
VoidProxy phishing service targets Microsoft 365, Google accounts

3 unique sources, 4 articles

Summary


A new phishing-as-a-service (PhaaS) platform, VoidProxy, targets Microsoft 365 and Google accounts, including those protected by third-party single sign-on (SSO) providers like Okta. The platform uses adversary-in-the-middle (AitM) tactics to steal credentials, multi-factor authentication (MFA) codes, and session cookies in real time. The attack begins with emails from compromised accounts at email service providers, which include shortened links redirecting recipients to phishing sites. The phishing sites are hosted on disposable low-cost domains and protected by Cloudflare to hide their real IPs. Additionally, a new phishing automation platform named Quantum Route Redirect (QRR) is targeting Microsoft 365 users worldwide. QRR uses around 1,000 domains, either parked or compromised, to steal credentials. The attacks start with malicious emails impersonating various services, redirecting users to credential harvesting pages. QRR employs a built-in filtering mechanism to distinguish between bots and human visitors, redirecting humans to phishing pages while sending bots to benign sites. QRR has been observed targeting Microsoft 365 accounts across 90 countries, with 76% of attacks directed at U.S. users. The platform offers advanced features such as a configuration panel, monitoring dashboards, intelligent traffic routing, and an analytics dashboard, making it easier for less technically minded cybercriminals to launch sophisticated phishing campaigns. QRR has been observed in the wild since August 2025 and uses a URL pattern of "/([\w\d-]+\.){2}[\w]{,3}\/quantum.php/" for its phishing campaigns. QRR can bypass Microsoft 365 email protections, including Microsoft Exchange Online Protection (EOP), secure email gateways (SEG), and integrated cloud email security (ICES) products. QRR's intelligent redirect system can differentiate between security tools and human visitors, redirecting security tools to legitimate websites and human visitors to phishing pages. QRR has been observed deceiving web application firewall products, enabling attacks to bypass multiple layers of security.
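The URL pattern reported for QRR can be hunted for directly in mail-gateway or proxy logs, which sidesteps the platform's bot filtering because nothing needs to fetch the link. The following Python is an added example, not code from the page or from any vendor; the log format, timestamps, client addresses and hostnames are constructed for illustration.

```python
import re

# URL pattern reported for QRR campaigns, copied from the page. The outer
# slashes are regex delimiters, so they are dropped here. Note two properties
# of the pattern as written: the dot in "quantum.php" is unescaped (matches
# any character), and the host must carry at least two dot-separated labels
# before a TLD of up to three word characters.
QRR_URL_RE = re.compile(r"([\w\d-]+\.){2}[\w]{,3}\/quantum.php", re.IGNORECASE)

# Constructed sample gateway log lines (not real indicators):
# "<timestamp> <client> <method> <url> <status>"
SAMPLE_LOG = """\
2025-11-10T09:14:02Z 10.0.0.21 GET https://update-portal.example-parked.net/quantum.php?id=abc123 302
2025-11-10T09:14:05Z 10.0.0.21 GET https://login.microsoftonline.com/common/oauth2/authorize 200
2025-11-10T09:16:40Z 10.0.0.34 GET http://cdn.files.example-compromised.org/quantum.php 200
2025-11-10T09:17:11Z 10.0.0.34 GET https://example.com/quantum.php 200
2025-11-10T09:18:00Z 10.0.0.50 GET https://docs.example.org/quantum-physics.php 200
"""


def parse_log_line(line):
    """Split one constructed log line into its five fields."""
    ts, client, method, url, status = line.split()
    return {"ts": ts, "client": client, "method": method, "url": url, "status": status}


def find_qrr_hits(log_text):
    """Return one record per log line whose URL matches the reported QRR pattern.

    'matched' holds the host/path fragment the regex actually consumed; for a
    host with more than three labels only the trailing labels are covered.
    """
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_log_line(line)
        m = QRR_URL_RE.search(rec["url"])
        if m:
            hits.append({"ts": rec["ts"], "client": rec["client"],
                         "url": rec["url"], "matched": m.group(0)})
    return hits


if __name__ == "__main__":
    for hit in find_qrr_hits(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} -> {hit['url']} (matched: {hit['matched']})")
```

The fourth sample line shows a limitation worth knowing: an apex domain such as example.com does not satisfy the two-label requirement, so a hunt built only on this pattern should be paired with a plain path match on "/quantum.php" if that variant is of concern.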

Timeline

  1. 10.11.2025 23:29 3 articles · 2d ago

    Quantum Route Redirect (QRR) targets Microsoft 365 users worldwide

    QRR has been observed in the wild since August 2025 and uses a URL pattern of "/([\w\d-]+\.){2}[\w]{,3}\/quantum.php/" for its phishing campaigns. QRR can bypass Microsoft 365 email protections, including Microsoft Exchange Online Protection (EOP), secure email gateways (SEG), and integrated cloud email security (ICES) products. QRR's intelligent redirect system can differentiate between security tools and human visitors, redirecting security tools to legitimate websites and human visitors to phishing pages. QRR has been observed deceiving web application firewall products, enabling attacks to bypass multiple layers of security.

  2. 14.09.2025 17:23 1 article · 2mo ago

    VoidProxy phishing service targets Microsoft 365, Google accounts

    A new phishing-as-a-service (PhaaS) platform, VoidProxy, targets Microsoft 365 and Google accounts, including those protected by third-party SSO providers like Okta. The platform uses adversary-in-the-middle (AitM) tactics to steal credentials, multi-factor authentication (MFA) codes, and session cookies in real time. The attack begins with emails from compromised accounts at email service providers, which include shortened links redirecting recipients to phishing sites. The phishing sites are hosted on disposable low-cost domains and protected by Cloudflare to hide their real IPs.


Similar Happenings

New CoPhish technique exploits Microsoft Copilot for OAuth phishing

A new phishing technique called 'CoPhish' leverages Microsoft Copilot Studio agents to deliver fraudulent OAuth consent requests. The technique exploits the legitimate and trusted Microsoft domains to trick users into granting permissions to malicious applications. The CoPhish technique was developed by researchers at Datadog Security Labs, who highlighted the risks associated with the flexibility of Copilot Studio. Microsoft has acknowledged the issue and plans to address it in a future update. The attack targets users, including administrators, by embedding malicious applications within Copilot Studio agents. Once activated, these agents can be distributed via email or messaging platforms, making it difficult for users to distinguish between legitimate and malicious requests. Users can protect against CoPhish attacks by limiting administrative privileges, reducing application permissions, enforcing governance policies, implementing a strong application consent policy, disabling user application creation defaults, and closely monitoring application consent via Entra ID and Copilot Studio agent creation events.

AI Sidebar Spoofing Vulnerability in Atlas and Comet Browsers

Researchers from NeuralTrust have discovered a vulnerability in the OpenAI Atlas browser that allows for jailbreaking through the omnibox. This vulnerability can trick users into following malicious instructions, leading to potential data breaches and unauthorized actions. The attack works by disguising a prompt instruction as a URL, which is then treated as a trusted user intent. This can override user intent, trigger cross-domain actions, and bypass safety layers. The vulnerability affects the latest versions of the Atlas browser. Researchers demonstrated two realistic attack scenarios: a copy-link trap to phish credentials and destructive instructions to delete files. The attack requires only 'host' and 'storage' permissions, which are common for productivity tools. Users are advised to be cautious when using these browsers for sensitive activities and to restrict their use to non-sensitive tasks until further security measures are implemented. Earlier, researchers from SquareX discovered a similar vulnerability in OpenAI's Atlas and Perplexity's Comet browsers that allows for AI Sidebar Spoofing. This attack can trick users into following malicious instructions, leading to potential data breaches and unauthorized actions. The vulnerability affects the latest versions of both browsers and requires only 'host' and 'storage' permissions. Users are advised to be cautious and restrict the use of these browsers to non-sensitive activities.

Phishing campaign targets LastPass and Bitwarden users to install remote access tools

A phishing campaign is targeting LastPass and Bitwarden users with fake breach alerts. The emails urge recipients to download a supposedly more secure desktop version of the password manager, which installs Syncro, an RMM tool, and ScreenConnect remote support software. The campaign began over the Columbus Day holiday weekend, exploiting reduced staffing. LastPass has confirmed it has not been hacked and is actively working to mitigate the phishing campaign. The phishing emails are well-crafted and claim to address vulnerabilities in older .exe installations, urging users to update to a more secure MSI format. The threat actors use domains like 'lastpasspulse[.]blog' and 'bitwardenbroadcast[.]blog' to send these emails. The malware installs Syncro and ScreenConnect, allowing the threat actors to remotely access the compromised endpoints, deploy further malware, and steal data. The phishing emails use the subject line 'We Have Been Hacked - Update Your LastPass Desktop App to Maintain Vault Security' and are sent from email addresses like hello@lastpasspulse[.]blog or hello@lastpassgazette[.]blog. The phishing site is hosted at lastpassdesktop[.]com or lastpassgazette[.]blog, and another URL, lastpassdesktop[.]app, has been registered by the threat actor for potential future use.

Phishing-as-a-Service Platform Whisper 2FA Facilitates One Million Attacks Since July 2025

The phishing-as-a-service (PhaaS) platform Whisper 2FA has been responsible for nearly one million phishing attacks since July 2025. Whisper 2FA uses AJAX to capture credentials and multi-factor authentication (MFA) codes, effectively bypassing MFA protections. The platform has evolved rapidly, incorporating advanced obfuscation and anti-debugging techniques. Whisper 2FA targets multiple industries by mimicking popular brands such as DocuSign, Adobe, and Microsoft 365. The attacks use urgent lures like invoices or voicemail notifications to prompt users to log in and submit their details. The platform's sophistication and ease of deployment make it a significant threat in the PhaaS landscape, ranking just behind Tycoon and EvilProxy.

Storm-2657 Targets University HR Employees in Payroll Hijacking Campaign

A cybercrime gang, Storm-2657, has been targeting university employees in the United States since March 2025 to hijack salary payments. The attackers have successfully compromised 11 accounts at three universities, sending phishing emails to nearly 6,000 email accounts across 25 universities. The campaign, codenamed Payroll Pirates, exploits a lack of multifactor authentication (MFA) or phishing-resistant MFA to compromise Workday accounts and other third-party HR SaaS platforms. The attackers use sophisticated social engineering tactics and adversary-in-the-middle (AITM) links to steal MFA codes, enabling them to gain access to Exchange Online accounts. Once inside, they alter salary payment configurations and redirect payments to accounts under their control. The attackers also create inbox rules to delete incoming warning notification emails from Workday and enroll their own phone numbers as MFA devices for victim accounts. The compromised email accounts are used to distribute further phishing emails, both within the organization and to other universities. The attacks have been ongoing since March 2025, with Microsoft identifying affected customers and providing mitigation guidance. The campaign has been observed targeting a range of U.S.-based organizations, particularly in the higher education sector, and any software-as-a-service (SaaS) platform storing HR or payment and bank account information.