VoidProxy PhaaS AitM platform targeting Microsoft 365, Google, and SSO accounts
Threat Actor Meta
Summary
VoidProxy is a newly disclosed phishing-as-a-service (PhaaS) platform that can steal Microsoft 365, Google, and SSO credentials at scale, raising account-takeover risk across cloud identity systems. It uses adversary-in-the-middle (AitM) interception to capture passwords, MFA codes, and session cookies in real time. The service also blends compromised-email delivery, redirect chains, disposable domains, and cloud-hosted filtering to make the phishing flow harder to detect and block.
Related Happenings
ATHR productized automated vishing platform for credential theft
Threat Actor Meta
First: 16.04.2026 17:09
Last: 16.04.2026 17:09
Sources 1
About this happening:
ATHR is turning **automated vishing** into a **productized underground service**, lowering the barrier for credential theft across **Google**, **Microsoft**, **Coinbase**, and oth...
W3LL Microsoft 365 adversary-in-the-middle phishing campaign
Campaign
First: 13.04.2026 21:55
Last: 13.04.2026 21:55
Sources 1
About this happening:
The **W3LL** phishing operation turned into a high-volume **Microsoft 365** credential-theft campaign, exposing **more than 17,000 victims worldwide** to **BEC** risk. The kit use...
UNC6783 BPO compromise campaign targeting downstream companies
Campaign
First: 09.04.2026 00:46
Last: 09.04.2026 00:46
Sources 1
About this happening:
**UNC6783** is an active **BPO compromise campaign** targeting **business process outsourcers** and large enterprises to reach downstream environments for **extortion**. The opera...
OAuth device-code phishing campaign targeting SaaS accounts
Campaign
First: 04.04.2026 17:17
Last: 04.04.2026 17:17
Sources 1
About this happening:
A **device code phishing** campaign now includes **EvilTokens**, a **phishing-as-a-service** kit sold on **Telegram** that uses the **OAuth 2.0 device authorization flow** to hija...
EvilTokens phishing-as-a-service operation expands device code phishing and BEC
Threat Actor Meta
First: 01.04.2026 22:42
Last: 01.04.2026 22:42
Sources 1
About this happening:
**EvilTokens** has been commercialized on **Telegram** as a continuously developed phishing-as-a-service kit, expanding **device code phishing** and **BEC** capabilities at scale....
Timeline
14.09.2025 17:23 2 articles · 8mo ago
VoidProxy phishing service targets Microsoft 365, Google, and Okta SSO accounts
Initial Disclosure
Okta Threat Intelligence identified VoidProxy as a phishing-as-a-service platform that targets Microsoft 365, Google, and Okta SSO users with adversary-in-the-middle phishing to steal credentials, MFA codes, and session cookies in real time. The service uses compromised email accounts, shortened links, multiple redirections, disposable low-cost domains, Cloudflare CAPTCHA filtering, Cloudflare Worker traffic handling, and proxying to legitimate Microsoft, Google, and Okta servers. Users with phishing-resistant authentication such as Okta FastPass were protected and received warnings about account attacks.
Sources
- New VoidProxy phishing service targets Microsoft 365, Google accounts — www.bleepingcomputer.com — 14.09.2025 17:23