Okta Threat Intelligence has identified a high-risk phishing platform named VoidProxy. The service targets Microsoft 365 and Google users to capture sensitive data, including login credentials, multi-factor authentication tokens, and session cookies.
Attackers use compromised accounts from mass-mailing services like Constant Contact, Active Campaign, and NotifyVisitors to send phishing emails with shortened URLs. Recipients are redirected through several links before landing on phishing sites hosted on disposable domains such as .icu, .cfd, .xyz, .top, .sbs, and .home. These sites use Cloudflare for domain protection, present CAPTCHA challenges, and use Cloudflare Worker environments to filter and disguise traffic.
VoidProxy uses adversary-in-the-middle phishing techniques to intercept login credentials, multi-factor authentication tokens, and session cookies. By packaging these mechanisms into a commercial toolkit, the platform makes phishing attacks easier to deploy at scale.
After passing the CAPTCHA challenge, users are presented with a fraudulent login page that closely resembles the Microsoft or Google interface. For federated accounts using third-party SSO such as Okta, VoidProxy redirects users to additional phishing pages that replicate the Okta sign-in process and proxy authentication data to Okta servers. This approach allows attackers to intercept SSO credentials in real time.
When users enter their login information, the VoidProxy server forwards the data to the legitimate Microsoft or Google authentication service while covertly capturing usernames, passwords, MFA codes, and session cookies. This enables attackers to hijack accounts by stealing session cookies and bypassing multi-factor authentication protocols without alerting users or security systems.
Observed Activity:
Okta researchers report that multiple organizations across industries and locations have experienced account takeovers, though the scale of the impact remains under investigation. Indicators suggest the VoidProxy operation has been ongoing since at least January 2025. This timing aligns with dark web listings promoting the service, first spotted in August 2024. These impact and operational scale details are based on threat intelligence sources beyond the Okta advisory and should be considered unconfirmed.
Because VoidProxy directly intermediates non-federated user traffic through its own proxy servers, it is likely that both Microsoft and Google have experienced a substantial number of account takeover events, Okta noted.
Defensive Measures:
A spokesperson for Google emphasized the importance of having solid defenses against phishing campaigns. They explained that because “new phishing campaigns continue to emerge regularly,” the company builds “resilient security measures to protect users, including safeguards against domain spoofing and compromised sender addresses.” The spokesperson also endorsed the use of passkeys as an effective measure to guard against phishing attacks.
Okta noted that users enrolled in phishing-resistant authentication methods, including Okta FastPass, remained protected from VoidProxy attacks and received active warnings about attempted compromise.
Security Recommendations:
VoidProxy shows the ongoing evolution and commercialization of phishing-as-a-service platforms, raising the stakes for enterprise authentication and access controls.
Okta advises organizations to limit access to critical applications to managed devices with endpoint protection, apply risk-based access policies, bind sessions to IP addresses for administrative accounts, and require re-authentication before sensitive actions.
Beyond these measures, security practitioners point to phishing-resistant authentication options, such as Okta FastPass, FIDO2 WebAuthn keys, and smart cards, as effective safeguards against credential theft. Combining these strong authentication methods with layered access controls helps mitigate adversary-in-the-middle techniques, such as those used by VoidProxy.
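The two session controls Okta recommends above (IP binding for administrative sessions and re-authentication before sensitive actions) can be seen working together in the following added Python example, which is not code from Okta or from this article. The event format, the action names and the 300-second freshness window are assumptions.

```python
from ipaddress import ip_address

REAUTH_MAX_AGE = 300  # assumed: seconds a sign-in stays fresh for sensitive actions
SENSITIVE = {"change_mfa", "add_admin"}  # assumed action names

# Constructed events using documentation IP ranges, not real data:
# (time, session id, user, is_admin, client ip, action)
EVENTS = [
    (1000, "s1", "admin@example.com", True, "198.51.100.7", "signin"),
    (1060, "s1", "admin@example.com", True, "198.51.100.7", "read"),
    (1500, "s1", "admin@example.com", True, "198.51.100.7", "change_mfa"),
    (1510, "s1", "admin@example.com", True, "203.0.113.50", "read"),
    (1520, "s1", "admin@example.com", True, "198.51.100.7", "read"),
    (2000, "s2", "user@example.com", False, "2001:db8::1", "signin"),
    (2100, "s2", "user@example.com", False, "2001:0db8:0:0:0:0:0:1", "change_mfa"),
]

def evaluate(events):
    """Return one decision per event: allow, reauth, revoke or deny."""
    sessions, decisions = {}, []
    for ts, sid, _user, is_admin, ip, action in events:
        if action == "signin":
            # Record the address and time of the interactive sign-in.
            sessions[sid] = {"ip": ip_address(ip), "auth": ts}
            decisions.append("allow")
            continue
        state = sessions.get(sid)
        if state is None:
            # Unknown or already revoked session: the cookie is worthless.
            decisions.append("deny")
        elif is_admin and ip_address(ip) != state["ip"]:
            # Admin cookie presented from a new address: end the session
            # for every holder of that cookie, not just this request.
            del sessions[sid]
            decisions.append("revoke")
        elif action in SENSITIVE and ts - state["auth"] > REAUTH_MAX_AGE:
            # A cookie alone is not enough; require a fresh sign-in first.
            decisions.append("reauth")
        else:
            decisions.append("allow")
    return decisions

if __name__ == "__main__":
    for event, decision in zip(EVENTS, evaluate(EVENTS)):
        print(event[0], event[1], event[4], event[5], "->", decision)
```

IP binding only flags a cookie presented from an address other than the one recorded at sign-in, which is why it is paired here with re-authentication and, in the article, with phishing-resistant authenticators.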