In recent months, security teams have observed a significant increase in sophisticated phishing campaigns leveraging a newly discovered Phishing-as-a-Service (PhaaS) platform dubbed VoidProxy.<\/p>\n
The operation, first detected in August 2025, combines multiple anti-analysis techniques and adversary-in-the-middle (AitM) capabilities to target Microsoft 365 and Google accounts with unprecedented stealth.<\/p>\n
Early email lures originate from compromised legitimate Email Service Provider (ESP) accounts to evade spam filters and include multiple redirects through URL shortening services.<\/p>\n
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjLDbn7VZj316AZSVGrC3GcMfoWsGGPVKyWrqUISAXX4N5FgYF7DNT4aFqftUQil4rIlPgkiaVxwNwjGPg75ENjPE4JQ33NGLfP0jkBEXqNSW2kQzgfUwwVNsW9nsMPsglO3ZZVICxpatsAjPcCGN_LTNTD1RFd08rjyBY471M_aiKjiIiOno1PP6WXxvs\/s16000\/URLscan%2520data%2520%28Source%2520-%2520Okta%29.webp?ssl=1\")
This illustrates the redirect chain from a TinyURL link to the first-stage phishing domain.<\/p>\n
Okta analysts identified<\/a> the initial infrastructure through alerts raised by FastPass enrollment anomalies; users protected by phishing-resistant authenticators were warned of abnormal sign-in attempts.<\/p>\n The VoidProxy framework leverages disposable low-reputation domains (.icu, .xyz, .top) hosted behind Cloudflare to mask the real server IP and frustrate takedown efforts.<\/p>\n Before loading any page, victims must pass a Cloudflare CAPTCHA<\/a> challenge to confirm human interaction (Figure 2). Automated scanners or security tools receive a generic welcome page, effectively neutralizing most analysis platforms.<\/p>\n Once the victim passes the challenge, the browser communicates with a Cloudflare Worker service responsible for filtering traffic and loading the appropriate phishing portal.<\/p>\n These portals meticulously mimic legitimate login pages for both Microsoft and Google, including support for federated single sign-on (SSO) via Okta.<\/p>\n Non-federated users are proxied directly to Microsoft or Google servers, while federated users encounter second-stage pages that impersonate the SP-initiated SSO flow of Okta, enabling attackers to harvest MFA codes and session tokens.<\/p>\n The sophistication of VoidProxy\u2019s AitM engine lies in its ability to intercept session cookies and session tokens in real time.<\/p>\n When the legitimate service returns a session cookie, the proxy exfiltrates a copy to the attacker\u2019s admin panel, granting immediate access to the compromised account.<\/p>\n The backend infrastructure utilizes dynamic DNS wildcard services (sslip.io, nip.io) to host ephemeral AitM proxy engines and customer-facing admin panels.<\/p>\n While the VoidProxy admin panel dashboard shows that the threat actors can configure campaigns<\/a>, monitor victims, and collect stolen credentials.<\/p>\n VoidProxy\u2019s infection chain begins with well-crafted phishing emails that abuse ESP reputation.<\/p>\n The multi-tier redirect chain not only evades URL-based detection but also ensures that each disposable domain is used briefly before being abandoned.<\/p>\n The Cloudflare<\/a> Worker gatekeeper segregates legitimate targets from analysis tools, while CAPTCHA challenges further frustrate automated analysis.<\/p>\n Behind the scenes, the AitM proxy server integrates robust session hijacking: after validating credentials against Microsoft, Google, or Okta, it relays the session cookie to attackers while maintaining an active connection for the user.<\/p>\n A sample proxy snippet below demonstrates how the engine captures and logs session tokens:-<\/p>\n This seamless relay ensures that victims remain unaware of the compromise, allowing attackers to perform BEC, data exfiltration<\/a>, and lateral movement within enterprise environments.<\/p>\n Understanding VoidProxy\u2019s mechanisms is critical for defenders seeking to implement targeted detection rules and enforce stronger phishing-resistant authentication.<\/p>\n The post New VoidProxy PhaaS Service Attacking Microsoft 365 and Google Accounts<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj6EwZcGJJEKqlCEYjwtsWoavOxFK3KI2KlhTMgQuGUd_3a_FP7UHtzWLjZD07oMm2TB1J9FqQGbLsqJERKr5sc5npNXbpRmJTzoTAtPgLNZQ5oVwzkWnqS35VRsE8y35jqJo9PgLHW7mgodfnMqDf38H9W-pkaii9Dacd5lTRL6psClKoXgXvrB9hfIy8\/s16000\/VoidProxy%2520admin%2520login%2520page%2520%28Source%2520-%2520Okta%29.webp?ssl=1\")
Infection Mechanism and Evasion<\/strong><\/h2>\n
fetch(targetUrl, {\n method: 'POST',\n headers: request.headers,\n body: request.body\n}).then(response => {\n const sessionCookie = response.headers.get('set-cookie');\n logStolenCookie(sessionCookie);\n return response;\n});<\/code><\/pre>\nBoost\u00a0your\u00a0SOC and help your team protect your business with free top-notch threat intelligence:\u00a0Request TI Lookup Premium Trial<\/a>.<\/code><\/strong><\/p>\n