The New Phishing Service Stealing Your Microsoft and Google Data
Cybercriminal groups have begun exploiting a new phishing service, VoidProxy, on a massive scale, enabling them to steal credentials, multi-factor authentication codes, and session tokens from Microsoft and Google accounts in real time. According to Okta Threat Intelligence, the platform operates under a “phishing-as-a-service” model, with its infrastructure simultaneously leveraged by multiple gangs as well as lone operators.
Okta’s observations indicate that targets span industries and regions alike—from small businesses to major enterprises. Account takeovers have already been confirmed in several organizations. Given that VoidProxy directly proxies non-federated users to Microsoft and Google servers, the cloud providers themselves are likely seeing an even greater number of compromises. The campaign has been active since January, while VoidProxy advertisements have circulated on darknet marketplaces since at least August 2024. New nodes are detected almost daily, evidence that the attacks remain ongoing.
The intrusion chain typically begins with phishing lures sent from legitimate yet compromised email accounts. Services such as Constant Contact, ActiveCampaign’s Postmark, and NotifyVisitors are frequently abused for distribution. Emails contain links disguised with URL shorteners (e.g., TinyURL), leading victims through multiple redirects before landing on the phishing page. These sites are hosted in low-cost domain zones such as .icu, .sbs, .cfd, .xyz, .top, and .home, concealed behind Cloudflare to obscure real IP addresses and complicate takedown efforts. Before logging in, users encounter a Cloudflare CAPTCHA, filtering out bots and improving the “quality” of traffic delivered to the attackers.
The victim is then presented with a counterfeit login page indistinguishable from the authentic Microsoft or Google portals. If the organization relies on third-party SSO (for example, via Okta), traffic is seamlessly redirected to mimic the usual authentication path. The victim proceeds to enter username, password, and MFA code. At this point, an Attacker-in-the-Middle (AiTM) proxy mechanism is triggered: instead of reaching the provider directly, credentials are routed through VoidProxy’s ephemeral infrastructure.
The proxy intercepts and relays sensitive data—username, password, MFA responses—to Microsoft, Google, or Okta. Once validated, the services issue a session cookie, a copy of which is stored on the attacker’s panel. With a valid session token, criminals can access the victim’s account without re-entering a password or MFA until the session expires.
VoidProxy functions not merely as a proxy, but as a turnkey platform. Buyers are provided with an administrative console to manage phishing campaigns, dashboards showing daily tallies of stolen credentials and cookies, maps marking victim regions, and flexible tools for redirecting traffic and customizing landing pages. Its constantly shifting infrastructure makes blocking efforts significantly harder.
Cloud providers’ responses vary. Google highlights its “durable” protections against domain spoofing, phishing links, and compromised senders, while urging users to adopt passkeys. Microsoft has remained silent. Okta recommends enabling phishing-resistant factors such as Okta FastPass and FIDO2 WebAuthn (hardware keys and passkeys), while enforcing strict policies that eliminate weaker authentication methods.
Another defensive vector lies in interoperability standards. Okta’s report urges industry adoption of the Interoperability Profile for Secure Identity in the Enterprise (IPSIE). Consistent application of such standards would, for instance, allow for the rapid termination of sessions across devices and browser applications once contact with malicious infrastructure is detected.
The takeaway is stark: AiTM phishing schemes shift the balance of power—neither correct passwords nor enabled MFA suffice if session cookies are siphoned off through a proxy. Today’s minimum baseline for protection includes abandoning one-time codes in favor of FIDO2/WebAuthn keys, enforcing strict authentication policies, filtering out disposable domain zones, blocking redirect chains, and monitoring login anomalies. VoidProxy attacks are active and evolving daily; the era of “configure once and forget” is over.
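Two of the defensive checks named above (filtering the low-cost landing-page zones from the lure chain, and spotting a session cookie that is replayed from the attacker's infrastructure after the victim completed MFA) as an added example; this is illustrative code written for this article, not Okta's or any vendor's detection logic, and the log schema, field names and sign-in events are constructed.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Domain zones the article lists as favoured for VoidProxy landing pages.
RISKY_TLDS = {"icu", "sbs", "cfd", "xyz", "top", "home"}

def risky_landing_url(url: str) -> bool:
    """True if the URL's hostname ends in one of the low-cost zones above."""
    host = (urlsplit(url).hostname or "").lower()
    return host.rsplit(".", 1)[-1] in RISKY_TLDS

def find_session_replay(events, window=timedelta(hours=12)):
    """Flag a session that was minted by an MFA success from one client and then
    used from a different IP *and* user agent within `window`: the pattern left
    when an AiTM proxy hands a freshly issued cookie to the operator's panel.
    Requiring both fields to differ keeps mobile IP roaming from firing; an
    attacker can copy the user agent, so treat this as a conservative heuristic.
    Each event is a dict with ts, user, session, ip, ua, event (assumed schema)."""
    issued = {}   # session id -> the mfa_success event that created it
    hits = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] == "mfa_success":
            issued[e["session"]] = e
            continue
        origin = issued.get(e["session"])
        if origin is None:
            continue
        if (e["ts"] - origin["ts"] <= window
                and e["ip"] != origin["ip"] and e["ua"] != origin["ua"]):
            hits.append((e["user"], e["session"], origin["ip"], e["ip"]))
    return hits

T0 = datetime(2025, 9, 12, 9, 0)
SAMPLE_EVENTS = [  # constructed sign-in log, not real telemetry
    {"ts": T0, "user": "alice", "session": "S1", "ip": "203.0.113.10", "ua": "Edge/128", "event": "mfa_success"},
    {"ts": T0 + timedelta(minutes=3), "user": "alice", "session": "S1", "ip": "203.0.113.10", "ua": "Edge/128", "event": "mailbox_read"},
    {"ts": T0 + timedelta(minutes=9), "user": "alice", "session": "S1", "ip": "198.51.100.77", "ua": "Chrome/129", "event": "mailbox_read"},
    {"ts": T0 + timedelta(hours=1), "user": "bob", "session": "S2", "ip": "192.0.2.5", "ua": "Safari/17", "event": "mfa_success"},
    {"ts": T0 + timedelta(hours=2), "user": "bob", "session": "S2", "ip": "192.0.2.5", "ua": "Safari/17", "event": "mailbox_read"},
]

if __name__ == "__main__":
    print(risky_landing_url("https://login-update.example.icu/sso"))  # True
    for user, session, from_ip, to_ip in find_session_replay(SAMPLE_EVENTS):
        print(f"possible cookie replay: {user} session {session} {from_ip} -> {to_ip}")
```

A hit on the replay check is the point at which the cross-device session termination the article describes should be triggered, not merely logged.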