New VoidProxy PhaaS Service Attacking Microsoft 365 and Google Accounts

In recent months, security teams have observed a significant increase in sophisticated phishing campaigns leveraging a newly discovered Phishing-as-a-Service (PhaaS) platform dubbed VoidProxy.

The operation, first detected in August 2025, combines multiple anti-analysis techniques and adversary-in-the-middle (AitM) capabilities to target Microsoft 365 and Google accounts with unprecedented stealth.

Early email lures originate from compromised legitimate Email Service Provider (ESP) accounts to evade spam filters and include multiple redirects through URL shortening services.

URLscan data (Source – Okta)

This illustrates the redirect chain from a TinyURL link to the first-stage phishing domain.

Okta analysts identified the initial infrastructure through alerts raised by FastPass enrollment anomalies; users protected by phishing-resistant authenticators were warned of abnormal sign-in attempts.

The VoidProxy framework leverages disposable low-reputation domains (.icu, .xyz, .top) hosted behind Cloudflare to mask the real server IP and frustrate takedown efforts.

Before loading any page, victims must pass a Cloudflare CAPTCHA challenge to confirm human interaction (Figure 2). Automated scanners or security tools receive a generic welcome page, effectively neutralizing most analysis platforms.

Once the victim passes the challenge, the browser communicates with a Cloudflare Worker service responsible for filtering traffic and loading the appropriate phishing portal.

These portals meticulously mimic legitimate login pages for both Microsoft and Google, including support for federated single sign-on (SSO) via Okta.

Non-federated users are proxied directly to Microsoft or Google servers, while federated users encounter second-stage pages that impersonate the SP-initiated SSO flow of Okta, enabling attackers to harvest MFA codes and session tokens.

The sophistication of VoidProxy’s AitM engine lies in its ability to intercept session cookies and session tokens in real time.

When the legitimate service returns a session cookie, the proxy exfiltrates a copy to the attacker’s admin panel, granting immediate access to the compromised account.

The backend infrastructure utilizes dynamic DNS wildcard services (sslip.io, nip.io) to host ephemeral AitM proxy engines and customer-facing admin panels.

VoidProxy admin login page (Source – Okta)

The VoidProxy admin panel dashboard shows that the threat actors can configure campaigns, monitor victims, and collect stolen credentials.

Infection Mechanism and Evasion

VoidProxy’s infection chain begins with well-crafted phishing emails that abuse ESP reputation.

The multi-tier redirect chain not only evades URL-based detection but also ensures that each disposable domain is used briefly before being abandoned.

The Cloudflare Worker gatekeeper segregates legitimate targets from analysis tools, while CAPTCHA challenges further frustrate automated analysis.

Behind the scenes, the AitM proxy server integrates robust session hijacking: after validating credentials against Microsoft, Google, or Okta, it relays the session cookie to attackers while maintaining an active connection for the user.

A sample proxy snippet below demonstrates how the engine captures and logs session tokens:

// Relay the victim's request to the legitimate service (Microsoft, Google or Okta)
fetch(targetUrl, {
  method: 'POST',
  headers: request.headers,
  body: request.body
}).then(response => {
  // Copy the Set-Cookie header from the real response; this is the session
  // cookie the page describes being forwarded to the attacker's admin panel
  const sessionCookie = response.headers.get('set-cookie');
  logStolenCookie(sessionCookie);
  // Pass the genuine response back so the victim's login appears to succeed
  return response;
});

This seamless relay ensures that victims remain unaware of the compromise, allowing attackers to perform BEC, data exfiltration, and lateral movement within enterprise environments.

Understanding VoidProxy’s mechanisms is critical for defenders seeking to implement targeted detection rules and enforce stronger phishing-resistant authentication.
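As an added example (not code from the article or from Okta's research), the Python script below turns the infrastructure traits described above, shortener redirects, disposable .icu/.xyz/.top domains, and sslip.io/nip.io wildcard hosts, into an enrichment check a SOC could run over redirect chains extracted from proxy or URL-scan logs. The shortener list, the scoring weights and the sample chain are constructed assumptions, not observed VoidProxy infrastructure.

```python
import re
from urllib.parse import urlparse

# Traits reported for VoidProxy: disposable low-reputation TLDs, lures that
# pass through URL shorteners, and wildcard DNS services for the AitM engine
# and admin panels. The shortener list is an assumption; extend it locally.
LOW_REP_TLDS = {"icu", "xyz", "top"}
WILDCARD_DNS_SUFFIXES = ("sslip.io", "nip.io")
URL_SHORTENERS = {"tinyurl.com"}

# sslip.io / nip.io encode the backend IP in the hostname, either dotted
# (203.0.113.10.sslip.io) or dashed (203-0-113-10.nip.io); recover it.
EMBEDDED_IP_RE = re.compile(r"(\d{1,3})[.-](\d{1,3})[.-](\d{1,3})[.-](\d{1,3})")


def classify_host(host):
    """Return indicator tags for one hostname (empty list if nothing matches)."""
    host = host.lower().rstrip(".")
    tags = []
    if host in URL_SHORTENERS:
        tags.append("url-shortener")
    if host.rsplit(".", 1)[-1] in LOW_REP_TLDS:
        tags.append("low-reputation-tld")
    for suffix in WILDCARD_DNS_SUFFIXES:
        if host == suffix or host.endswith("." + suffix):
            match = EMBEDDED_IP_RE.search(host)
            ip = ".".join(match.groups()) if match else "?"
            tags.append("wildcard-dns:" + ip)
    return tags


def analyze_chain(urls):
    """Score an ordered redirect chain; returns (score, [(hop, host, tag), ...])."""
    findings = []
    for hop, url in enumerate(urls):
        host = urlparse(url).hostname or ""
        findings.extend((hop, host, tag) for tag in classify_host(host))
    score = len(findings)
    # A shortener hop that lands on a disposable-TLD host mirrors the lure
    # pattern reported above, so weight that combination higher (assumed weight).
    tags = {tag for _, _, tag in findings}
    if "url-shortener" in tags and "low-reputation-tld" in tags:
        score += 2
    return score, findings


# Constructed sample data for a stand-alone run; not real indicators.
SAMPLE_CHAIN = ["https://tinyurl.com/example-lure",
                "https://login-portal.example.icu/auth"]
SAMPLE_PANEL = "https://panel.203-0-113-10.sslip.io/"

if __name__ == "__main__":
    print(analyze_chain(SAMPLE_CHAIN))
    print(analyze_chain([SAMPLE_PANEL]))
```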

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.