Okta Threat Intelligence exposes VoidProxy, a new PhaaS platform. Learn how this advanced service uses the Adversary-in-the-Middle technique to bypass MFA and how to protect yourself from attacks targeting Microsoft and Google accounts.
A new online fraud service, named VoidProxy, has been exposed by cybersecurity researchers at Okta Threat Intelligence. In a detailed report, dated September 11, 2025, and shared with Hackread.com, the team revealed that VoidProxy is a Phishing-as-a-Service (PhaaS), a platform that provides all the tools needed to launch cyberattacks.
The platform allows attackers to bypass common multi-factor authentication (MFA) methods, a security system that requires a code in addition to a password to prove your identity. The service uses a technique called Adversary-in-the-Middle (AitM) to intercept passwords, MFA codes, and other information in real time.
Understanding the Attack
Okta’s investigation revealed that an attack typically begins with a deceptive email sent from a compromised account at a legitimate Email Service Provider (ESP), e.g. Constant Contact, Active Campaign or NotifyVisitors, which helps it slip past spam filters. When a user clicks the link, they are taken to a website that is a perfect copy of a legitimate login page for services like Microsoft or Google.
Once the victim enters their login details and MFA codes, the VoidProxy system intercepts them. The platform then takes over the user’s session, stealing a crucial session cookie. It is worth noting that this cookie is what allows you to stay logged into an account. Once the attackers have a copy, they can bypass all security checks to access the account as if they were the legitimate user.
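One defender-side check for the stolen-cookie replay described above, as an added example that is not from Okta's report: flag any session whose cookie is later presented from a different network or browser than the one it was first seen on. The `Event` fields, the `find_session_reuse` helper and the sample events are all assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int            # seconds since epoch
    session_id: str    # opaque session identifier carried by the cookie
    user: str
    asn: int           # autonomous system number of the source IP
    user_agent: str


def find_session_reuse(events):
    """Return alerts for sessions seen from a context other than the issuing one.

    The earliest event per session is treated as the context the session was
    issued to. Any later event with a different ASN or User-Agent is reported
    once per distinct new context.
    """
    baseline = {}   # session_id -> (asn, user_agent) of the first event
    seen = set()    # (session_id, asn, user_agent) already alerted on
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        ctx = (ev.asn, ev.user_agent)
        first = baseline.setdefault(ev.session_id, ctx)
        if ctx == first or (ev.session_id, *ctx) in seen:
            continue
        seen.add((ev.session_id, *ctx))
        changed = [name for name, old, new in
                   (("asn", first[0], ctx[0]), ("user_agent", first[1], ctx[1]))
                   if old != new]
        alerts.append({"session_id": ev.session_id, "user": ev.user,
                       "ts": ev.ts, "changed": changed})
    return alerts


# Constructed sample events; ASNs come from the RFC 5398 documentation range.
SAMPLE = [
    Event(1000, "sess-A", "alice", 64496, "Mozilla/5.0 (Windows NT 10.0) Chrome/139"),
    Event(1060, "sess-A", "alice", 64496, "Mozilla/5.0 (Windows NT 10.0) Chrome/139"),
    Event(1100, "sess-B", "bob", 64500, "Mozilla/5.0 (Macintosh) Safari/605"),
    Event(1300, "sess-A", "alice", 64511, "Mozilla/5.0 (X11; Linux x86_64) Firefox/141"),
    Event(1400, "sess-A", "alice", 64511, "Mozilla/5.0 (X11; Linux x86_64) Firefox/141"),
]

if __name__ == "__main__":
    for alert in find_session_reuse(SAMPLE):
        print(alert)
```

A replay that presents the same ASN and User-Agent as the issuing context will not trip this check.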
Behind the Scenes of the Operation
Researchers found that VoidProxy is built on a clever two-part infrastructure designed to evade detection. It uses a disposable front-end and a resilient back-end, allowing criminals to quickly abandon parts that are discovered while their main system keeps running.
The platform also uses multiple layers of anti-analysis features, including compromised email accounts, redirects, and security checks like Cloudflare CAPTCHA, which make it difficult for security teams to track and have kept it hidden so far. Its admin panel lets criminals receive stolen information in real time, often via Telegram or other online services, which shows just how automated the operation is.
The platform was ultimately discovered when it failed to compromise a user protected by Okta’s phishing-resistant authenticator, Okta FastPass, which provided researchers with a key to unravelling the entire scheme.
“The best way to protect your users against threats like VoidProxy is to enrol in phishing-resistant authenticators,” advised Brett Winterford, Okta’s VP of Threat Intelligence. He explained that these special authenticators make it impossible for attackers to steal credentials, serving as the most effective defence against such advanced threats.