VoidProxy: Sophisticated Phishing-as-a-Service Targeting Microsoft 365 and Google

Researchers at Okta Threat Intelligence have uncovered a phishing-as-a-service (PhaaS) platform named VoidProxy, designed to steal sensitive account information at scale.

🔍 How VoidProxy works

  • Entry point: Emails sent from compromised accounts at providers like Constant Contact and ActiveCampaign, using shortened links and redirects.
  • Hosting: Disposable low-cost domains (.icu, .sbs, .cfd, .xyz, .top, .home) shielded by Cloudflare.
  • Legitimacy trick: Visitors see a Cloudflare CAPTCHA before being served phishing pages.
  • Attack chain:
    • Displays fake Microsoft 365 or Google login pages
    • Captures credentials, MFA codes, and session cookies
    • Federated SSO accounts (via Okta) are redirected to second-stage phishing flows
    • Attackers receive captured cookies in their VoidProxy admin panel

📌 Why it matters
Because the attacker captures the session cookie along with the credentials and MFA code, this approach bypasses MFA protections and gives them full account access.

Who’s protected?

  • Users with phishing-resistant authentication (e.g., Okta FastPass)
  • Those enforcing risk-based access controls and IP session binding
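
The IP session binding mentioned above, as an added example that is not from Okta's research or the original post: a session is pinned to the network it was issued to, and any later request carrying that session from elsewhere is flagged. The event fields (`type`, `sid`, `ip`), the sample events, and the default IPv6 /64 tolerance are assumptions made for illustration.

```python
import ipaddress

# Constructed sample events (not from any real log): session s-100 is issued
# to one address and later presented from a different network.
EVENTS = [
    {"ts": "2025-01-01T09:00:00Z", "type": "auth", "sid": "s-100", "user": "alice", "ip": "198.51.100.24"},
    {"ts": "2025-01-01T09:01:10Z", "type": "request", "sid": "s-100", "user": "alice", "ip": "198.51.100.24"},
    {"ts": "2025-01-01T09:03:42Z", "type": "request", "sid": "s-100", "user": "alice", "ip": "203.0.113.77"},
    {"ts": "2025-01-01T09:05:00Z", "type": "auth", "sid": "s-200", "user": "bob", "ip": "2001:db8:aa:1::10"},
    {"ts": "2025-01-01T09:06:00Z", "type": "request", "sid": "s-200", "user": "bob", "ip": "2001:db8:aa:1::beef"},
    {"ts": "2025-01-01T09:07:00Z", "type": "request", "sid": "s-300", "user": "carol", "ip": "192.0.2.5"},
]


def bound_network(ip, v4_prefix=32, v6_prefix=64):
    """Network a session is pinned to: exact IPv4 address, /64 for IPv6 by default."""
    addr = ipaddress.ip_address(ip)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def find_binding_violations(events, v4_prefix=32, v6_prefix=64):
    """Return requests whose source address is outside the network the session was issued to."""
    bindings = {}  # sid -> network recorded at authentication
    violations = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "auth":
            bindings[ev["sid"]] = bound_network(ev["ip"], v4_prefix, v6_prefix)
            continue
        net = bindings.get(ev["sid"])
        if net is None:
            # Session presented with no recorded sign-in: nothing to bind it to.
            violations.append({**ev, "reason": "no-binding"})
        elif ipaddress.ip_address(ev["ip"]) not in net:
            violations.append({**ev, "reason": "ip-mismatch", "bound_to": str(net)})
    return violations


if __name__ == "__main__":
    for v in find_binding_violations(EVENTS):
        print(v["ts"], v["user"], v["sid"], v["ip"], v["reason"])
```

Widening `v4_prefix` (for example to 24) trades detection strictness for fewer false positives from users whose address changes within one network.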

🔐 Researcher recommendations:

  • Restrict sensitive apps to managed devices only
  • Enforce re-authentication for admin actions
  • Apply risk-based access policies

⚠️ Conclusion
VoidProxy highlights the growing sophistication of phishing-as-a-service ecosystems, lowering the barrier for attackers while raising the stakes for enterprises.

At Alcaeus Services, we help organizations deploy strong authentication, risk-based access controls, and proactive phishing defenses to counter AitM and PhaaS threats.
