VoidProxy Microsoft 365 and Google phishing campaign
Campaign
Summary
The VoidProxy phishing campaign uses adversary-in-the-middle (AitM) login pages to steal credentials, MFA codes, and session cookies from Microsoft 365, Google, and federated SSO users. It starts with compromised email accounts and shortened links that push victims through multiple redirections to phishing sites. The infrastructure relies on disposable .icu, .sbs, .cfd, .xyz, .top, and .home domains protected by Cloudflare to obscure the source. Users with phishing-resistant authentication such as Okta FastPass are specifically identified as better protected against the flow.
Related Happenings
W3LL Microsoft 365 adversary-in-the-middle phishing campaign
Campaign
First: 13.04.2026 21:55
Last: 13.04.2026 21:55
Sources 1
About this happening:
The **W3LL** phishing operation turned into a high-volume **Microsoft 365** credential-theft campaign, exposing **more than 17,000 victims worldwide** to **BEC** risk. The kit use...
UNC6783 BPO compromise campaign targeting downstream companies
Campaign
First: 09.04.2026 00:46
Last: 09.04.2026 00:46
Sources 1
About this happening:
**UNC6783** is an active **BPO compromise campaign** targeting **business process outsourcers** and large enterprises to reach downstream environments for **extortion**. The opera...
OAuth device-code phishing campaign targeting SaaS accounts
Campaign
First: 04.04.2026 17:17
Last: 04.04.2026 17:17
Sources 1
About this happening:
A **device code phishing** campaign now includes **EvilTokens**, a **phishing-as-a-service** kit sold on **Telegram** that uses the **OAuth 2.0 device authorization flow** to hija...
TikTok for Business phishing campaign using Turnstile and reverse proxy
Campaign
First: 26.03.2026 16:09
Last: 26.03.2026 16:09
Sources 1
About this happening:
A **phishing campaign** is targeting **TikTok for Business accounts** and uses **Cloudflare Turnstile** to block automated analysis before exposing a **reverse-proxy** credential-...
Tycoon 2FA-Storm-1747 ecosystem shift changes threat-actor operations
Threat Actor Meta
First: 05.03.2026 08:51
Last: 05.03.2026 08:51
Sources 1
About this happening:
**Tycoon2FA** has evolved from a **subscription-based PhaaS** into a more resilient phishing service that now supports **device-code phishing** against **Microsoft 365** accounts....
Latest development: 17.05.2026 17:43
eSentire says Tycoon2FA now uses device-code phishing to target Microsoft 365 accounts, with invoice-themed lure emails carrying Trustifi click-tracking URLs that redirect through Trustifi, Cloudflare Workers, obfuscated JavaScript layers, and a fake Microsoft CAPTCHA page before sending victims to microsoft.com/devicelogin. The kit also adds anti-analysis defenses, including detection of Selenium, Puppeteer, Playwright, and Burp Suite, plus blocks for security vendors, VPNs, sandboxes, AI crawlers, and cloud providers.
Timeline
14.09.2025 17:23 2 articles · 8mo ago
VoidProxy targets Microsoft 365, Google, and Okta SSO accounts with AitM phishing
Initial Disclosure
Okta Threat Intelligence researchers discovered VoidProxy, a phishing-as-a-service (PhaaS) platform targeting Microsoft 365, Google accounts, and federated SSO users such as Okta. The service uses adversary-in-the-middle (AitM) tactics to relay victim logins to legitimate Microsoft, Google, and Okta servers while capturing credentials, MFA codes, and session cookies, and its delivery chain uses compromised email accounts, shortened links, multiple redirections, disposable .icu, .sbs, .cfd, .xyz, .top, and .home domains, a Cloudflare CAPTCHA challenge, and a Cloudflare Worker environment. Okta said users enrolled in phishing-resistant authentication such as Okta FastPass were protected and received warnings that their account was under attack.
Sources
- New VoidProxy phishing service targets Microsoft 365, Google accounts — www.bleepingcomputer.com — 14.09.2025 17:23