Track cybersecurity events as they unfold. Sourced timelines, daily updates. Fast, privacy‑respecting. No ads, no tracking.

VoidProxy phishing service targets Microsoft 365 and Google accounts

📰 1 unique source, 1 article

Summary

A new phishing-as-a-service (PhaaS) platform, VoidProxy, targets Microsoft 365 and Google accounts, including those protected by third-party single sign-on (SSO) providers such as Okta. The platform uses adversary-in-the-middle (AitM) tactics to steal credentials, multi-factor authentication (MFA) codes, and session cookies in real time. The attack begins with emails sent from compromised accounts at email service providers; the emails contain shortened links that redirect recipients to phishing sites. The phishing sites are hosted on disposable, low-cost domains protected by Cloudflare. The attack flow involves multiple redirections, CAPTCHA challenges, and traffic filtering to evade detection and appear more legitimate. Selected targets are served phishing pages mimicking the Microsoft or Google login, while others receive a generic welcome page. Credentials entered into the phishing form are proxied through VoidProxy’s AitM to the legitimate service’s servers, which lets the platform capture usernames, passwords, and MFA codes. Session cookies issued by the legitimate service are intercepted and made available to the attackers. Okta noted that users enrolled in phishing-resistant authenticators such as Okta FastPass were protected from VoidProxy’s attack flow and received warnings that their account was under attack.
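Because the intercepted session cookies are usable by someone other than the victim, one defender-side check is to look for a single session identifier presented from more than one client context. The following is an added example, not code from the original report or from Okta; the event fields, the /24 network comparison, and the severity labels are assumptions, and the sample events are constructed.

```python
import ipaddress
from collections import namedtuple

# Hypothetical normalized session-activity record (field names are assumptions).
Event = namedtuple("Event", "ts user session_id ip user_agent")

# Constructed sample events using documentation IP ranges, not real telemetry.
SAMPLE_EVENTS = [
    Event("2025-09-14T09:00:05Z", "alice", "s-1001", "192.0.2.10", "Chrome/Windows"),
    Event("2025-09-14T09:12:40Z", "alice", "s-1001", "192.0.2.44", "Chrome/Windows"),
    Event("2025-09-14T09:01:00Z", "bob", "s-2002", "198.51.100.7", "Safari/macOS"),
    Event("2025-09-14T09:03:30Z", "bob", "s-2002", "203.0.113.99", "python-requests"),
    Event("2025-09-14T09:20:00Z", "carol", "s-3003", "198.51.100.20", "Firefox/Linux"),
    Event("2025-09-14T10:05:00Z", "carol", "s-3003", "203.0.113.5", "Firefox/Linux"),
]


def network_of(ip, prefix=24):
    """Coarse network context: the enclosing /24 (assumed granularity for IPv4)."""
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def find_replayed_sessions(events):
    """Flag sessions whose cookie is later seen from a network other than the first."""
    baseline = {}   # session_id -> first event observed for that session
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        first = baseline.setdefault(ev.session_id, ev)
        if first is ev:
            continue  # this event established the baseline
        if network_of(ev.ip) == network_of(first.ip):
            continue  # same network context: treat as normal address churn
        ua_changed = ev.user_agent != first.user_agent
        findings.append({
            "user": ev.user,
            "session_id": ev.session_id,
            "ts": ev.ts,
            "first_ip": first.ip,
            "seen_ip": ev.ip,
            # A changed user agent on top of a changed network is the stronger signal;
            # a network change alone can be roaming or VPN use and needs review.
            "severity": "high" if ua_changed else "review",
        })
    return findings


if __name__ == "__main__":
    for finding in find_replayed_sessions(SAMPLE_EVENTS):
        print(finding)
```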

Timeline

  1. 14.09.2025 17:23 📰 1 article · ⏱ 1d ago

    VoidProxy phishing service targets Microsoft 365 and Google accounts

    A new phishing-as-a-service (PhaaS) platform, VoidProxy, targets Microsoft 365 and Google accounts, including those protected by third-party single sign-on (SSO) providers such as Okta. The platform uses adversary-in-the-middle (AitM) tactics to steal credentials, multi-factor authentication (MFA) codes, and session cookies in real time. The attack begins with emails sent from compromised accounts at email service providers; the emails contain shortened links that redirect recipients to phishing sites. The phishing sites are hosted on disposable, low-cost domains protected by Cloudflare. The attack flow involves multiple redirections, CAPTCHA challenges, and traffic filtering to evade detection and appear more legitimate. Selected targets are served phishing pages mimicking the Microsoft or Google login, while others receive a generic welcome page. Credentials entered into the phishing form are proxied through VoidProxy’s AitM to the legitimate service’s servers, which lets the platform capture usernames, passwords, and MFA codes. Session cookies issued by the legitimate service are intercepted and made available to the attackers. Users enrolled in phishing-resistant authenticators such as Okta FastPass were protected from VoidProxy’s attack flow and received warnings that their account was under attack.

Information Snippets