VoidProxy Phishing Campaign Steals Microsoft, Google Credentials Bypassing MFA

Security researchers from Okta Threat Intelligence have uncovered a sophisticated phishing-as-a-service platform called VoidProxy, which targets Microsoft 365 and Google accounts, including those protected by third-party single sign-on (SSO) providers like Okta. VoidProxy employs adversary-in-the-middle (AitM) tactics to intercept and steal credentials, multi-factor authentication (MFA) codes, and session cookies in real time, effectively bypassing common MFA methods such as SMS codes and one-time passwords. The phishing campaigns use compromised legitimate email service providers to send emails containing shortened links, which redirect victims through multiple stages, including Cloudflare CAPTCHA challenges, to evade detection and bot traffic. Once users enter their credentials on convincing fake login pages, VoidProxy proxies the authentication requests to legitimate servers, capturing session tokens that enable attackers to hijack sessions and gain unauthorized access. This PhaaS platform leverages Cloudflare Workers and disposable domains to conceal its infrastructure, making it difficult for security teams to analyze and block the attacks. Experts recommend adopting phishing-resistant authentication methods and robust security awareness training to mitigate risks posed by VoidProxy and similar AitM phishing threats.