Find notable cyber news and cases, enriched with sources, timelines, and signals.

VoidProxy PhaaS AitM platform targeting Microsoft 365, Google, and SSO accounts

Threat Actor Meta
First reported
Last updated
Happening score
H score 30
1 unique sources, 1 articles

Summary

Hide ▲

VoidProxy is a newly disclosed phishing-as-a-service (PhaaS) platform that can steal Microsoft 365, Google, and SSO credentials at scale, raising account-takeover risk across cloud identity systems. It uses adversary-in-the-middle (AitM) interception to capture passwords, MFA codes, and session cookies in real time. The service also blends compromised-email delivery, redirect chains, disposable domains, and cloud-hosted filtering to make the phishing flow harder to detect and block.

Related Happenings

ATHR productized automated vishing platform for credential theft

Threat Actor Meta
H score39 First: 16.04.2026 17:09 Last: 16.04.2026 17:09 Sources 1

About this happening: ATHR is turning **automated vishing** into a **productized underground service**, lowering the barrier for credential theft across **Google**, **Microsoft**, **Coinbase**, and oth...

W3LL Microsoft 365 adversary-in-the-middle phishing campaign

Campaign
H score39 First: 13.04.2026 21:55 Last: 13.04.2026 21:55 Sources 1

About this happening: The **W3LL** phishing operation turned into a high-volume **Microsoft 365** credential-theft campaign, exposing **more than 17,000 victims worldwide** to **BEC** risk. The kit use...

UNC6783 BPO compromise campaign targeting downstream companies

Campaign
H score65 First: 09.04.2026 00:46 Last: 09.04.2026 00:46 Sources 1

About this happening: **UNC6783** is an active **BPO compromise campaign** targeting **business process outsourcers** and large enterprises to reach downstream environments for **extortion**. The opera...

OAuth device-code phishing campaign targeting SaaS accounts

Campaign
H score43 First: 04.04.2026 17:17 Last: 04.04.2026 17:17 Sources 1

About this happening: A **device code phishing** campaign now includes **EvilTokens**, a **phishing-as-a-service** kit sold on **Telegram** that uses the **OAuth 2.0 device authorization flow** to hija...

EvilTokens phishing-as-a-service operation expands device code phishing and BEC

Threat Actor Meta
H score44 First: 01.04.2026 22:42 Last: 01.04.2026 22:42 Sources 1

About this happening: **EvilTokens** is part of a broader **phishing-as-a-service** ecosystem that packages **Microsoft 365 device-code phishing** for criminal operators. **Cisco Talos** described **AR...

Timeline

  1. 14.09.2025 17:23 2 articles · 9mo ago

    VoidProxy phishing service targets Microsoft 365, Google, and Okta SSO accounts

    Initial Disclosure

    Okta Threat Intelligence identified VoidProxy as a phishing-as-a-service platform that targets Microsoft 365, Google, and Okta SSO users with adversary-in-the-middle phishing to steal credentials, MFA codes, and session cookies in real time. The service uses compromised email accounts, shortened links, multiple redirections, disposable low-cost domains, Cloudflare CAPTCHA filtering, Cloudflare Worker traffic handling, and proxying to legitimate Microsoft, Google, and Okta servers; users with phishing-resistant authentication such as Okta FastPass were protected and received warnings about account attacks.

    Show sources