Brunswick, ME • (207) 245-1010 • contact@johnzblack.com
“We have MFA.” Great. “We scan attachments.” Also great. Both are getting beaten right now by techniques that aren’t even bugs. They’re design limitations.
Starkiller is a phishing-as-a-service platform running Adversary-in-the-Middle attacks. It doesn’t harvest credentials like old-school phishing. Instead, it sits between you and the real login page, proxying the entire session in real time. You see the legit site. You enter your password. You complete MFA. Everything works perfectly. And the attacker captures your authenticated session token after you’ve done all the hard work for them.
Your MFA worked. Authentication succeeded. The attacker still wins.
TOTP codes, SMS, push notifications. None of them protect against this. They verify you have the second factor. They don’t verify that your session isn’t being relayed through an attacker’s server.
What actually stops it? FIDO2 and passkeys. They use cryptographic keys bound to the specific domain you’re authenticating to, and the browser only offers a key when the page you’re actually on matches that domain, so a login relayed through a look-alike domain never produces a valid signature. An AiTM proxy can’t satisfy the domain check. The attack breaks. For privileged access and anything touching sensitive data, the upgrade path is FIDO2. Standard MFA is still better than nothing for everyday accounts. But “we have MFA” isn’t the full answer anymore.
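To make the domain check concrete, here is an added example (not code from the original post or from any FIDO2 library) that models the three parties in a WebAuthn login: the authenticator, the browser, and the relying party. It simplifies in two ways that are assumptions of this model: an HMAC key stands in for the credential’s private key (real FIDO2 uses a public-key signature, so the server never holds a secret), and the domain names `login.example.com` and `login.example.net` are constructed placeholders for the real site and a relaying proxy.

```python
import hashlib
import hmac
import json
import secrets

CEREMONY = "webauthn.get"


class Authenticator:
    """Model of a FIDO2 authenticator. Credentials are keyed by RP ID and the
    device signs only for the RP ID the browser hands it. The HMAC key is a
    stand-in for the credential's private key (simplification)."""

    def __init__(self):
        self._credentials = {}

    def register(self, rp_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self._credentials[rp_id] = key
        return key

    def get_assertion(self, rp_id: str, client_data_hash: bytes):
        key = self._credentials.get(rp_id)
        if key is None:
            return None  # no credential scoped to this RP ID
        # authenticatorData = SHA-256(rpId) || flags (user present) || sign counter
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
        signature = hmac.new(key, auth_data + client_data_hash, hashlib.sha256).digest()
        return auth_data, signature


def host_of(origin: str) -> str:
    return origin.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]


def browser_get(authenticator, page_origin, requested_rp_id, challenge):
    """Model of navigator.credentials.get(). Page JavaScript cannot override
    either check: the RP ID must match the origin the user is really on, and
    that real origin is what gets written into clientDataJSON."""
    host = host_of(page_origin)
    if host != requested_rp_id and not host.endswith("." + requested_rp_id):
        return None  # browser raises SecurityError: RP ID not valid for this origin
    client_data = json.dumps(
        {"type": CEREMONY, "challenge": challenge, "origin": page_origin},
        separators=(",", ":"),
    ).encode()
    result = authenticator.get_assertion(requested_rp_id, hashlib.sha256(client_data).digest())
    if result is None:
        return None
    auth_data, signature = result
    return {"client_data": client_data, "auth_data": auth_data, "signature": signature}


class RelyingParty:
    """Server side: the WebAuthn assertion checks, in order."""

    def __init__(self, origin: str, rp_id: str):
        self.origin, self.rp_id = origin, rp_id
        self.keys, self.challenges = {}, set()

    def new_challenge(self) -> str:
        challenge = secrets.token_urlsafe(32)
        self.challenges.add(challenge)
        return challenge

    def verify(self, user: str, assertion) -> tuple:
        if assertion is None:
            return False, "browser or authenticator refused the request"
        cd = json.loads(assertion["client_data"])
        if cd.get("type") != CEREMONY:
            return False, "wrong ceremony type"
        if cd.get("challenge") not in self.challenges:
            return False, "unknown or replayed challenge"
        if cd.get("origin") != self.origin:
            return False, f"origin mismatch: {cd.get('origin')}"
        if assertion["auth_data"][:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return False, "rpIdHash mismatch"
        signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
        expected = hmac.new(self.keys[user], signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return False, "bad signature"
        self.challenges.discard(cd["challenge"])
        return True, "ok"


def demo() -> dict:
    rp = RelyingParty("https://login.example.com", "login.example.com")  # constructed
    authenticator = Authenticator()
    rp.keys["alice"] = authenticator.register(rp.rp_id)
    # Direct login: the user is on the real site.
    direct = rp.verify("alice", browser_get(authenticator, rp.origin, rp.rp_id, rp.new_challenge()))
    # Relayed login: the real site's request is forwarded unchanged, but the
    # user's browser is on the proxy's origin (constructed placeholder).
    proxy = "https://login.example.net"
    passthrough = rp.verify("alice", browser_get(authenticator, proxy, rp.rp_id, rp.new_challenge()))
    # Even if the request named the proxy's own host as RP ID, the authenticator
    # holds no credential for it.
    rewritten = rp.verify("alice", browser_get(authenticator, proxy, host_of(proxy), rp.new_challenge()))
    return {"direct": direct, "relayed_passthrough": passthrough, "relayed_rewritten": rewritten}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'} ({reason})")
```

The relayed attempts fail before the server ever sees a signature, which is the point: the user’s password and second factor never enter the picture because no assertion exists for the proxy’s domain. The `origin` and `rpIdHash` checks in `verify` are the server-side backstop for the same property.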
Then there’s Zombie ZIP. CVE-2026-0866. It exploits the fact that different ZIP parsers read archive files differently. Craft a ZIP file a certain way and your security scanner sees an empty archive. Flags it clean. Passes it through. But when the OS or email client opens that same file with its own parser, the malware’s right there.
This is confirmed in the wild. BleepingComputer and SANS both validated it independently.
Contact your email security and endpoint vendors. Ask them specifically whether they’ve addressed CVE-2026-0866 in their archive parsing. If they haven’t, that’s a problem you need to know about.
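While waiting on vendor answers, a check you can run on your own pipeline is a consistency test between the two ways a ZIP can be read: by walking the local file headers from the front, or by trusting the central directory at the end. The script below is an added example, not code from the original post and not a reproduction of CVE-2026-0866 (the page gives no details of that crafting, and none are assumed here). It flags any archive where the two views disagree, using Python’s own `zipfile` for the directory-driven view and a signature scan for the header-walking view; the sample archives it builds are constructed inline.

```python
import io
import struct
import zipfile

LOCAL_FILE_HEADER_SIG = b"PK\x03\x04"
LOCAL_FILE_HEADER_LEN = 30  # fixed part of the local file header


def local_header_offsets(data: bytes) -> list:
    """Offsets of every plausible local file header, found by scanning for the
    signature instead of trusting the central directory. A candidate is kept
    only if its variable-length fields fit inside the file. Compressed payloads
    can contain the 4-byte signature by chance, so a production validator
    should also sanity-check each candidate's remaining fields."""
    offsets = []
    pos = data.find(LOCAL_FILE_HEADER_SIG)
    while pos != -1:
        if pos + LOCAL_FILE_HEADER_LEN <= len(data):
            # header bytes 26..29: file name length, extra field length
            name_len, extra_len = struct.unpack_from("<HH", data, pos + 26)
            if pos + LOCAL_FILE_HEADER_LEN + name_len + extra_len <= len(data):
                offsets.append(pos)
        pos = data.find(LOCAL_FILE_HEADER_SIG, pos + 1)
    return offsets


def central_directory_offsets(data: bytes) -> list:
    """Local-header offsets the central directory claims exist: the view a
    scanner gets when it simply lists the archive."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [info.header_offset for info in zf.infolist()]


def check_archive(data: bytes) -> dict:
    """Compare the two views and report any disagreement."""
    local = set(local_header_offsets(data))
    central = set(central_directory_offsets(data))
    return {
        "consistent": local == central,
        # entries a header-walking parser extracts but a directory-driven one never lists
        "orphan_local_headers": sorted(local - central),
        # directory entries pointing at something that is not a local header
        "dangling_central_entries": sorted(central - local),
    }


def make_zip(files: dict) -> bytes:
    """Build a small archive in memory (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    clean = make_zip({"readme.txt": b"constructed sample"})
    print("clean archive:", check_archive(clean))
    # Two well-formed archives glued together: the trailing end-of-central-directory
    # record describes only the second, so a directory-driven parser lists b.txt
    # alone while a header-walking parser also finds a.txt.
    merged = make_zip({"a.txt": b"first"}) + make_zip({"b.txt": b"second"})
    print("concatenated archive:", check_archive(merged))
```

Treat any non-empty `orphan_local_headers` or `dangling_central_entries` as a reason to quarantine the file rather than pass it on: it means at least two reasonable parsers will see different contents, which is exactly the condition a parser-differential bypass relies on.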
Neither of these bypasses is a zero-day you can patch in the traditional sense. Starkiller isn’t exploiting a bug in your MFA platform. Zombie ZIP isn’t a remote code execution flaw in your scanner. They’re working around the controls by design.
Security controls decay. The things that provide broad protection become exactly the things worth systematically circumventing. The answer isn’t to ditch MFA or stop scanning archives. It’s to upgrade: FIDO2 for high-risk access, verified parsers for attachments, and an honest look at whether the specific implementations you’re running still hold up.