows attackers to proxy legitimate login pages in real-time. The user interacts with the real site via the attacker's infrastructure, meaning all the HTML/JS is legitimate, making static analysis almost useless.

The core issue here is that this effectively neutralizes TOTP and SMS-based MFA. The attacker acts as a middleman, relaying credentials and the MFA code instantly to the legitimate service. Even worse, they can intercept session cookies or tokens (like PRT in Entra ID), allowing session persistence that bypasses subsequent MFA checks.

We've been pushing hard on FIDO2/WebAuthn hardware keys as the only true mitigation, but adoption is slow. In the meantime, we're relying heavily on Conditional Access policies.

Here is a snippet of a KQL query we use to hunt for suspicious sign-in patterns often associated with AiTM (like device ID changes with the same user):

SigninLogs
| where ResultType == 0                          // successful sign-ins only
| project TimeGenerated, UserPrincipalName, AppDisplayName, DeviceDetail, Location, AuthenticationRequirement
| extend DeviceId = tostring(DeviceDetail.deviceId)   // pull the device ID out of the dynamic column
| summarize count() by bin(TimeGenerated, 1h), UserPrincipalName, DeviceId
| where count_ > 10                              // threshold for rapid logins from one user/device pair
| order by TimeGenerated desc

How is everyone else handling this? Are you enforcing phishing-resistant MFA for admins, or do you rely on "Impossible Travel" and device compliance alerts?

CloudOps_Tyler 2/22/2026

We made the jump to FIDO2 for all privileged accounts last quarter. During our red team exercises, AiTM kits were bypassing our TOTP 100% of the time. The hardware keys stop it cold because the browser cryptographically validates the origin. If you can't do keys yet, enforce number matching in your Authenticator app—it adds friction that makes manual relay attacks harder.

PhishFighter_Amy 2/22/2026

From a SOC perspective, we're seeing a lot of these kits utilize residential IP proxies to bypass geo-fencing, so 'Impossible Travel' alerts are becoming less reliable. We've started looking more closely at user-agent strings and TLS fingerprinting (JA3). Often these kits use a default Python or Curl-based UA that stands out against normal browser traffic.
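As an added example (not code from anyone in this thread), the following Python scores constructed sign-in records for the indicators the posts above describe: a device ID change shortly after an MFA-satisfied sign-in, a non-browser user agent, and a JA3 fingerprint outside a known-browser baseline. The record field names, the JA3 baseline and the user-agent prefixes are assumptions, not the SigninLogs schema.

```python
"""Added example (not from the thread): score sign-in records for the AiTM indicators
the posts describe: a device ID change shortly after an MFA-satisfied sign-in, a
non-browser user agent, or a JA3 fingerprint outside the org's known-browser set.
Field names are assumptions, not the SigninLogs schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real telemetry).
SAMPLE_SIGNINS = [
    {"ts": "2026-02-22T09:00:00", "user": "alice@example.com", "device_id": "dev-A1",
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0", "ja3": "ja3-chrome-win", "mfa": True},
    # same user, minutes later: new device ID, scripted client, unknown TLS fingerprint, no fresh MFA
    {"ts": "2026-02-22T09:04:00", "user": "alice@example.com", "device_id": "dev-ZZ9",
     "ua": "python-requests/2.31", "ja3": "ja3-unknown-01", "mfa": False},
    {"ts": "2026-02-22T10:00:00", "user": "bob@example.com", "device_id": "dev-B7",
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/122.0", "ja3": "ja3-edge-win", "mfa": True},
    {"ts": "2026-02-22T10:30:00", "user": "bob@example.com", "device_id": "dev-B7",
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/122.0", "ja3": "ja3-edge-win", "mfa": False},
]

KNOWN_JA3 = {"ja3-chrome-win", "ja3-edge-win"}                   # assumed baseline of managed-browser fingerprints
NON_BROWSER_UA = ("python-requests", "curl/", "go-http-client")  # default UAs of scripted clients
WINDOW = timedelta(minutes=15)                                   # how soon after MFA a device change is suspicious

def find_aitm_candidates(records, known_ja3=KNOWN_JA3, window=WINDOW):
    """Return (user, timestamp, reasons) for sign-ins matching one or more AiTM indicators."""
    by_user = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["ts"]):
        by_user[rec["user"]].append(rec)
    findings = []
    for user, events in by_user.items():
        for i, cur in enumerate(events):
            reasons = []
            if cur["ua"].lower().startswith(NON_BROWSER_UA):
                reasons.append("non-browser user agent")
            if cur["ja3"] not in known_ja3:
                reasons.append("JA3 fingerprint not in known-browser set")
            t_cur = datetime.fromisoformat(cur["ts"])
            # An MFA-satisfied sign-in followed quickly by a different device ID with no
            # new MFA is the replayed-session shape a reverse proxy produces.
            for prev in events[:i]:
                recent = t_cur - datetime.fromisoformat(prev["ts"]) <= window
                if prev["mfa"] and not cur["mfa"] and prev["device_id"] != cur["device_id"] and recent:
                    reasons.append(f"device changed {prev['device_id']} -> {cur['device_id']} within window")
                    break
            if reasons:
                findings.append((user, cur["ts"], reasons))
    return findings
```

Running it on the sample flags only alice's second sign-in, with all three reasons; bob's later sign-in from the same device with a known fingerprint is left alone.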

HoneyPot_Hacker_Zara 2/22/2026

Good catch on the KQL. We also added a Conditional Access policy that requires 'Compliant Device' status for our most sensitive apps. Since most reverse proxies can't inject the necessary device compliance claims (Hybrid AAD Join cert), it blocks the session even if they get the password and MFA code.


Thread Stats: Created 2/22/2026, Last Active 2/22/2026, Replies 3, Views 70