Ethical Hacking News
A new phishing-as-a-service platform called VoidProxy has been discovered that targets Microsoft 365 and Google accounts using adversary-in-the-middle tactics. The service uses disposable domains protected by Cloudflare, and its proxy server captures user credentials in transit. This attack highlights the importance of staying vigilant against phishing threats and taking proactive measures to protect sensitive information.
VoidProxy is a phishing-as-a-service (PhaaS) platform that targets Microsoft 365 and Google accounts using adversary-in-the-middle (AitM) tactics. The attack begins with emails from compromised accounts, which include shortened links that send recipients to phishing sites after multiple redirections. Malicious sites are hosted on disposable low-cost domains protected by Cloudflare to hide their real IPs. Requests are proxied through VoidProxy's AitM to Google or Microsoft servers, capturing usernames, passwords, and MFA codes in transit. Because a proxy server relays the traffic, attackers can steal sensitive information without being detected by traditional security systems. Users enrolled in phishing-resistant authenticators such as Okta FastPass are protected from VoidProxy's attack flow and receive warnings about their account being under attack.
VoidProxy, a newly discovered phishing-as-a-service (PhaaS) platform, has been making waves in the cybersecurity world by targeting unsuspecting users of Microsoft 365 and Google accounts. This malicious service uses adversary-in-the-middle (AitM) tactics to steal credentials, multi-factor authentication (MFA) codes, and session cookies in real-time.
According to the Okta Threat Intelligence researchers who discovered it, VoidProxy is a scalable, evasive, and sophisticated platform. The attack begins with emails from compromised accounts at email service providers like Constant Contact, Active Campaign, and NotifyVisitors, which include shortened links that send recipients to phishing sites after multiple redirections.
The malicious sites are hosted on disposable low-cost domains such as .icu, .sbs, .cfd, .xyz, .top, and .home, all of which are protected by Cloudflare to hide their real IPs. Visitors are first served a Cloudflare CAPTCHA challenge to filter out bots and increase the sense of legitimacy. A Cloudflare Worker environment is used to filter traffic and load pages.
Selected targets receive a page that mimics a Microsoft or Google login, while the rest are funneled to a generic “Welcome” page that presents no threat. If credentials are typed into the phishing form, requests are proxied through VoidProxy's AitM to Google or Microsoft servers. The service’s proxy server relays traffic between the victim and the legitimate service while capturing usernames, passwords, and MFA codes in transit.
When the legitimate service issues a session cookie, VoidProxy intercepts it and creates a copy that is made available to the attackers right on the platform's admin panel. This allows the attackers to steal sensitive information without being detected by traditional security systems.
Okta noted that users who had enrolled in phishing-resistant authenticators such as Okta FastPass were protected from VoidProxy's attack flow and received warnings about their account being under attack. The researchers provided recommendations, including restricting access to sensitive apps to managed devices only, enforcing risk-based access controls, using IP session binding for administrative apps, and forcing re-authentication for admins attempting sensitive actions.
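The IP session binding recommendation above can be illustrated with a short added example (not code from Okta or from the original article). It binds each session to the address seen at login and revokes the session when a later request arrives from a different address; the event format, field names and sample events are constructed assumptions, not a vendor log schema.

```python
from dataclasses import dataclass, field

# Constructed sample events: (session_id, user, source_ip, action)
SAMPLE_EVENTS = [
    ("s-1001", "admin@example.com", "198.51.100.23", "login"),
    ("s-1001", "admin@example.com", "198.51.100.23", "list_users"),
    ("s-1001", "admin@example.com", "203.0.113.77", "reset_mfa"),    # cookie used from another IP
    ("s-1001", "admin@example.com", "198.51.100.23", "list_users"),  # session already revoked
    ("s-2002", "user@example.com", "192.0.2.10", "login"),
    ("s-2002", "user@example.com", "192.0.2.10", "read_mail"),
    ("s-3003", "ops@example.com", "192.0.2.55", "export_logs"),      # no login ever recorded
]

@dataclass
class SessionBinder:
    """Hypothetical policy check: one session may only be used from its login IP."""
    bound_ip: dict = field(default_factory=dict)  # session_id -> IP seen at login
    revoked: set = field(default_factory=set)     # sessions that must re-authenticate

    def check(self, session_id, user, ip, action):
        """Return (decision, reason) for a single request."""
        if session_id in self.revoked:
            return "deny", "session revoked"
        if action == "login":
            self.bound_ip[session_id] = ip
            return "allow", "session bound to login IP"
        bound = self.bound_ip.get(session_id)
        if bound is None:
            # A cookie with no matching login is treated as untrusted.
            self.revoked.add(session_id)
            return "deny", "no login recorded for session"
        if ip != bound:
            # Revoke rather than just block, so the original holder must re-authenticate too.
            self.revoked.add(session_id)
            return "deny", f"IP changed from {bound} to {ip}; re-authentication required"
        return "allow", "IP matches binding"

def evaluate(events):
    """Run every event through one binder; rows are (sid, ip, action, decision, reason)."""
    binder = SessionBinder()
    return [(sid, ip, action, *binder.check(sid, user, ip, action))
            for sid, user, ip, action in events]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_EVENTS):
        print(row)
```

Because an AitM proxy relays the login, the address the service binds to is the one that performed the login, so binding only limits reuse of a copied cookie from other addresses. That is why the recommendations list it alongside phishing-resistant authenticators and forced re-authentication rather than in place of them.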
The discovery of VoidProxy highlights the ever-evolving nature of phishing attacks and the importance of staying vigilant against these types of threats. As cybersecurity threats continue to evolve, it is essential for individuals and organizations to remain proactive in protecting their sensitive information.
In light of this recent attack, we must take a closer look at how our security measures can be improved to prevent such incidents from happening in the future. The attack has shown us that even with the most advanced security systems, phishing attacks can still succeed if not properly addressed. Therefore, it is crucial for all parties involved – individuals, organizations, and cybersecurity professionals alike – to remain vigilant and take proactive steps to protect themselves against these types of threats.
Published: Sun Sep 14 16:28:56 2025 by llama3.2 3B Q4_K_M