
A newly identified phishing-as-a-service (PhaaS) platform named VoidProxy has emerged as a significant threat to organizations using Microsoft 365 and Google accounts, including accounts federated through third-party single sign-on (SSO) providers such as Okta. The operation, detailed by Okta Threat Intelligence, is a mature and scalable service that lowers the technical barrier for cybercriminals to run Adversary-in-the-Middle (AitM) attacks. It is built to defeat traditional multi-factor authentication (MFA) methods such as SMS codes and one-time passwords from authenticator apps: rather than merely imitating the login page, it proxies the real authentication flow in real time and captures credentials, MFA codes and, most importantly, the session cookie issued after a successful login [1].
Operational Scope and Impact
VoidProxy targets a wide range of organizations, from small businesses to large enterprises. Okta has not provided a confirmed victim count, but its threat intelligence team stated it has “observed high-confidence account takeovers in multiple entities,” adding that “By extension, we expect Microsoft and Google will have observed a larger number of ATO events, given that VoidProxy proxies non-federated users directly with Microsoft and Google servers” [7]. The activity is ongoing: Okta is detecting new infrastructure and generating customer alerts daily. Although Okta first observed attacks around January 2025, researchers have linked the campaigns to VoidProxy advertisements on the dark web dating back to August 2024, indicating a longer operational history than initially apparent [7].
Technical Architecture and Evasion Techniques
The VoidProxy service operates on a PhaaS model, offering a full-featured admin panel in which customers configure campaigns, monitor victims in real time and retrieve stolen data. The platform layers several anti-analysis features on top of this. Phishing emails are sent from compromised accounts at legitimate Email Service Providers (ESPs) such as Constant Contact, ActiveCampaign and NotifyVisitors, so the messages arrive with the ESPs’ good sender reputation and pass spam filters. The emails link to URL shorteners such as TinyURL, and each link passes through multiple redirects before landing on a first-stage phishing site [1, 7].
These disposable first-stage sites are hosted on low-cost domains (e.g., `.icu`, `.sbs`, `.cfd`, `.xyz`) and sit behind Cloudflare, which hides their origin IP. A key evasion step is a Cloudflare CAPTCHA challenge that filters out automated scanners and bots. A Cloudflare Worker (`*.workers.dev`) then acts as a gatekeeper, inspecting the traffic and loading the phishing page only for validated human visitors; automated security scanners are redirected to a generic “Welcome” page, while human targets receive a replica of the Microsoft or Google login portal [1, 7]. A practical consequence is that a clean verdict from a URL scanner proves little for one of these links, since the scanner was most likely shown the decoy page rather than the login replica.
Attack Chain and AitM Methodology
The core of VoidProxy’s effectiveness is its Adversary-in-the-Middle proxy. After the victim enters primary credentials on the first-stage phishing page, the account type determines the next step. For non-federated Microsoft or Google accounts, the credentials are proxied straight to the legitimate service. For federated accounts that authenticate through an SSO provider such as Okta, the victim is redirected to a second-stage phishing page that impersonates the SSO provider’s login flow [1].
VoidProxy’s proxy server, hosted on ephemeral infrastructure, acts as a reverse proxy between the victim and the legitimate service. “It’s here that the sophisticated, multi-layered nature of VoidProxy comes into play,” according to the Okta report [7]. Because every request and response passes through it, the proxy captures usernames, passwords and MFA responses as the victim submits them and relays them to the real service, so the login succeeds from the victim’s point of view. When the legitimate service issues a session cookie at the end of that login, VoidProxy intercepts it, exfiltrates a copy and makes it available to the attacker in the admin panel. “The attacker is now in possession of a valid session cookie and can access the victim’s account,” enabling full account takeover; replaying the cookie requires neither the password nor the MFA device, because the MFA step was already completed by the victim on a prompt that, from the service’s side, was entirely genuine [1, 4, 7].
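The recommendation further down to move to FIDO2/WebAuthn rests on a property the paragraph above implies but does not spell out: an AitM proxy can relay a password and an OTP unchanged, but it cannot relay a WebAuthn assertion, because the victim's browser writes the origin it is really connected to into the signed data. The following is an added example, not code from the Okta report or from VoidProxy; it simulates the relying-party (RP) check. The RP origin `https://login.example.com`, RP ID `login.example.com`, the phishing origin `https://login.example.icu` and the key `DEMO_KEY` are all assumptions, and the signature is an HMAC over exactly the bytes WebAuthn signs (authenticatorData || SHA-256(clientDataJSON)) with a key shared by the simulated authenticator and RP, standing in for the asymmetric (e.g. ECDSA P-256) signature a real authenticator produces so that the block runs on the standard library alone. The origin, rpIdHash, flag and counter checks are the real ones.

```python
"""Added example: why a reverse-proxy AitM cannot replay a WebAuthn assertion.
Not code from the Okta report or from VoidProxy; see the lead-in for what is assumed."""
import hashlib
import hmac
import json
import os
import struct

LEGIT_ORIGIN = "https://login.example.com"   # assumed legitimate RP origin
RP_ID = "login.example.com"                  # assumed RP ID registered with the credential
PHISH_ORIGIN = "https://login.example.icu"   # assumed VoidProxy-style first-stage site
FLAG_UP, FLAG_UV = 0x01, 0x04                # authenticatorData flag bits: user present / verified
DEMO_KEY = b"\x11" * 32                      # constructed stand-in for the credential's key


def rp_id_hash(rp_id):
    return hashlib.sha256(rp_id.encode()).digest()


def browser_and_authenticator(key, origin, challenge, counter):
    """Simulate the victim's browser plus authenticator. The browser, not the page it
    rendered, writes the origin it is actually connected to into clientDataJSON, and it
    only accepts an RP ID that is a registrable suffix of that origin's host (the host
    itself here). The authenticator hashes that RP ID into authenticatorData, and the
    signature covers both, so neither field can be changed in transit."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge.hex(), "origin": origin},
        separators=(",", ":")).encode()
    rp_id = origin.split("://", 1)[1]
    auth_data = rp_id_hash(rp_id) + bytes([FLAG_UP | FLAG_UV]) + struct.pack(">I", counter)
    signed = auth_data + hashlib.sha256(client_data).digest()
    return {"clientDataJSON": client_data,
            "authenticatorData": auth_data,
            "signature": hmac.new(key, signed, hashlib.sha256).digest()}


def verify_assertion(key, a, expected_challenge, last_counter=0):
    """RP-side verification of an assertion, in the order the WebAuthn spec prescribes."""
    cd = json.loads(a["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong type"
    if cd.get("challenge") != expected_challenge.hex():
        return False, "challenge mismatch"
    if cd.get("origin") != LEGIT_ORIGIN:
        return False, "origin mismatch: " + str(cd.get("origin"))
    ad = a["authenticatorData"]
    if ad[:32] != rp_id_hash(RP_ID):
        return False, "rpIdHash mismatch"
    if not ad[32] & FLAG_UP:
        return False, "user not present"
    if struct.unpack(">I", ad[33:37])[0] <= last_counter:
        return False, "signature counter did not advance"
    signed = ad + hashlib.sha256(a["clientDataJSON"]).digest()
    if not hmac.compare_digest(hmac.new(key, signed, hashlib.sha256).digest(), a["signature"]):
        return False, "bad signature"
    return True, "ok"


def login(key, origin, proxy_rewrites=False):
    """One login attempt seen from the RP. A proxy can relay the RP's challenge unchanged;
    with proxy_rewrites=True it also rewrites the two fields that betray it, which only
    moves the failure from the origin check to the signature check."""
    challenge = os.urandom(32)               # issued by the RP, relayed by the proxy
    a = browser_and_authenticator(key, origin, challenge, counter=1)
    if proxy_rewrites:
        cd = json.loads(a["clientDataJSON"])
        cd["origin"] = LEGIT_ORIGIN
        a["clientDataJSON"] = json.dumps(cd, separators=(",", ":")).encode()
        a["authenticatorData"] = rp_id_hash(RP_ID) + a["authenticatorData"][32:]
    return verify_assertion(key, a, challenge)


if __name__ == "__main__":
    print("direct:        ", login(DEMO_KEY, LEGIT_ORIGIN))
    print("via proxy:     ", login(DEMO_KEY, PHISH_ORIGIN))
    print("proxy rewrites:", login(DEMO_KEY, PHISH_ORIGIN, proxy_rewrites=True))
```

Contrast this with a proxied password and OTP, which carry nothing that identifies the page they were typed into: the relay in that case is invisible to the service. In a real browser the failure happens even earlier, since a credential registered for `login.example.com` is not offered on `login.example.icu` at all; the RP-side checks shown here are the backstop for a client that does not behave.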
Administrative Infrastructure and Data Management
The operation uses a hybrid infrastructure approach: disposable front-end domains and serverless Cloudflare Workers on one side, and a more persistent, resilient backend on the other. The core AitM proxy engine and admin panel run on servers reached through dynamic DNS services (`sslip[.]io`, `nip[.]io`); these services resolve any hostname that embeds an IP address to that address, so the operators can stand up a new backend without registering a domain. The admin panel gives customers dashboards for campaign management, settings configuration and real-time access to stolen credentials and session tokens. Stolen data can be downloaded manually or pushed through Telegram/webhook integrations. The dashboard tracks stolen data per day and displays victim counts by region on an interactive map [1, 7].
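The delivery chain described under Technical Architecture and the backend hosting described here together form a recognizable pattern: shortener, several redirects, a cheap-TLD landing domain behind Cloudflare, a `workers.dev` gatekeeper and a backend on an IP-encoding dynamic-DNS name. The following triage helper is an added example with constructed data, not tooling from the Okta report; it scores a redirect chain an analyst has already rebuilt from proxy-log 30x responses. The domains, IPs and chains are made up, the shortener and TLD lists are the ones the text names, and the `sslip.io`/`nip.io` hostname formats are those services' documented conventions.

```python
"""Added example: score a reconstructed redirect chain against the VoidProxy
infrastructure pattern. Constructed data, not tooling from the Okta report."""
import re
from urllib.parse import urlparse

SHORTENERS = {"tinyurl.com"}                      # shortener named in the text
CHEAP_TLDS = {"icu", "sbs", "cfd", "xyz"}         # first-stage TLDs named in the text
# sslip.io / nip.io resolve names such as 1.2.3.4.sslip.io, 1-2-3-4.nip.io or
# app-1-2-3-4.nip.io to the embedded address, so the backend needs no registered domain.
IP_DDNS = re.compile(
    r"(?:^|[.-])(\d{1,3})[.-](\d{1,3})[.-](\d{1,3})[.-](\d{1,3})\.(?:sslip\.io|nip\.io)$")


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def embedded_ip(host):
    """Return the IPv4 address encoded in an sslip.io / nip.io name, else None."""
    m = IP_DDNS.search(host)
    return ".".join(m.groups()) if m else None


def triage_chain(chain):
    """chain: ordered list of URLs from the e-mail link to the final page.
    Each indicator is weak on its own (ESPs and shorteners are used legitimately);
    it is the combination that matches the pattern, so the verdict counts hits."""
    hosts = [host_of(u) for u in chain]
    hits = []
    if hosts and hosts[0] in SHORTENERS:
        hits.append("starts at URL shortener")
    if len(chain) >= 4:
        hits.append("%d-hop redirect chain" % (len(chain) - 1))
    if any(h.rsplit(".", 1)[-1] in CHEAP_TLDS for h in hosts):
        hits.append("cheap-TLD landing domain")
    if any(h.endswith(".workers.dev") for h in hosts):
        hits.append("workers.dev gatekeeper")
    for h in hosts:
        ip = embedded_ip(h)
        if ip:
            hits.append("IP-encoding dynamic DNS backend -> %s" % ip)
    verdict = "block" if len(hits) >= 3 else "review" if hits else "clean"
    return {"verdict": verdict, "indicators": hits, "final_host": hosts[-1] if hosts else ""}


# Constructed chains, as an analyst would rebuild them from 30x responses in proxy logs.
SUSPECT_CHAIN = [
    "https://tinyurl.com/abc123",
    "https://track.mailer.example/c/9f8e",        # ESP click-tracking hop
    "https://secure-docs-portal.sbs/view",        # first-stage site, Cloudflare-fronted
    "https://gate-7h2k.workers.dev/?sid=4411",    # gatekeeper reached after the CAPTCHA
    "https://login.203-0-113-9.sslip.io/auth",    # AitM proxy on an ephemeral host
]
BENIGN_CHAIN = [
    "https://tinyurl.com/newsletter",
    "https://track.mailer.example/c/1a2b",
    "https://www.example.com/blog/post",
]

if __name__ == "__main__":
    for chain in (SUSPECT_CHAIN, BENIGN_CHAIN):
        print(triage_chain(chain))
```

The extracted backend address is the one artifact in the chain that is worth blocking outright; the shortener and the ESP tracking host are shared with legitimate mail and belong in the "review" tier, which is why the benign newsletter chain above scores a single indicator rather than none.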
Industry Response and Defense Recommendations
Okta has notified Microsoft, Google, SaaS partners, and its customers about the VoidProxy threat [2]. Google stated it has “durable protections” against such threats and endorsed the report’s recommendation to adopt passkeys as a strong phishing-resistant authentication method. A Google spokesperson noted: “We regularly see new phishing campaigns like this pop up, which is why we design durable protections to keep users safe from these types of attacks, including defenses against domain spoofing, phishing links, and compromised senders… We also agree with the report’s recommendation that users adopt passkeys” [2, 5, 7]. Microsoft declined to comment but provided a link to general phishing mitigation guidance [2, 7].
Okta researchers recommend several defensive measures to counter VoidProxy and similar threats [1]:
- Enforce phishing-resistant MFA using FIDO2 WebAuthn (passkeys/physical security keys), Okta FastPass, or smart cards
- Implement device trust policies to restrict access to sensitive applications
- Apply context-aware access policies that deny or step-up authentication for anomalous requests
- Conduct user training on phishing identification and establish easy reporting mechanisms
- Automate threat response using integrated threat protection services
- Secure admin sessions with IP session binding and forced re-authentication for sensitive actions
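The last two items above, session binding and forced re-authentication for sensitive actions, are what limit the damage once a cookie has already been stolen. The following is an added example with constructed events, not Okta's implementation: a small guard that binds a session to the address that completed the login, revokes it the first time it is used from elsewhere (which is what a replay of a VoidProxy-captured cookie looks like), and demands a fresh authentication before sensitive actions. The event format, the five-minute re-auth window and the list of sensitive actions are assumptions; addresses are from the RFC 5737 documentation ranges.

```python
"""Added example: IP session binding plus step-up re-authentication for sensitive
actions, run over constructed events. Not Okta's implementation."""
from datetime import datetime, timedelta

SENSITIVE = {"admin.user.create", "admin.policy.update", "mfa.factor.enroll"}  # assumed
REAUTH_WINDOW = timedelta(minutes=5)   # assumed: sensitive action needs auth this recent


class SessionGuard:
    def __init__(self):
        self.bound = {}   # session id -> {"ip", "ua", "last_auth"}

    def evaluate(self, ev):
        """ev: {"ts", "sid", "ip", "ua", "action"}. Returns (decision, reason) where
        decision is "allow", "step_up" or "deny"."""
        ts = datetime.fromisoformat(ev["ts"])
        if ev["action"] == "login":
            # Bind the new session to the address and client that completed the login.
            self.bound[ev["sid"]] = {"ip": ev["ip"], "ua": ev["ua"], "last_auth": ts}
            return "allow", "session bound to %s" % ev["ip"]
        b = self.bound.get(ev["sid"])
        if b is None:
            return "deny", "unknown or revoked session"
        if ev["ip"] != b["ip"]:
            # The cookie is being presented from somewhere it was not issued to:
            # treat it as stolen and revoke it for everyone, victim included.
            del self.bound[ev["sid"]]
            return "deny", "bound to %s, used from %s; session revoked" % (b["ip"], ev["ip"])
        if ev["ua"] != b["ua"]:
            return "step_up", "user agent changed since login"
        if ev["action"] == "reauth":
            b["last_auth"] = ts
            return "allow", "re-authenticated"
        if ev["action"] in SENSITIVE and ts - b["last_auth"] > REAUTH_WINDOW:
            return "step_up", "sensitive action outside re-auth window"
        return "allow", "ok"


def run(events):
    guard = SessionGuard()
    return [guard.evaluate(ev) for ev in events]


# Constructed event stream: a victim's session, a replay from a second address, and
# the victim's next request after the replay.
EVENTS = [
    {"ts": "2025-09-10T09:00:00", "sid": "s-1", "ip": "203.0.113.5", "ua": "Chrome/128", "action": "login"},
    {"ts": "2025-09-10T09:01:00", "sid": "s-1", "ip": "203.0.113.5", "ua": "Chrome/128", "action": "mail.read"},
    {"ts": "2025-09-10T09:20:00", "sid": "s-1", "ip": "203.0.113.5", "ua": "Chrome/128", "action": "mfa.factor.enroll"},
    {"ts": "2025-09-10T09:21:00", "sid": "s-1", "ip": "203.0.113.5", "ua": "Chrome/128", "action": "reauth"},
    {"ts": "2025-09-10T09:21:30", "sid": "s-1", "ip": "203.0.113.5", "ua": "Chrome/128", "action": "mfa.factor.enroll"},
    {"ts": "2025-09-10T09:25:00", "sid": "s-1", "ip": "198.51.100.77", "ua": "Chrome/128", "action": "mail.read"},
    {"ts": "2025-09-10T09:26:00", "sid": "s-1", "ip": "203.0.113.5", "ua": "Chrome/128", "action": "mail.read"},
]

if __name__ == "__main__":
    for ev, (decision, reason) in zip(EVENTS, run(EVENTS)):
        print(ev["ts"], ev["ip"], ev["action"], "->", decision, "(%s)" % reason)
```

One caveat a practitioner should keep in mind: binding happens at login, and in an AitM login the address that completed the login is the proxy's, not the victim's. Address binding therefore only helps when the attacker later uses the cookie from an address other than the proxy, which is one reason the device-trust and phishing-resistant-MFA items above come first, and why the example revokes the session for everyone rather than trying to guess which party is legitimate.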
Researchers also encourage industry partners to support standards such as the Interoperability Profile for Secure Identity in the Enterprise (IPSIE), which would let the parties involved sign a user out of both their device and all their browser apps in real time as soon as that user is seen interacting with known malicious infrastructure [7].
Conclusion
The VoidProxy PhaaS operation represents a significant evolution in the phishing threat landscape by commoditizing advanced AitM capabilities for a broad range of cybercriminals. Its success against common MFA methods and its ongoing impact on organizations highlight the critical need to transition to phishing-resistant authentication. As Brett Winterford, VP of Okta Threat Intelligence, stated, “This… phishing infrastructure is fairly advanced both in terms of MFA bypass capabilities and the way in which it was concealed from analysis until now” [8]. A defense-in-depth strategy that incorporates identity, device, and network context is essential to effectively mitigate the risk posed by this and similar sophisticated PhaaS operations.
References
- “Uncloaking VoidProxy: A Sophisticated Phishing-as-a-Service Platform,” Okta Threat Intelligence, 2025.
- “Researchers: VoidProxy phishing service can bypass MFA,” Cybersecurity Dive, 2025.
- “VoidProxy phishing service targets Microsoft 365, Google accounts,” The Register, 11 Sep. 2025.
- “New VoidProxy phishing service targets Microsoft 365, Google accounts,” BleepingComputer, 2025.
- “Researchers warn VoidProxy phishing platform bypasses MFA,” Yahoo Finance, 2025.
- “Security Researchers Uncover VoidProxy, an Advanced MFA Bypass,” Okta Newsroom, 2025.