VoidProxy PhaaS Targets Microsoft 365 and Google Accounts in New Campaign

A Phishing-as-a-Service operation called VoidProxy uses advanced adversary-in-the-middle techniques to bypass traditional multi-factor authentication and steal session tokens from Microsoft 365 and Google accounts.

Okta has uncovered VoidProxy, a highly evasive new Phishing-as-a-Service platform that represents a major evolution in credential harvesting attacks.

This previously unreported service demonstrates the growing sophistication of cybercriminal operations and their ability to bypass modern security controls that organizations rely on to protect their digital assets.

VoidProxy operates as a mature, scalable platform that significantly lowers the technical barriers for threat actors to execute sophisticated phishing campaigns against enterprise accounts.

The service employs adversary-in-the-middle techniques to intercept authentication flows in real time, capturing not only usernames and passwords but also multi-factor authentication codes and the session tokens issued during legitimate sign-in processes.

Diagram illustrating an MFA bypass phishing attack flow involving a target, phishing server, legitimate service, and threat actor 

This capability allows VoidProxy to bypass several common MFA methods, including SMS codes and one-time passwords from authenticator applications.

The platform’s sophisticated approach poses a direct challenge to traditional email security and authentication controls that many organizations consider reliable defense mechanisms against credential theft.

The service targets both Microsoft 365 and Google accounts, with additional capabilities to redirect accounts protected by third-party single sign-on providers like Okta to secondary phishing pages.

This comprehensive targeting approach makes VoidProxy particularly dangerous for organizations using federated authentication systems.

Multi-Layered Evasion Techniques

VoidProxy has successfully evaded security analysis through multiple sophisticated anti-detection measures.

The platform employs compromised email accounts from legitimate Email Service Providers such as Constant Contact, Active Campaign, and NotifyVisitors to deliver initial phishing lures, leveraging these services’ reputation to bypass spam filters.

The attack infrastructure uses multiple redirect layers, beginning with URL shortening services like TinyURL, followed by redirection to first-stage landing sites hosted on low-cost, disposable domains under top-level domains such as .icu, .sbs, .cfd, .xyz, .top, and .home.

This strategy minimizes operational costs while allowing attackers to quickly abandon domains once they are identified and blocklisted.

A critical component of VoidProxy’s evasion strategy involves placing phishing sites behind Cloudflare infrastructure, effectively hiding the real IP addresses of malicious servers and making takedown efforts significantly more challenging for security teams.

Domain pattern for Microsoft phishing pages: login...

Before loading any phishing content, users encounter Cloudflare CAPTCHA challenges designed to filter automated security scanners from legitimate targets.

Sophisticated Attack Flow

The VoidProxy platform follows a carefully orchestrated four-stage attack process. Initial delivery occurs through compromised legitimate email services, followed by evasion mechanisms including CAPTCHA challenges and Cloudflare Workers that act as gatekeepers and lure loaders.

The system presents perfect replicas of legitimate login portals, with consistent domain patterns for Microsoft phishing pages using “login.[phishing_domain].[tld]” and Google phishing pages using “accounts.[phishing_domain].[tld]”.

After victims enter their primary credentials, the system differentiates between federated and non-federated users.

Non-federated users are redirected directly to legitimate Microsoft and Google servers through proxy infrastructure, while federated users encounter additional second-stage landing pages that impersonate service provider-initiated flows with their SSO providers.

The core proxy server, hosted on ephemeral infrastructure, executes the actual adversary-in-the-middle attack by acting as a reverse proxy to capture and relay authentication information to legitimate services.

When legitimate services validate authentication and issue session cookies, VoidProxy intercepts these tokens, making them available to attackers through administrative panels for immediate account access.

VoidProxy offers a full-featured administrative interface that demonstrates the platform’s commercial sophistication.

The admin panel provides PhaaS customers with comprehensive campaign management capabilities, including account-level dashboards, settings pages, campaign management interfaces, and individual campaign monitoring dashboards.

VoidProxy admin login page.

Example of a Microsoft 365 phishing page requesting email verification to steal user credentials 

The platform supports multiple data extraction methods, allowing stolen credentials and session tokens to be accessed through manual downloads or real-time notifications via Telegram Bot tokens and webhook URLs.

VoidProxy admin panel dashboard.

This flexibility enables threat actors to integrate VoidProxy operations with their existing criminal infrastructure and respond quickly to successful compromises.

Recommendations

Organizations can protect against VoidProxy attacks through several key defensive measures. The most effective protection involves enrolling users in phishing-resistant authenticators such as Okta FastPass, FIDO2 WebAuthn (passkeys and security keys), and smart cards, with policies that enforce phishing-resistance requirements.

Access restrictions should be implemented for sensitive applications, limiting access to devices managed by endpoint management tools and protected by endpoint security solutions.

Organizations should also deny, or require higher assurance for, requests from rarely used networks, and should identify access requests that deviate from established user activity patterns.

User education remains critical, with training focused on identifying suspicious emails, phishing sites, and common social engineering techniques.

Organizations should implement automated remediation flows that respond in real time to user interactions with suspicious infrastructure, while applying IP session binding to administrative applications to prevent replay of stolen administrative sessions.
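To show why phishing-resistant authenticators such as FIDO2 WebAuthn defeat a relaying proxy, here is an added example (not code from Okta, Microsoft, Google or the report) of the relying-party checks on a WebAuthn assertion: the browser records the origin it is actually on, and the authenticator scopes the credential to the RP ID, so a response relayed from a look-alike page fails server-side validation. RP_ID, EXPECTED_ORIGIN and the look-alike origin are assumed placeholders; signature verification is left out to keep the block short.

```python
import base64
import hashlib
import json
import os

# Assumed relying-party values for this example (not from the report).
RP_ID = "example-corp.test"
EXPECTED_ORIGIN = "https://login.example-corp.test"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def browser_client_data(challenge: bytes, page_origin: str) -> str:
    """clientDataJSON as the browser builds it: it records the origin of the page
    that called navigator.credentials.get(), whatever that page claims to be."""
    return b64url(json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": page_origin}).encode())

def authenticator_data(rp_id: str) -> bytes:
    """Leading bytes of authenticatorData: sha256(rpId) || flags (UP|UV) || counter."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x05" + (1).to_bytes(4, "big")

def verify_assertion(client_data_b64: str, auth_data: bytes, expected_challenge: bytes) -> str:
    """Relying-party checks that precede signature verification. (The signature over
    authData || sha256(clientDataJSON) is omitted here; it binds both inputs too.)"""
    cd = json.loads(b64url_decode(client_data_b64))
    if cd.get("type") != "webauthn.get":
        return "bad-type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return "bad-challenge"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return "origin-mismatch"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpid-mismatch"
    return "ok"

def demo() -> tuple[str, str]:
    challenge = os.urandom(32)
    # Genuine sign-in: the browser is on the real login page.
    genuine = verify_assertion(browser_client_data(challenge, EXPECTED_ORIGIN),
                               authenticator_data(RP_ID), challenge)
    # Relayed sign-in: the challenge is forwarded unchanged, but the browser is on a
    # look-alike page and records that origin (browsers also refuse RP ID example-corp.test there).
    relayed = verify_assertion(browser_client_data(challenge, "https://login.example-lure.icu"),
                               authenticator_data(RP_ID), challenge)
    return genuine, relayed
```

Contrast this with an SMS or authenticator-app code, which carries no origin information and so validates identically whether the user typed it into the real site or into the proxy.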

The emergence of VoidProxy represents a significant escalation in the sophistication of phishing-as-a-service operations, demonstrating how cybercriminals continue to adapt their tactics to bypass modern security controls.

Organizations must adopt comprehensive, layered defense strategies that combine technical controls with user education to effectively counter these evolving threats.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.