VoidProxy Phishing Service Targets Microsoft, Google Accounts

Security researchers at Okta Threat Intelligence have discovered a new cybercrime service that is enabling attackers to bypass some of the strongest security defenses in use today.

The researchers have identified VoidProxy, a new phishing-as-a-service (PhaaS) platform that helps attackers steal login credentials from Microsoft and Google accounts, even those protected by common multi-factor authentication (MFA).

“VoidProxy represents a mature, scalable and evasive threat to traditional email security and authentication controls,” the researchers wrote in a detailed report on their findings.

How VoidProxy Works

Unlike traditional phishing kits, VoidProxy uses a technique called Adversary-in-the-Middle (AitM), in which attackers secretly intercept authentication flows in real time. This lets them capture usernames, passwords, MFA codes, and even the session cookies that keep users logged in.

With these stolen session cookies, criminals can gain full access to victims’ accounts, bypassing several common MFA methods, such as SMS codes and one-time passwords (OTP) from authenticator apps.

Stealthy Delivery Tactics

Okta researchers discovered VoidProxy after noticing unusual activity blocked by their phishing-resistant FastPass authenticator. Upon closer inspection, they uncovered a sprawling infrastructure that had, until now, evaded detection through multiple anti-analysis tricks. These include using compromised email accounts to send lures, deploying endless redirects to confuse scanners, hiding behind Cloudflare services, and leveraging disposable low-cost domains like .icu, .xyz, and .top.

The phishing campaigns typically begin with emails sent from hijacked accounts at legitimate email service providers. Victims who click on the embedded links are funnelled through a series of redirections and CAPTCHA challenges before landing on a fake Microsoft or Google login page that looks almost identical to the real thing.

Targeting Single Sign-On (SSO) Users

For organizations that use single sign-on (SSO) services like Okta, VoidProxy goes even further. It generates convincing second-stage login pages that replicate SSO flows, tricking employees into disclosing even more sensitive data.

Once credentials are entered, VoidProxy’s proxy servers relay traffic between the victim and the legitimate service, silently siphoning off login details and cookies. These stolen details are instantly funnelled into VoidProxy’s admin panel, where attackers can monitor activity, download stolen data, and even receive alerts through Telegram.

Why It’s Dangerous

By offering an easy-to-use dashboard and ready infrastructure, VoidProxy lowers the bar for cybercrime. Cybercriminals of all skill levels can launch sophisticated phishing campaigns that lead to business email compromise (BEC), financial fraud, data exfiltration, and lateral movement within victim networks.

The Good News: What Still Works

Okta’s research highlights that despite VoidProxy’s sophistication, it has a key weakness: phishing-resistant authentication. The researchers confirmed that users protected by phishing-resistant authentication methods, such as Okta FastPass and passkeys, could not be tricked into handing over credentials, and instead received warnings that their account was under attack.
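
Why origin-bound credentials hold up against a relaying proxy, shown as an added example that is not taken from the Okta report or from this article: in WebAuthn the browser records the origin it is actually displaying, and the authenticator data begins with the SHA-256 of the relying-party ID, so the real service can reject an assertion produced on a lookalike host. The hostnames, challenge and helper names are constructed for illustration, and signature verification, which covers both fields and is what stops a proxy from rewriting them, is left out.

```python
import base64
import hashlib
import json

RP_ID = "sso.corp.example"                 # constructed relying-party ID
ORIGIN = "https://sso.corp.example"        # constructed legitimate origin
PROXY_HOST = "sso-corp.lookalike.example"  # constructed phishing proxy host


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def binding_failures(client_data_json, authenticator_data, challenge):
    """Return the reasons to reject an assertion; an empty list means the binding checks pass."""
    failures = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        failures.append("wrong type")
    if client.get("challenge") != b64url(challenge):
        failures.append("challenge mismatch")
    # The browser, not the page, writes the origin it is actually showing.
    if client.get("origin") != ORIGIN:
        failures.append("origin mismatch: " + str(client.get("origin")))
    if len(authenticator_data) < 37:
        return failures + ["authenticator data too short"]
    # Bytes 0-31: SHA-256 of the RP ID the credential was exercised for.
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        failures.append("rpIdHash mismatch")
    if not authenticator_data[32] & 0x01:  # flags bit 0: user present
        failures.append("user not present")
    return failures


def sample_assertion(origin, rp_id, challenge):
    """Constructed stand-in for the fields a browser and authenticator return."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    ).encode()
    flags_and_counter = bytes([0x05]) + (7).to_bytes(4, "big")  # UP|UV, signCount 7
    return client_data, hashlib.sha256(rp_id.encode()).digest() + flags_and_counter


if __name__ == "__main__":
    challenge = b"constructed-challenge-0001"
    print(binding_failures(*sample_assertion(ORIGIN, RP_ID, challenge), challenge))
    print(binding_failures(*sample_assertion("https://" + PROXY_HOST, PROXY_HOST, challenge), challenge))
```

A password or OTP carries no such binding, which is why the same relay succeeds against those factors.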

Expert Recommendations

To defend against threats like VoidProxy, Okta recommends:

  • Enforcing phishing-resistant authentication such as Okta FastPass, FIDO2 WebAuthn (passkeys and security keys), and smart cards.
  • Restricting access to sensitive applications to managed devices only.
  • Using behavioral analytics and risk-based access controls.
  • Training employees to spot suspicious emails and phishing tactics.
  • Using identity threat protection to react in real time to suspicious login attempts or infrastructure.

While VoidProxy shows how far phishing tactics have evolved, implementing stronger login protections, smarter policies, and a watchful workforce can significantly reduce an organization’s exposure to modern phishing threats.

 

Kavita Iyer