
VoidProxy: A New Phishing Service Targeting Microsoft 365 and Google Workspace

  • 16/09/2025

A new phishing-as-a-service (PhaaS) platform called VoidProxy has recently been uncovered by the Okta Threat Intelligence team, posing a serious threat to Microsoft 365 and Google Workspace users.

Unlike traditional phishing kits that only harvest passwords, VoidProxy acts as an adversary-in-the-middle (AitM): it relays the victim's traffic to the real service and captures login credentials, multi-factor authentication (MFA) codes, and the session cookie the service issues, all in real time. The attacker is logged in the moment the victim is, so the usual MFA and password controls are bypassed rather than broken.

How VoidProxy Operates

According to Okta, VoidProxy is a large-scale, hard-to-detect, and professionally managed platform. A campaign typically begins with emails sent from already-compromised accounts at legitimate email service providers such as Constant Contact, ActiveCampaign, and NotifyVisitors, so the messages arrive from senders with an established reputation.

These emails contain shortened links that bounce through several redirect hops to evade URL scanners and spam filters before landing on phishing sites hosted on low-cost domains such as *.icu, *.sbs, *.cfd, *.xyz, *.top, and *.home. The entire infrastructure sits behind Cloudflare, which hides the origin servers' true IP addresses and makes takedown and attribution harder.

When users click on these links, they first encounter a Cloudflare CAPTCHA, which lends the page an air of legitimacy and screens out automated crawlers and security scanners. Behind the scenes, VoidProxy uses Cloudflare Workers to inspect the incoming request and only allows traffic that matches the intended targets through to the phishing page; everyone else is redirected to a harmless welcome page. This gating means that analysts, sandboxes, and URL-reputation services typically never see the malicious content, which lowers detection and raises the campaign's success rate.

A Sophisticated Phishing Page

For qualified targets, VoidProxy presents a near-perfect replica of the Microsoft or Google sign-in page. Everything the victim types is routed through VoidProxy's servers and forwarded to the legitimate identity provider, and the provider's responses are relayed back. Because the proxy sits in the middle of a live login, it captures usernames, passwords, and MFA codes as they are entered, and the relayed MFA code still satisfies the real service.

In organizations that use Single Sign-On (SSO) via Okta, the Microsoft 365 or Google login is federated to Okta, so victims are redirected to a second-stage page that mimics the Okta authentication flow. VoidProxy keeps proxying the entire exchange and records every authentication detail entered.

The most dangerous aspect is session hijacking without any re-entry of passwords or MFA codes. Once the legitimate service issues a session cookie, VoidProxy copies it and uploads it to the attacker's admin dashboard. The attacker imports that cookie and has a fully authenticated session, which is why users protected by one-time codes or push approvals can still fall victim to adversary-in-the-middle (AitM) attacks: those factors prove possession once, and nothing ties the resulting session to the device or network that performed the login.
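One observable side effect of the flow above is that the session cookie is minted during a login that arrived from the proxy's network and is then used from the attacker's network a few minutes later. The following detection, an added example that is not part of the Okta report or the original article, runs that check over a constructed sign-in log. The log format, field names, user names, IP addresses, ASNs, and session IDs are all assumptions made for illustration; a real deployment would read the identity provider's own audit events.

```python
"""Flag sessions that are used from a different network than the one that
obtained them, the footprint of an AitM session-cookie replay.

Added example, not vendor code. The log format and every value in SAMPLE_LOG
are constructed for illustration. Fields: timestamp, user, event, session id,
source IP, source ASN.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log. alice's login is relayed through a proxy network
# (AS64500) and the resulting session is replayed from AS64511 minutes later;
# bob's session stays on one network throughout.
SAMPLE_LOG = """\
2025-09-16T08:01:10Z alice@example.com login.success sess-7f3a 203.0.113.40 AS64500
2025-09-16T08:01:12Z alice@example.com mfa.success   sess-7f3a 203.0.113.40 AS64500
2025-09-16T08:04:55Z alice@example.com session.use   sess-7f3a 198.51.100.7 AS64511
2025-09-16T08:05:30Z alice@example.com session.use   sess-7f3a 198.51.100.7 AS64511
2025-09-16T09:10:00Z bob@example.com   login.success sess-c21d 192.0.2.88   AS64496
2025-09-16T09:11:00Z bob@example.com   mfa.success   sess-c21d 192.0.2.88   AS64496
2025-09-16T09:30:00Z bob@example.com   session.use   sess-c21d 192.0.2.88   AS64496
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    kind: str
    session: str
    ip: str
    asn: str


def parse_log(text: str) -> list[Event]:
    """Parse the whitespace-separated constructed log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, kind, session, ip, asn = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            user, kind, session, ip, asn))
    return events


def find_replayed_sessions(events: list[Event],
                           window: timedelta = timedelta(minutes=30)) -> dict[str, dict]:
    """Return {session_id: details} for every session that is later used from
    another ASN, or from another IP within `window` of the issuing login.

    The ASN check catches the common case (attacker on a different network);
    the short-window IP check catches a hop inside one large provider, where
    a legitimate user is unlikely to change address that quickly.
    """
    issued: dict[str, Event] = {}   # session id -> login event that created it
    hits: dict[str, dict] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "login.success":
            issued[ev.session] = ev
            continue
        origin = issued.get(ev.session)
        if origin is None:
            continue  # session issued before this log slice; nothing to compare
        delta = ev.ts - origin.ts
        moved_asn = ev.asn != origin.asn
        moved_ip_fast = ev.ip != origin.ip and delta <= window
        if (moved_asn or moved_ip_fast) and ev.session not in hits:
            hits[ev.session] = {
                "user": ev.user,
                "issued_from": (origin.ip, origin.asn),
                "used_from": (ev.ip, ev.asn),
                "seconds_after_login": int(delta.total_seconds()),
            }
    return hits


if __name__ == "__main__":
    for sid, info in find_replayed_sessions(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT session {sid}: {info}")
```

The rule is deliberately narrow: it does not try to decide whether the issuing IP was a proxy, only whether one session lived on two networks. Users on mobile carriers and corporate VPNs will produce some false positives on the IP check, which is why the ASN comparison is the primary signal and the IP comparison is restricted to a short window after login.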

Protecting Against VoidProxy

According to Okta, users who authenticate with Okta FastPass, a phishing-resistant authenticator that binds the login to the genuine origin and the enrolled device, are protected and are notified when they are targeted. Security practitioners also recommend restricting access to sensitive applications to managed devices only; applying risk-based access policies; binding sessions to the IP address or network that established them, particularly for administrative applications; and requiring administrators to re-authenticate before performing critical actions, so that a stolen cookie alone is not enough to cause damage.
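The reason a phishing-resistant authenticator defeats a relay proxy is worth seeing in code. In FIDO2/WebAuthn, the browser embeds the origin it is actually talking to in the signed client data, so an assertion produced on the look-alike domain is not valid for the real identity provider, and the proxy cannot rewrite the origin without breaking the signature. The example below is added here and is not Okta FastPass or any vendor's implementation: the origins, user name, and class names are assumptions, and an HMAC keyed by a per-credential secret stands in for the authenticator's asymmetric private key (real WebAuthn signs authenticatorData plus the SHA-256 of clientDataJSON with an ECDSA or RSA key; the origin-binding property demonstrated is the same).

```python
"""Origin-bound authentication versus an AitM relay proxy.

Added example, not vendor code. RP_ORIGIN and PHISH_ORIGIN are assumed names.
HMAC with a per-credential secret stands in for the authenticator's private
key; the relying party's copy of that secret stands in for the stored public
key. Everything else mirrors the WebAuthn assertion check: verify the
signature over the client data, then require that the origin inside it is
the relying party's own.
"""
import hashlib
import hmac
import json
import secrets

RP_ORIGIN = "https://login.example.com"         # legitimate identity provider (assumed)
PHISH_ORIGIN = "https://login.example-sso.icu"   # AitM proxy's look-alike domain (assumed)


class Authenticator:
    """Device-bound authenticator. It signs whatever origin the browser reports;
    it has no way to know that origin is a phishing site, and it does not need to."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)  # stand-in for the credential private key

    def credential_for_rp(self) -> bytes:
        return self._key  # stand-in for the public key sent at registration

    def get_assertion(self, challenge: bytes, browser_origin: str) -> dict:
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge.hex(), "origin": browser_origin},
            sort_keys=True,
        ).encode()
        digest = hashlib.sha256(client_data).digest()
        return {"clientDataJSON": client_data,
                "signature": hmac.new(self._key, digest, hashlib.sha256).digest()}


class RelyingParty:
    """The identity provider. Accepts an assertion only if it was signed for
    this origin with a registered credential and a fresh challenge."""

    def __init__(self, origin: str) -> None:
        self.origin = origin
        self.credentials: dict[str, bytes] = {}
        self.outstanding: set[bytes] = set()

    def register(self, user: str, credential: bytes) -> None:
        self.credentials[user] = credential

    def new_challenge(self) -> bytes:
        c = secrets.token_bytes(32)
        self.outstanding.add(c)
        return c

    def verify(self, user: str, assertion: dict) -> tuple[bool, str]:
        key = self.credentials.get(user)
        if key is None:
            return False, "unknown credential"
        digest = hashlib.sha256(assertion["clientDataJSON"]).digest()
        expected = hmac.new(key, digest, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return False, "bad signature"          # client data was altered in transit
        data = json.loads(assertion["clientDataJSON"])
        if data["origin"] != self.origin:
            return False, f"origin mismatch: {data['origin']}"
        challenge = bytes.fromhex(data["challenge"])
        if challenge not in self.outstanding:
            return False, "unknown or reused challenge"
        self.outstanding.discard(challenge)          # one use only
        return True, "ok"


def _setup() -> tuple[RelyingParty, Authenticator]:
    rp, auth = RelyingParty(RP_ORIGIN), Authenticator()
    rp.register("alice", auth.credential_for_rp())
    return rp, auth


def login_direct() -> str:
    """Victim's browser talks to the real RP: accepted."""
    rp, auth = _setup()
    return rp.verify("alice", auth.get_assertion(rp.new_challenge(), RP_ORIGIN))[1]


def login_via_aitm_proxy() -> str:
    """Proxy fetches a real challenge, shows the login page on PHISH_ORIGIN,
    and forwards the assertion untouched: rejected on origin."""
    rp, auth = _setup()
    challenge = rp.new_challenge()                      # proxy obtained this from the RP
    assertion = auth.get_assertion(challenge, PHISH_ORIGIN)  # browser is on the phish domain
    return rp.verify("alice", assertion)[1]


def login_via_tampering_proxy() -> str:
    """Proxy rewrites the origin field to the real one before forwarding:
    the signature no longer matches, so it is rejected on signature."""
    rp, auth = _setup()
    assertion = auth.get_assertion(rp.new_challenge(), PHISH_ORIGIN)
    forged = json.loads(assertion["clientDataJSON"])
    forged["origin"] = RP_ORIGIN
    assertion["clientDataJSON"] = json.dumps(forged, sort_keys=True).encode()
    return rp.verify("alice", assertion)[1]


if __name__ == "__main__":
    print("direct:   ", login_direct())
    print("relayed:  ", login_via_aitm_proxy())
    print("tampered: ", login_via_tampering_proxy())
```

Contrast this with a password plus TOTP code: nothing in that exchange names the origin, so the proxy can forward both verbatim and the identity provider cannot tell the relay from the real browser. The origin check is what makes an authenticator "phishing-resistant", and session binding and re-authentication then limit what a cookie stolen from a weaker factor can do.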

VoidProxy – The Next Step in Phishing-as-a-Service

The emergence of VoidProxy shows how quickly phishing-as-a-service is evolving: more sophisticated, more automated, and harder to detect. Its use of legitimate infrastructure such as Cloudflare, reputable email service providers, and multi-hop redirects lets campaigns hide among ordinary traffic.

To counter this, organizations should prioritise moving to phishing-resistant authentication, strengthening monitoring of sign-in and session activity, and training employees to recognise phishing. Such proactive measures are essential to reducing the risk of falling victim to future AitM attacks.
