A new phishing-as-a-service (PhaaS) platform uncovered by Okta Threat Intelligence, named VoidProxy, has emerged as a highly evasive threat targeting Microsoft 365, Google accounts, and federated accounts via third-party single sign-on (SSO) providers.
The service represents a scalable and sophisticated attack framework that leverages Adversary-in-the-Middle (AitM) techniques to bypass traditional authentication defenses, including standard multi-factor authentication (MFA) methods.
AitM Techniques Targeting MFA and Session Tokens
VoidProxy enables attackers with limited technical expertise to conduct advanced phishing operations by intercepting authentication flows in real-time.
Once a victim submits credentials on a lookalike login page, VoidProxy’s proxy server relays the information to legitimate Microsoft, Google, or Okta servers. This process captures usernames, passwords, and MFA responses, while also exfiltrating valid session cookies.

With session hijacking, attackers gain direct access to accounts without needing credentials again, making them capable of launching Business Email Compromise (BEC), financial fraud, and data exfiltration campaigns.
Unlike conventional phishing kits, VoidProxy dynamically adapts its infrastructure. Compromised accounts from legitimate Email Service Providers (ESPs) such as Constant Contact and Active Campaign are used to deliver lures, ensuring high deliverability rates.
URLs are further hidden through multiple redirects, TinyURL links, and hosting on cheap, disposable top-level domains like .icu, .xyz, or .sbs.
All sites are placed behind Cloudflare, concealing the true server IP addresses and forcing investigators to deal with layered redirection and CAPTCHA challenges.
When federated accounts are targeted, VoidProxy redirects users through second-stage phishing pages that mimic the Microsoft or Google login flow but are spoofed to integrate Okta’s SSO process, so that attackers can also intercept credentials in enterprise environments.
Advanced Infrastructure and Anti-Analysis Evasion
VoidProxy’s resilience stems from its hybrid use of disposable frontends and a durable backend operated via dynamic DNS wildcard providers like sslip[.]io and nip[.]io. These services directly resolve hostnames to embedded IP addresses, making takedowns more challenging.
Attackers’ infrastructure includes both the AitM proxy engine and a feature-rich administrative panel, which allows PhaaS customers to configure campaigns, monitor victims, and extract stolen session tokens either through direct download or via integrations such as Telegram bots and webhook alerts.
Okta researchers note that VoidProxy remained undetected for some time owing to its strategic use of Cloudflare Workers, which act as filters and lure loaders, ensuring that only legitimate users, not automated analysis tools, are funneled into the phishing flows.

Automated scanners are redirected to benign “welcome” pages, further complicating detection.
Okta recommends organizations enforce phishing-resistant authentication mechanisms such as WebAuthn or Okta FastPass, restrict access based on managed and secure devices, and leverage behavior-aware policies to identify anomalous sign-in requests.
Real-time responses, session binding to prevent cookie replay, and stronger protections for administrative actions are also advised to mitigate VoidProxy-style AitM phishing campaigns.
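To make the session-binding advice above concrete, and to show how the embedded-IP hostnames of the dynamic DNS providers mentioned earlier can be decoded, here is an added example (not Okta's code and not part of VoidProxy). It runs over constructed sign-in events; the event field names, sample users, and addresses are assumptions of the example, and the addresses are documentation ranges, not real indicators.

```python
import re
from collections import namedtuple

# Hypothetical sign-in event shape; the field names are an assumption of this example.
Event = namedtuple("Event", "ts user session_id ip user_agent event")

# Constructed sample events (RFC 5737 documentation addresses, not real IoCs).
# alice completes MFA through the AitM proxy, then her stolen session cookie
# is replayed from a different client; bob's session is used normally.
SAMPLE_EVENTS = [
    Event("2025-09-10T09:00:00Z", "alice@example.com", "sess-A1", "203.0.113.10", "Chrome/128", "mfa.success"),
    Event("2025-09-10T09:00:05Z", "alice@example.com", "sess-A1", "203.0.113.10", "Chrome/128", "session.access"),
    Event("2025-09-10T09:12:40Z", "alice@example.com", "sess-A1", "198.51.100.77", "python-requests/2.32", "session.access"),
    Event("2025-09-10T09:30:00Z", "bob@example.com", "sess-B7", "192.0.2.5", "Safari/17", "mfa.success"),
    Event("2025-09-10T09:31:00Z", "bob@example.com", "sess-B7", "192.0.2.5", "Safari/17", "session.access"),
]

def find_session_replays(events):
    """Bind each session id to the (ip, user_agent) present when MFA completed
    and report any later use of that id from a different client fingerprint.
    With AitM the bound IP is the proxy's, so an attacker replaying the cookie
    from elsewhere still breaks the binding."""
    bound, alerts = {}, []
    for ev in sorted(events, key=lambda e: e.ts):
        fp = (ev.ip, ev.user_agent)
        if ev.event == "mfa.success":
            bound[ev.session_id] = fp
            continue
        origin = bound.get(ev.session_id)
        if origin is not None and origin != fp:
            alerts.append({"user": ev.user, "session_id": ev.session_id,
                           "ts": ev.ts, "bound_to": origin, "seen_from": fp})
    return alerts

# Wildcard DNS services that resolve to the IP embedded in the hostname
# (sslip.io and nip.io accept both dotted and dashed octets).
WILDCARD_DNS = re.compile(
    r"^(?:.*\.)?(\d{1,3})[.-](\d{1,3})[.-](\d{1,3})[.-](\d{1,3})\.(?:sslip\.io|nip\.io)$")

def embedded_ip(hostname):
    """Return the backend IP a sslip.io / nip.io hostname resolves to, else None."""
    m = WILDCARD_DNS.match(hostname.strip().lower())
    return ".".join(m.groups()) if m else None

if __name__ == "__main__":
    for alert in find_session_replays(SAMPLE_EVENTS):
        print("possible cookie replay:", alert)
    print(embedded_ip("login-secure.203-0-113-55.sslip.io"))  # constructed hostname
```

In production the fingerprint would also carry a device-bound token or ASN rather than a bare IP, but the binding check itself is the same.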